As a company interested or required to become PCI DSS compliant, you have a list of key controls you must have in place with proper assessments around to provide the PCI DSS assessors with during the testing period. Being able to easily identify where these controls live and how they are managed within your organization is essential. This article will give you a comprehensive overview of controls you need to get a jump start on the PCI DSS certification.
A big focal point of the validation will be how you manage your company's workstations. This will include being able to properly identify who is assigned to what machine. Being able to show that each machine has antivirus software installed and being able to provide the update history will be big factors in the initial assessment period. The security policies around your workstations will also be examined for things like password timeout enforcement, password complexity, and password expiry/reset--just to name a few. Having a solid set of policies and standards around your network controls will be vital to your success. Being able to show where your cardholder data is stored, how it is stored, how it is encrypted, how is it accessed, and any compensating controls around those factors will play a huge role in proving your security stance portion. Not only will they need to see actual documentation of these policies, you will need to physically and digitally show them the control as well.
The PCI DSS assessors (QSAs) will need to see the ins and outs of your servers as well. This will include supporting documentation around how you are protecting any sensitive client communications. Documentation like an encryption policy, server hardening standard, and sensitive data transfer procedures are only some of several documents needed in this effort. Below is a quick hit list of some important assets and sectors that will need to be covered by a policy/standard.
- Firewalls/load balancers
- How backups are performed
- Physical security assets (cameras)
- Cloud environments
- Wireless networking
- Storage devices
- Access management
Finally, having an effective way to test and assess these controls and policies will be key to remaining compliant in the future. PCI DSS compliance requires an annual validation. At the end of the day, being able to focus on these key controls and ensuring they are automatically implemented and reviewed regularly by the proper management is crucial. It may be a rough routine at first, but after the first year of validation, you will not only get the hang of it, you will improve your overall security posture.