Seven areas to focus on when complying with PCI DSS v3.0

Merchants and service providers are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which represents a set of guidelines for securing card data. If a business is found to be noncompliant, it can suffer considerable repercussions.

Despite this, the Verizon 2014 PCI Compliance Report revealed that in 2013 only 11.1% of organisations fully complied with the requirements of the PCI DSS, and only one in five organisations came close to complying and passed 95%+ of controls.

Moreover, organisations must meet the 1 January 2015 deadline for complying with version 3 of the PCI DSS (version 2 is being retired on 31 December 2014). The new version stipulates that compliance monitoring should be an ongoing project.

There are a few key areas you should focus on when complying with the Standard.

1. Reduce the cardholder data environment

It has long been recommended that the scope of the cardholder data environment (CDE) be reduced to simplify implementation of the PCI DSS. Scope reduction can be achieved through a number of methodologies, including network segmentation.

For further guidance on how to achieve this, download the free green paper: PCI DSS: Reducing the cardholder data environment.

2. Create the necessary documentation

Writing documents may be regarded as a ‘tedious’ or ‘time-consuming’ task, but it is an essential aspect of any information security management system. Organisations need to know where cardholder data sits within their infrastructure, who has access to it and what layers of protection are being applied. The relevant policies and processes should be documented, implemented and kept up to date. Using pre-written PCI DSS document templates will help save time and resources while ensuring the most important processes are documented and updated.

3. Develop a penetration testing methodology

PCI DSS v3 makes it clear that organisations need to test the segmentation of their cardholder data environment from the rest of their network as part of internal penetration testing. Additionally, organisations are required to have a methodology for penetration testing based on industry-accepted approaches, and to ensure that testing covers the entire CDE perimeter and critical systems. Companies must also specify how long penetration testing results and the records of remediation activities are retained.

4. Educate your employees

Ensure that your employees are aware of their responsibility to protect customers’ cardholder data and the procedures in place to do so. PCI DSS v3.0 clarifies the requirements for password education, in addition to changes in the requirements involving passwords and authentication. At the same time, new requirements on providing point-of-sale security training and education aim to improve the security of card transactions.

Web-based PCI DSS e-learning can help to increase employees’ awareness of the PCI DSS requirements, and to provide clear and simple explanations of what companies and individual employees must do to meet the requirements of the current version (v3.0) of the Standard.

5. Ensure you nurture PCI skills internally

In order for your organisation to monitor compliance on an ongoing basis and perform daily PCI tasks, you need to train people within your team. Look at this as an investment rather than an expense, given the importance of security for your organisation and the potential financial and reputational damage that could result from a breach. You need people whose skills and knowledge you can trust.

Attending a PCI DSS v3 SAQ Workshop will help you complete the new PCI DSS v3 self-assessment questionnaires (SAQs). The PCI DSS Lead Implementer course, meanwhile, will ensure you develop the practical skills required to comply with the Standard.

6. Clarify the relationship between merchants and service providers

Requirement 12.8.5 of PCI DSS v3 mandates maintaining information describing which PCI DSS requirements are managed by each service provider, and which are managed by the organisation itself. This means ensuring that the point where the responsibility for protection of cardholder details moves from the merchant to the service provider is recorded and agreed between the merchant and the service provider, reducing misunderstandings.

7. Appoint a PCI QSA company

There’s no doubt that complying with the PCI DSS for the first time or maintaining compliance isn’t an easy project. Even if you can rely on internal resources, there will be instances when you may need help with certain aspects of the project. Rather than ignoring the problems, or handling them incorrectly, it’s better to seek professional help – after all, your company’s security is at stake. Therefore, look to appoint a PCI QSA company you trust that is able to provide ongoing support as and when you need it.