How to prepare for PCI DSS compliance

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is notoriously complicated. The PCI DSS applies to merchants and service providers that process, transmit or store cardholder data. Merchants that have subcontracted all PCI DSS activities to a third party are still responsible for ensuring that all contracted parties comply with the Standard.

Compliance requirements differ depending on the size of the organisation as well as its role in the process. The criteria that a merchant or service provider has to meet are set by the individual payment brands (Visa, American Express, MasterCard, etc.) and enforced by acquiring banks. Each payment brand has its own compliance programme and sets criteria for compliance based on the volume of transactions made by a merchant or service provider. In general, there are four merchant levels and two levels of service provider, but this varies by payment brand.

Gap analysis and scoping

Understanding and defining the scope of the project is one of the biggest and most important tasks when preparing to comply with the PCI DSS. If the organisation gets the scope wrong, it may affect the rest of the project and almost certainly lead to non-compliance.

It is essential to correctly identify the cardholder data environment (CDE), including where the data sits on the system (both in terms of hardware and software), all of the organisational processes that come into contact with payment card data and when they come into contact with this data.

The PCI DSS strongly recommends that merchants and service providers reduce the scope of the CDE. This is typically achieved by isolating the CDE. The organisation benefits from this by reducing costs and the complexity of both the initial assessment and the maintenance of PCI controls.

Once you have completed your initial scoping of the CDE, conducting a gap analysis will help you to determine which areas do not meet the compliance requirements and to develop a remediation plan. It may also be necessary to conduct vulnerability assessments and penetration testing, among other scans and tests, to establish the organisation's current security posture against the PCI DSS. The PCI DSS comprises 12 requirements and over 220 sub-requirements, some of which can place a considerable burden on an organisation and many of which are open to interpretation.

Given the importance of these initial stages of the compliance process, it is sensible to engage a qualified supplier to conduct the gap analysis for you and to provide a strategic roadmap that explains the changes you need to make to achieve compliance.

IT Governance’s PCI DSS Gap Analysis service provides a detailed review of your current PCI compliance posture and produces a strategic roadmap that can be implemented to achieve full compliance with the Standard.