The Payment Card Industry Data Security Standard (PCI DSS) is a contractual requirement for any organization that stores, processes, or transmits cardholder data, whether you are a startup or a global enterprise.
Your business must be compliant at all times, and your compliance must be validated annually. You must also comply with every applicable PCI DSS requirement, or, failing that, implement compensating controls that meet the intent and rigor of the original requirement.
While PCI DSS compliance is detailed and complex, it’s certainly achievable. And if you do it well, you can achieve compliance without a huge impact on your business.
Here are five tips for becoming and ensuring your business stays PCI DSS compliant:
1. Minimize your scope
The more systems you have to protect, the greater your risk and the larger your assessment. The first thing you can do to move closer to PCI DSS compliance is to reduce the number of systems in scope to as few as possible.
Network segmentation, enforced with firewalls, switches, routers, wireless access points, and other network appliances, separates the systems that store, process, or transmit cardholder data (the cardholder data environment) from those that do not.
You do this by installing and maintaining a firewall configuration that isolates the cardholder data environment, implementing strong access control measures, and applying other network and system hardening. Segmentation only reduces scope if it is shown to work: PCI DSS requires penetration testing of segmentation controls at least annually (every six months for service providers), so plan to verify it, not just configure it.
Compliance becomes much more manageable and less of a burden to your business when you can minimize your scope.
2. Outsource and eliminate as much cardholder data handling as you can
PCI DSS compliance involves many layers of policies, processes, procedures, and standards, all of which differ. Because of the complexity of maintaining your organization's compliance and documentation, we recommend turning to specialist PCI DSS service providers wherever possible.
There is an entire industry built around the PCI DSS landscape, with experts ready to make it easier. If a service provider can process transactions for you and simply deposit the proceeds, outsource it. Outsourcing does not remove your responsibility, however: you still validate your own (much smaller) scope, keep a list of the service providers you use, and monitor their compliance status at least annually, as PCI DSS Requirement 12.8 demands.
If you don’t need to store it, then don’t.
3. Use point-to-point encryption and tokenization wherever possible
The PCI Point-to-Point Encryption (P2PE) standard and the PCI Token Service Provider security requirements are additional standards that address specific areas of cardholder data security not covered directly by the core PCI DSS standard.
Both are supplemental ways to reduce your scope.
P2PE works by encrypting cardholder data inside a validated payment terminal at the point of interaction, with the decryption keys held by the solution provider rather than the merchant. Because the merchant cannot decrypt the data, the networks that carry the ciphertext from the PIN pad to the provider never handle cleartext cardholder data and do not pull the rest of the infrastructure into scope.
Think of it as a compliance tunnel from the point of sale to the processor. To claim the scope reduction, use a solution on the PCI SSC's list of validated P2PE solutions and deploy it as its P2PE Instruction Manual directs; a merchant using only a listed solution may be eligible for the much shorter SAQ P2PE and can take entire network segments out of scope.
Tokenization replaces the primary account number (PAN) with a surrogate value that has no exploitable meaning outside the token service provider's vault. The card number is stored in one place, the provider's vault; your systems receive and store only the token, so a breach of your databases yields tokens rather than card numbers.
With tokenization, you retain the ability to charge a card later by sending the token back to the provider, without ever storing the card number yourself. Two caveats: a token that can initiate charges still needs to be protected against misuse, and if your own environment is able to detokenize, the vault and everything that can call it remain in scope.
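To make the two scope-reduction ideas above concrete, here is an added example (not PCI SSC guidance or any vendor's code) in Python: a toy token vault that issues random surrogate tokens, a merchant that stores only tokens and masked PANs, a gateway that is the only party allowed to detokenize, and a Luhn-based `find_pans` check of the kind used to discover card numbers that should not be stored. The class and function names (`TokenVault`, `PaymentGateway`, `Merchant`, `find_pans`, `mask_pan`) and the storage layout are assumptions of this example; the card number is the public Visa test PAN, not a real card.

```python
"""Toy tokenization flow: the merchant keeps a token, the vault keeps the PAN."""
import re
import secrets

# Constructed test data: public Visa test PAN, not a real card.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 12-19 digits with a valid Luhn check digit."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs in `text` that look like PANs (toy data-discovery check)."""
    return [run for run in re.findall(r"\d{12,19}", text) if luhn_valid(run)]


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a merchant may display (Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Token service provider side: the only system that holds clear PANs.

    A real vault encrypts stored PANs under HSM-managed keys and authenticates
    callers; a dict and a role string stand in for both here (assumption).
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Random surrogate: not derived from the PAN, so it cannot be reversed
        # without the vault. A new token per call; the merchant stores it once.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the payment gateway may recover a PAN. Merchant systems never
        # see the clear value, which is what keeps them out of scope.
        if caller_role != "gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


class PaymentGateway:
    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault

    def authorize(self, token: str, amount_cents: int) -> str:
        pan = self.vault.detokenize(token, caller_role="gateway")
        # Issuer authorization is outside this toy; return a receipt line.
        return f"APPROVED {amount_cents} card ending {pan[-4:]}"


class Merchant:
    """Merchant systems hold tokens and masked PANs only."""

    def __init__(self, vault: TokenVault, gateway: PaymentGateway) -> None:
        self.vault, self.gateway = vault, gateway
        self.cards_on_file: dict[str, dict[str, str]] = {}

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.cards_on_file[customer_id] = {"token": token, "display": mask_pan(pan)}
        return token

    def repeat_charge(self, customer_id: str, amount_cents: int) -> str:
        """Charge a stored card without ever handling the PAN again."""
        return self.gateway.authorize(self.cards_on_file[customer_id]["token"], amount_cents)

    def stored_pans(self) -> list[str]:
        """Scope check: anything in merchant storage that looks like a PAN."""
        return find_pans(repr(self.cards_on_file))


def demo() -> dict[str, object]:
    vault = TokenVault()
    merchant = Merchant(vault, PaymentGateway(vault))
    token = merchant.save_card("cust-42", TEST_PAN)
    try:
        vault.detokenize(token, caller_role="merchant")
        merchant_can_detokenize = True
    except PermissionError:
        merchant_can_detokenize = False
    return {
        "token": token,
        "display": merchant.cards_on_file["cust-42"]["display"],
        "receipt": merchant.repeat_charge("cust-42", 1999),
        "pans_in_merchant_storage": merchant.stored_pans(),
        "merchant_can_detokenize": merchant_can_detokenize,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is the role check in `detokenize`: as long as nothing on the merchant side can call it successfully, the merchant's databases, logs and backups contain only tokens and masked values, and `stored_pans()` coming back empty is the kind of evidence an assessor looks for. `find_pans` only matches contiguous digit runs; a real discovery scan also has to handle PANs broken up by spaces or dashes and stored in binary formats.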
4. Understand that PCI DSS compliance is not an IT issue
Some companies make the mistake of shoveling compliance requirements onto their Information Technology department, exclusively. However, IT should not and cannot be the sole owner of this responsibility.
PCI DSS compliance matters involve collaboration across many internal departments, including human resources (HR), business process owners, research and development (R&D), legal, etc.
For instance, HR may take ownership of maintaining the policies, process, procedures and standards around background checks, while R&D, legal, and other departments will have their own security responsibilities to maintain and enforce.
Additionally, PCI DSS compliance requires executive-level sponsorship and leadership to maintain. By uniting your teams and educating them on their role in the PCI DSS equation, you are empowering your business to collaborate on your compliance initiative.
5. If you’re not yet compliant, take a phased approach to becoming compliant
Big changes don't happen overnight. The PCI SSC's Prioritized Approach organizes the PCI DSS requirements into six security milestones, ordered by risk. This structure is a pragmatic way to give your business "quick wins" along the road to compliance, and it is a clear roadmap for addressing your risks in order of priority.
Through this phased approach, you will address the following milestones:
- Remove sensitive authentication data and limit data retention.
- Protect systems and networks, and be prepared to respond to a system breach.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
The PCI Security Standards Council publishes the full requirements and a Prioritized Approach tool for tracking progress against the milestones, but even with the right checklists and resources, hitting each and every requirement quickly and efficiently is a real endeavor.
A trusted specialist can help you tackle each milestone in a set timeline to reach your compliance goals.
Expert Assistance from Start to Finish
There are a number of requirements to achieve PCI DSS compliance. Even with all the resources and help at your fingertips, it can be complex to digest and difficult to execute on.
Our specialists are here to help. Explore our PCI DSS QSA assessment services and achieve and maintain compliance with ease.