- December 30, 2012
PCI DSS compliance is a must for merchants and service providers involved in handling cardholder data. However, many organizations unknowingly walk into significant technical and operational challenges that ultimately result in serious setbacks for their organization. It doesn’t have to be this way, especially if businesses are keenly aware of the 5 biggest mistakes to avoid for PCI DSS compliance. Getting it right the first time means saving thousands of dollars and earning compliance in a cost-effective, seamless and transparent manner. NDB Advisory PCI-QSA Charles Denyer reveals the following 5 biggest mistakes often made by companies undertaking PCI compliance, along with the proactive steps to take so that these issues hopefully never surface:
1. Not conducting a formal Readiness Assessment. It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standard (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. By no means should it be looked upon as yet another added cost to the engagement; rather, it is a proactive and necessary measure for properly defining and understanding the many important facets of PCI, which, by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important!
2. Having no buy-in from senior management and others. “Going it alone,” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure, management may very well be aware that their organization is undertaking PCI compliance, but have they provided true operational and financial support? Have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon. Remember, setting expectations for PCI compliance is a must, no questions about it.
3. Failing to understand PCI Scope. Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and the answer is not always black and white. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance.
4. Not conducting Remediation efforts. As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance. What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standard means meeting all the stated requirements for ALL in-scope system components, not just a chosen few. A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here! Simply put, remediate, and remediate all items that are in scope for an actual PCI DSS assessment.
5. Failing to recognize the importance of policies and procedures. Here’s an issue that often goes unnoticed regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures? Very challenging and time-consuming; just look at the number of documents PCI requires – policies for this, procedures for that – get the point? Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures. As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.
If you need assistance with PCI compliance, particularly for an on-site assessment by a PCI-QSA, contact Charles Denyer at email@example.com or at 1-800-277-5415 – ext. 705.
About Charles Denyer
Charles Denyer is a member of NDB, a nationally recognized firm specializing in Regulation AB, Service Organization Control (SOC) reporting (SSAE 16, AT 101, Trust Services Principles | TSP), ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with many other regulatory compliance initiatives. He is also actively involved in numerous professional associations and organizations for a wide range of industries and business sectors, such as the American Nuclear Society (ANS), ISACA, and the Cloud Security Alliance (CSA), just to name a few.
Additionally, Charles holds numerous accounting and technology certifications along with a Master’s in Information and Telecommunication Systems from the Johns Hopkins University and a Master’s in Nuclear Engineering from the University of Tennessee at Knoxville. He has a keen interest in all topics related to information security, national security and homeland defense, and conducts independent research projects on specific subject matter for various entities.
Author: Charles Denyer