All organisations that accept card payments must comply with the PCI DSS (Payment Card Industry Data Security Standard). This is not a simple task, and if you make mistakes when implementing the Standard, you’ll struggle to achieve compliance and expose yourself to data breaches and regulatory fines.
We understand that PCI DSS compliance is difficult, so we’ve laid out some recommendations based on our experience as a QSA (Qualified Security Assessor).
Create a roadmap for compliance
Conduct a PCI DSS gap analysis or pre-audit assessment to determine your organisation’s current level of compliance. This will show you which requirements you need to address and how much work you need to do.
A gap analysis is often proposed before a formal QSA assessment for an AoC (Attestation of Compliance), and can help organisations establish whether they are ready for a formal RoC (Report on Compliance) audit. After the gap analysis, your organisation will receive an assessment report and a roadmap of the steps needed to achieve accredited certification to the Standard.
A PCI DSS gap analysis is similar to an RoC assessment, and includes a detailed review of the organisation’s compliance activities, such as on-site interviews with staff, an assessment of the in-scope system components and configurations, an examination of out-of-scope components and a physical and logical data flow analysis.
Reduce the scope of the cardholder data environment
You can simplify your PCI DSS compliance project by analysing where your organisation stores, processes and transmits cardholder data, and streamlining those processes. This can be achieved by reducing the amount of cardholder data you collect or the number of locations where you handle it.
You should be careful about outsourcing the handling of cardholder data to third parties, as you’ll still be responsible for making sure the data processing meets the Standard’s requirements.
Don’t separate PCI DSS compliance from the rest of your security framework
Many organisations make the mistake of separating PCI DSS compliance from their overall IT governance, risk and compliance programmes. The PCI DSS is a baseline information security standard, so isolating it from the rest of your organisation’s security framework increases the risk of data breaches.
To achieve and maintain compliance, organisations should take an integrated approach, building PCI DSS requirements into their everyday processes, technology and enterprise-wide staff education.
PCI DSS compliance can be challenging, but the PCI DSS Documentation Toolkit provides the direction and tools to streamline your project. Designed by a leading PCI QSA, it contains all the expert guidance, advice and fully customisable documentation templates you need, allowing you to:
- Become your own expert with professional guidance while saving time and avoiding mistakes;
- Work from PCI DSS v3.2-compliant documentation that you can be sure is accurate and aligned with the Standard; and
- Embed the documentation in your organisation quickly and easily by using the pre-formatted templates.