Mapping out PCI DSS Compliance for your Organization
PCI DSS compliance is not an overnight process; rather, it is the collaboration of numerous initiatives undertaken by various personnel within your organization, all working towards a common goal. In short, it can be a monumental effort by everyone involved to ensure that PCI DSS compliance is ultimately successful. So, where do you begin, what is needed of you and your organization, and where do you find the tools and resources for undertaking PCI DSS compliance?
Outlined below are the key activities, deliverables, and milestones for ensuring your organization is on the right path to PCI DSS compliance.
- Phase I: PCI DSS Readiness Assessment
- Phase II: Remediation & Implementation for PCI DSS
- Phase III: Assessment & Reporting for PCI DSS
PHASE I: PCI DSS READINESS ASSESSMENT
If your organization is new to PCI DSS compliance, then it's wise to begin the process with a Readiness Assessment which helps pave the way toward successful compliance by undertaking the following activities:
- In-depth scoping analysis as it relates to the PCI DSS criteria and its 12 core areas.
- Review and analysis of current policies, procedures, and initiatives throughout the organization for meeting PCI DSS compliance.
- Analysis of the debit/credit (i.e., payment) card "Transaction Environment".
- Analysis of hardware/software systems, components, and all other related application and network layer devices.
- Identification and analysis of all significant third-party outsourcers and managed service providers used by your organization.
- Internal assessment of the personnel available within your organization.
- Cursory, initial walk-through of all 12 core PCI DSS requirements necessary for meeting compliance.
PHASE II: REMEDIATION & IMPLEMENTATION FOR PCI DSS
Immediately after the completion of a PCI DSS Readiness Assessment, it is critical that organizations take corrective action on any deficiencies or weaknesses found that may serve as a roadblock to successful PCI DSS compliance. Generally, one of the areas of concern is documented policies and procedures. While most organizations are very good at what they do, they often lack many of the policies and procedures that are so vital to PCI DSS compliance. Thus, the development of a companywide "Corporate Security Policy & Procedure" Handbook, written to meet the demands set forth for PCI DSS compliance, is essential. NDB Advisory can assist in developing these documents, creating highly customized policies and procedures for your company.
In addition to the policies and procedures, further recommendations may be given on any number of topics or issues regarding PCI DSS compliance, such as adding, removing, and modifying application and network layer devices, enforcing additional security procedures, or a host of other requirements. And because each entity has different needs and requirements based on a number of parameters, this is further evidence of why a Phase I PCI DSS Readiness Assessment is considered crucial.
In short, the remediation and implementation phase is a vital element in ensuring your organization meets the rigorous demands set forth for PCI DSS compliance.
PHASE III: ASSESSMENT & REPORTING FOR PCI DSS
The actual PCI DSS assessment is not a standalone process that starts from scratch; rather, it is a collection of efforts carried over from the Readiness Assessment and the implementation phases. All the time and effort put into Phases I and II have prepared your organization for the assessment and all the testing and validation activities that accompany it. Upon completion of the PCI DSS assessment, there are a host of reporting and deliverable requirements necessary for final confirmation of successful PCI DSS compliance. Reporting and submittal of compliance can become complex, as there are a number of different protocols to follow. Your PCI DSS Qualified Security Assessor (QSA) will assist and guide you on these administrative matters.
Author: Charles Denyer