Payment Card Industry

Payment Card Industry

The Payment Card Industry Data Security Standard applies to all entities, that are storing, processing or transmitting cardholder data. Being compliant may be mandatory to be able provide or operate electronic payment services.

PCI standards and requirements are changing, and PCI Security Council is frequently issuing new different standards and guidance documents. IT infrastructure and IT technologies and services are quickly changing and migrating into different environments. More third-party service providers are part of your business.

25%

of most common types of data breaches targeted were card-not-present data in 2018

because it is very easy to monetize them

260+

requirements in PCI DSS

usually need real experts to understand it

Standard process of implementing PCI DSS compliance program

First is important to know and understand for whom the PCI DSS is intended, why it was created, what is the meaning of all the requirements and which part of the infrastructure, processes and organization departments it is related to.

The standard should not be relevant for whole entity that should be compliant. To efficiently implement all required controls, it is necessary to know which system components are classified as in scope and which are not. It is also important to distinguish between cardholder data environment (CDE) and connected systems, because some requirements are applicable for CDE only and some are applicable for all system components in scope.

It is not surprising, that the more system components are in scope, the higher cost for implementing and keeping PCI DSS compliance is, therefore efficient reduction of cardholder data environment can significantly reduce costs and time needed to implement all measures to fulfill all applicable requirements.

To implement all the controls, gaps must be identified. This is goal of the gap analysis. The gap analysis must cover all the areas that are in CDE scope. To be able to define action plans, the gap analysis output should be split between all the teams that are included in scope. Output of gap analysis is also input for action plans.

When the gaps are identified, action plans to fix them must be defined and it must be clear who will be responsible for their implementation. If the action plans are properly defined, costs and time needed for PCI DSS compliance implementation can be evaluated.

After the plans are defined and approved, it is necessary to make them alive. To be fully compliant, roles must be created and assigned, documentation like policies, configuration standards and operation procedures must be prepared, processes must be defined and technical security controls must be create. To be able to prove the compliance fulfillment, evidence records must be gathered.

Implementing all the measures is just the starting point, because compliance is continuous process that should be part of daily business activities including  several regular security checks like wireless & vulnerability scans, penetration test, firewall reviews, etc. Fulfillment of all these process and technical controls must be  also regularly  reviewed.

Questions you need to know answer for

Do we need to be compliant with PCI DSS?

What other PCI standard are applicable for us?

How to define cardholder data environment (CDE) scope?

Which requirements are applicable for us?

Can our service providers impact our compliance?

When we have to comply with the newly issued PCI DSS requirements?

How are changes in our business affecting the compliance?

Would be the evidence we have sufficient for an auditor?