Complying with the Payment Card Industry Data Security Standard (PCI DSS) can be complicated, not least due to the self-assessment process the majority of merchants have to go through. One of the challenges PCI DSS implementers face at the very beginning of the project is scoping their organisation's payment card environment.
In a recent blog post, Geraint Williams, PCI Qualified Security Assessor and Senior Consultant at IT Governance, said, "Accurately mapping the flow of card data through your organisation is the key to getting your scope right. You need to consider all the different areas within your organisation, plus all instances where data is sent out to external service providers too. Once you have an accurate scope, putting appropriate procedures and processes in place to ensure compliance is relatively easy."
According to Geraint Williams, reviewing existing policies, procedures, network architecture, software and protective measures is also an essential part of compliance.
Whilst the PCI Security Standards Council has provided guidance on what organisations need to do in order to achieve and maintain compliance, implementers still need to understand how to put these recommendations into practice.
In many cases, organisations have difficulty getting their policies and procedures right, which may then lead to non-compliance. The PCI DSS Documentation Compliance Toolkit, for example, provides documentation templates for all the mandatory PCI DSS policies. It is particularly useful for level 2, 3 and 4 merchants and can easily be incorporated with ISO 27001.
The toolkit is available to download for just £249.95 (less than a one-day consultancy fee) from www.itgovernance.co.uk/shop/p-1011.aspx