Why should you follow a prioritised approach for PCI DSS compliance?


To help secure payment card data and achieve PCI DSS compliance, a prioritised approach lets an organisation reduce the risk of a cardholder data breach incrementally, tackling the highest-risk gaps first rather than trying to address all of the Standard's requirements at once.

The PCI Security Standards Council has developed a Prioritised Approach, which provides a structured guide to track compliance by prioritising the top compliance activities, based on six key milestones.

It is not a substitute for the twelve PCI DSS requirements, and it does not change what an assessment must cover, but it does offer a faster way of approaching compliance by identifying high-risk areas, addressing the most serious threats first and helping to monitor ongoing compliance.

Due to the comprehensive nature of the Standard, many people who are responsible for cardholder data security may wonder where to start the continuous journey of compliance. According to the PCI Security Standards Council, “The roadmap helps to prioritise efforts to achieve compliance, establish milestones, lower the risk of cardholder data breaches sooner in the compliance process, and helps acquirers objectively measure compliance activities and risk reduction by merchants, service providers, and others. The Prioritized Approach was devised after factoring data from actual breaches”.

The Prioritised Approach helps address risks in priority order; it follows a pragmatic approach that allows for ‘quick wins’; it supports financial and operational planning; it promotes objective and measurable progress indicators; and it helps promote consistency between assessors.

Below are the six milestones in the Prioritised Approach according to the official document.

1. Remove sensitive authentication data and limit data retention.

This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. Sensitive authentication data (full track data from the magnetic stripe or chip, the card verification code or value, and PINs or PIN blocks) must never be retained after authorisation, even in encrypted form; for other cardholder data, define and enforce a retention period so that anything no longer needed for a business, legal or regulatory reason is securely deleted. If you don’t need it, don’t store it.

2. Protect systems and networks, and be prepared to respond to a system breach.

This milestone targets the controls for the points of access that attackers use in most compromises (network perimeters, remote access, unpatched systems and malware), together with the incident response processes needed to detect and respond to a breach.

3. Secure payment card applications.

This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

4. Monitor and control access to your systems.

Controls for this milestone allow you to determine who is accessing your network and cardholder data environment, what they accessed, when, and how, through access control, unique user IDs, authentication and logging.

5. Protect stored cardholder data.

For those organisations that have analysed their business processes and determined that they must store Primary Account Numbers (PANs), Milestone Five targets key protection mechanisms for that stored data: the PAN must be rendered unreadable wherever it is stored (for example by truncation, one-way hashing, tokenisation or strong cryptography with proper key management), and it must be masked when displayed to anyone without a business need to see the full number.

6. Finalise remaining compliance efforts, and ensure all controls are in place.

The intent of Milestone Six is to complete PCI DSS requirements, and to finalise all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

The Prioritised Approach can help to identify the assets at greatest risk, creates a common language around PCI DSS implementation and assessment efforts, and enables organisations to demonstrate continual progress on compliance to acquirers and assessors. Note that completing a milestone is not the same as being compliant: an organisation is only PCI DSS compliant once all applicable requirements are met, so the milestones are a planning and reporting tool rather than a reduced set of obligations.

The PCI Security Standards Council has also issued an Excel spreadsheet tool that maps each PCI DSS requirement to its milestone, so that it can be used to track progress when following the Prioritised Approach.

Whether your organisation is a merchant or a service provider, IT Governance’s QSA-approved consultancy services can help you to improve your cyber security and comply with the contractual requirements of the PCI DSS in the shortest timeframe and for the minimum cost.
