If your organisation stores, transmits or processes payment card data, PCI compliance is something you have to do – but as compliance is based on a self-assessment process for the majority of merchants, how can you be sure you’re doing it well?
Setting aside time to review existing policies, procedures, network architecture, software and protective measures is time well spent – after all, you don’t want a data breach to be the first sign that you aren’t fully compliant!
As a PCI Qualified Security Assessor, Geraint Williams is well practised in spotting areas of non-compliance. These are just three of his time-saving tips for starting a PCI DSS compliance project:
1. Read the Navigating PCI DSS document
Navigating PCI DSS is a free document produced by the PCI Security Standards Council, and it provides a clear outline of the intent of the standard. If you’re starting a PCI DSS project, this will set you on the right path.
2. Start by understanding the complete scope of your organisation’s card data environment
The PCI DSS applies to all system components, including network components, servers, or applications that are included in or connected to the cardholder data environment – this can get complicated!
Accurately mapping the flow of card data through your organisation is the key to getting your scope right. You need to consider all the different areas within your organisation, as well as every instance where card data is sent out to external service providers.
Once you have an accurate scope, putting appropriate procedures and processes in place to ensure compliance is relatively easy.
3. Stick to best practice guidelines – you’ll save time in the long run
The PCI Security Standards Council has developed a best practice approach to compliance, so everything you need to achieve and maintain compliance is already available; it’s just a matter of taking the time to review and act on their recommendations.
Whilst this might take longer in the short term, implementing a best practice approach will save you time in the long run.
With time-saving in mind, we’ve developed the PCI DSS Implementation and Maintenance Training course to equip busy professionals with the skills and knowledge required to implement an efficient, best practice approach to compliance.
If you are new to this standard, you may find this free green paper handy: PCI DSS FAQs