As a company interested in or required to become PCI DSS compliant, there is a list of key controls you must have in place, along with the appropriate evidence to retain and provide to the PCI DSS assessors during the testing period. Being able to easily identify where these controls live and how they are managed within your organization is essential. This article gives you an overview of some of the controls you will need in order to get a jump start on PCI DSS compliance.
One focal point of the validation will be how you manage your company's workstations used to manage the processing of cardholder data. This will include being able to identify who is assigned to what machine or service, being able to show that each machine has antivirus software installed, active, and updated regularly, as well as being able to provide the operating system and application update history for each device.
The security policies covering your entire environment will also be examined for things like password timeout enforcement, password complexity requirements, and password expiry/reset procedures, just to name a few.
Having a solid set of policies and standards around your network controls will be vital to your success, as will being able to show where your cardholder data is stored, how it is stored, how it is encrypted, and how it is accessed. Not only will the assessor need to see actual documentation of these policies, they will also need to see the control configurations and proof of their effectiveness.
The PCI DSS assessors (QSAs) will need to see the ins and outs of your servers as well. Documentation such as the encryption architecture, server hardening standards, and sensitive data transfer procedures are just some of the documents needed in this effort. Below is a short list of some of the important assets and areas that will need to be covered by your policies, procedures, and standards.
- Storage devices
- Networking, firewalls and load balancers
- Software and application development and deployment
- How backups are performed
- Physical security assets (cameras)
- Cloud environments
- Wireless networking
- Identity and access management
- Incident response
Finally, having an effective way to test that these policies are being adhered to, and implementing technology to ensure that the controls are maintained, are key to becoming and remaining compliant. While PCI DSS compliance may appear to require only an annual validation, it is essential to be able to prove that all the relevant requirements are being met in a business-as-usual fashion throughout the year. It may be a rough routine at first, but after the first year of validation you will not only get the hang of it, you will also improve your overall security posture.
Truvantis is a full-service information security consulting company with a highly trained and experienced staff who can assist you in starting or completing any part of the compliance journey. Whether you need a gap analysis, written policies and procedures, implementation guidance, or an assessment, our Professional Services team is available to assist, not just with PCI, but with other common standards such as ISO 27001, ISO 27701, CIS, SOC 2, CCPA, CPRA, GDPR, HIPAA and more. Use the Contact Us button to start the conversation.