The journey towards Payment Card Industry Data Security Standard (PCI DSS) compliance can seem daunting. The standard has only twelve top-level requirements, but each breaks down into dozens of sub-requirements and testing procedures, and implementing all of them can take an organization months.
Even with the requirements clearly laid out, it is hard to know where to start.
To help, here is our seven-step PCI compliance checklist:
1. Identify the scope of the cardholder data environment
The PCI Security Standards Council’s (PCI SSC) requirements document states that “maintain(ing) an inventory of system components that are in scope for PCI DSS” is required, and for good reason: you can’t secure it if you don’t know what “it” is.
Determining the scope of PCI DSS compliance means identifying the people, processes, and technologies that store, process, or transmit cardholder data, together with any system that is connected to them or that could affect their security (a directory server or patch server that the in-scope systems trust, for example).
By extension, that includes anything you use to secure those systems and processes, including any service providers that you entrust with cardholder data or that you rely on to protect your cardholder data.
2. Reduce the scope of your cardholder data environment
Be aggressive about shrinking the cardholder data environment (CDE): everything you take out of scope is something you no longer have to assess and something an attacker cannot take card data from. Useful scope-reduction controls:
- Segment your network so that in-scope systems are separated from out-of-scope ones (anything that enforces the segmentation, such as a firewall, is itself in scope, and the segmentation has to be verified by penetration testing)
- Use a PCI-listed point-to-point encryption (P2PE) solution, or tokenization, so that your own systems never handle the clear-text PAN
- Outsource cardholder data handling to service providers that are already validated as PCI DSS compliant (you remain responsible for confirming their compliance status and for the requirements you share with them)
- Retire business processes that you don’t actually need and that aren’t worth the burden of keeping in scope
Done well, this leaves a smaller environment to secure, assess, and maintain, which means less wasted effort and fewer surprises on the way to compliance.
3. Don’t store cardholder data if you don’t need it
The less cardholder data you store, the less there is to steal in a breach or expose in an accidental leak. Any PAN you do store must be rendered unreadable (strong encryption, truncation, tokenization, or a one-way hash based on strong cryptography), with all the key management that implies, and sensitive authentication data such as full track or chip data, the card verification code, and the PIN must never be stored after authorization, even encrypted.
While it might seem like a significant change to adjust your business processes now so that you store less data, it pays off in the long run by reducing the work needed to become, and remain, compliant.
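The first three steps have a practical side that the checklist only describes: you have to find where card numbers actually live before you can scope, segment or tokenize. The following is an added example, written for this edit and not code from the original article or from Truvantis, of the two building blocks practitioners use for that: a data-discovery scan that looks for 13 to 19 digit runs and filters them with the Luhn checksum (so order numbers and IDs are not reported as card data), and a minimal tokenization vault that replaces each PAN with a random token plus a masked form. The log lines and the `TokenVault` class are constructed for the example; the card numbers are the well-known industry test numbers, not real accounts. A real vault would be a separate, in-scope service in its own network segment, not an in-memory dictionary.

```python
import re
import secrets

# Constructed sample data for this example. The card numbers are standard
# industry test numbers, not real accounts. The 13-digit "id" on the invoice
# line is a decoy: it looks like a PAN but fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01 10:02:13 checkout ok order=1001 pan=4111111111111111 exp=12/27
2024-03-01 10:05:44 refund ok order=0999 ref=5500000000000004
2024-03-01 10:07:01 invoice id=1234567890123 total=19.99
2024-03-01 10:09:15 support ticket=7781 note="customer read card 3782 822463 10005"
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that card PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised PANs (digits only) found in text: digit runs of
    plausible length that also pass Luhn. Runs that fail Luhn are dropped;
    they are almost always order numbers, IDs or timestamps, not card data."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Truncate for display: at most the first six and last four digits,
    the masking limit PCI DSS has traditionally allowed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical minimal tokenization service: maps random tokens to PANs.
    Only the vault holds PANs; applications keep the token and the masked value."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def scrub_log(text: str, vault: TokenVault) -> str:
    """Replace every PAN in text with a vault token and masked form, so the
    resulting log no longer contains cardholder data."""

    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a PAN, leave it untouched
        return f"{vault.tokenize(digits)}({mask_pan(digits)})"

    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    pans = find_pans(SAMPLE_LOG)
    print("PANs found in a log believed to be out of scope:", [mask_pan(p) for p in pans])
    vault = TokenVault()
    clean = scrub_log(SAMPLE_LOG, vault)
    print(clean)
    print("PANs remaining after scrubbing:", find_pans(clean))
```

Run against the sample, the scan reports three PANs in a log that an application team might have assumed was out of scope (which pulls the logging pipeline into scope), ignores the 13-digit invoice ID, and after tokenization finds nothing, which is the state you want every system outside the CDE to be in. The same discovery pass is worth running over databases, file shares, backups and support-ticket systems before you draw the scope boundary.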
4. If you have not recently completed a validation exercise, then start with a gap analysis
A formal validation assessment will tell you how your business stacks up against the PCI DSS requirements, but if you already know you have compliance gaps, skip the formal exercise for now.
Don’t spend the time and money to confirm what you already know. Have an expert evaluate your environment less formally first to identify what you need to fix, and save the formal assessment for when it can succeed.
5. If you have gaps in your PCI DSS program, document them using the Council’s Prioritized Approach spreadsheet
The PCI Security Standards Council’s Prioritized Approach document breaks the standard into six realistic milestones, each mapped to the relevant sub-requirements, and the accompanying spreadsheet lets you track status against every one of them.
After reviewing what is expected of anyone who handles cardholder data, you can lay out your remediation plan around those milestones, following the Council’s recommended order or the order you want to tackle first.
You are obliged to become fully compliant with the whole standard, but the milestones are ordered by how much risk each one removes, so the tool lets you fix the most important items first.
6. Remember to continually train employees as you become compliant
Human error is behind many data breaches, so every member of your organization has a part to play in protecting the data you store. Keep your people informed, with security awareness training when they join and at least annually thereafter: they are the ones who maintain compliance day to day, which makes them the most important part of your compliance journey.
7. Once it’s all in place, do your first formal validation exercise
Depending on how many card transactions you handle per year (your merchant or service-provider level, which the card brands and your acquirer define), you may be able to validate yourself with a Self-Assessment Questionnaire (SAQ), or you may be required to have a Qualified Security Assessor (QSA) perform an on-site assessment and produce a Report on Compliance (ROC).
Even if you are completing an SAQ, you can still ask a QSA to assist so you can be confident that all of your compliance obligations are being addressed by a professional.
Turn to a Trusted Advisor
Anyone can read the PCI SSC’s requirements for cardholder data handling and formulate a plan for reaching compliance. However, they may end up spending more time and money than is necessary. With a trusted advisor leading you through the journey, you can make decisions that will help to reduce its impact on your business.
Truvantis is a QSA company made up of a team of senior technology experts. Unlike others with an accounting background, we know that security compliance is more than a one-size-fits-all solution.
Learn more about our PCI DSS services and contact us today to start becoming compliant.