We know, we know. Merely thinking about PCI compliance is enough to hit overload. But while it is a challenge, it genuinely improves protection in three significant ways:
- Improved overall security posture and reduction in costly fines and data breaches.
- Organizations are better prepared to detect and prevent attacks.
- Operational efficiency is improved when policies and procedures are defined and documented.
Now that you may be warming up to the idea of making your organization PCI DSS compliant, here are the four steps you need to focus on for success.
- Gap Analysis. Get your work friends together for a party! A planning/scoping party. It’s going to be fun, I promise. Take a good look at how your organization plans and scopes its policies, processes, procedures, controls and technology. Once you’ve documented all of that, you’ll be ready to do the gap analysis and identify where you fall short of compliance.
- Remediation. Now that you know what your gaps are, you need to implement controls to remediate them, or identify an alternative (compensating) control that still gets you to your preferred state. When that’s sorted out, test your theory and validate that the control actually works.
- PCI Assessment. Now it’s time to put it to the test. Collect sample documentation, exercise the controls, gather evidence and assess your PCI compliance.
- Report on Compliance. Last but certainly not least, you need to be prepared to issue a report on your compliance, have it attested, and then submit it to the correct regulatory body or partner organization (such as a client bank or credit card vendor).
The last thing to keep in mind is that this is a continuous process, not a “one and done” scenario. Adopt the Assess-Remediate-Report cycle as your regular approach and you’ll be in a good place.