
When does PCI Compliance Start?

The GDPR mantra of security and privacy “by design and by default” reminds us that, in every aspect of a new product program, security and privacy are expected to be baked in from the very beginning. This means product requirement documentation, engineering responses, code design, database schema development, and test and release documentation all need to have a plan for secure development. We all know this is sadly rare in many projects.

PCI DSS, for its part, requires that secure systems be developed from the standpoint of each of its domains, although only Requirement 2 (hardening servers and ensuring that all defaults are changed) and Requirement 6 (developing secure code and maintaining vulnerability awareness) talk about development explicitly.

When you think about it, though, the standard requires some form of development for every one of its requirements, as shown below (this is not an exhaustive list):

Requirement | Examples of the Development Tasks
1 | Identifying and justifying all open ports and protocols between network segments
2 | Hardening standards for all computing assets
3 | Storage silos and cryptographic architecture
4 | Communications protocols and
5 | Antivirus installation and update mechanisms
6 | Vulnerability awareness and code development procedures
7 | An identity management architecture
8 | An authentication mechanism
9 | A comprehensive physical protection scheme for all assets
10 | Creating a logging and alerting strategy, ensuring all required logs are created
11 | Ensuring that all required testing is performed on the dates mandated
12 | Writing policies and procedures for each element, documenting who’s responsible for execution, training courses, incident response, and vendor management

So, you just spent two years developing and tweaking your product, application, or website and you think you are ready for production. Can you just turn that enormous stealth infrastructure into a smoothly humming, payment accepting, shiny machine by changing a few IP addresses or DNS names? Not if it does not have all the PCI DSS records required for demonstrating compliance on Day One!

In a future blog, we'll talk about what we consider "significant changes" to the Cardholder Data Environment (CDE), which some clients don’t think refers to them since they are a new client and this is a new product. However, the very act of making the environment open to your customers is a significant change, and compliance is required from day one. Your acquiring bank will not be very happy if on day two someone hacks into your system (because they read the press release) and steals the 100 card numbers you so thrillingly collected, due to something that was not compliant with the DSS.

It’s quite rare these days to find hardware that’s been in service for more than about four years, but a thorough PCI DSS assessment is going to want to trace the hardening of those servers back to the beginning. Don’t discard your hardening guides, decision process documentation, or the update authorizations that have occurred in the intervening time period. It should be possible to trace from the original system release to the current day to validate the configuration using those guides and their updates, the change management paperwork and go-live testing results to prove there are no outstanding vulnerabilities.

While the majority of a PCI DSS assessment is point in time or reaches back at most to the prior year, those open ports in the firewall, roles and authorizations, the standards used to develop the hardening guides, and software, and any configuration changes all need to be traceable all the way back.

You will also help your QSA, and make your assessment smoother, by keeping an annual-review and change-description block in each of your policies, procedures, and standards.

Truvantis is a PCI QSA company, ready and willing to assist you in making the best decisions to minimize your compliance burden for a new implementation or ensure that you have adequately addressed all the PCI DSS requirements in a more mature environment.
