Payment Card Industry

The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process or transmit cardholder data. Compliance may be mandatory in order to provide or operate electronic payment services.

PCI standards and requirements keep changing, and the PCI Security Standards Council frequently issues new standards and guidance documents. IT infrastructure, technologies and services change quickly and migrate into different environments, and more and more third-party service providers become part of your business.

25%

of the data targeted in 2018 breaches was card-not-present (CNP) card data

because it is very easy to monetize

260+

requirements and sub-requirements in PCI DSS

which usually need real experts to interpret correctly

Standard process for implementing a PCI DSS compliance program

First, it is important to understand for whom PCI DSS is intended, why it was created, what each of the requirements means, and which parts of the infrastructure, processes and organizational departments it relates to.

The standard does not necessarily apply to the whole entity that must be compliant. To implement all required controls efficiently, it is necessary to know which system components are classified as in scope and which are not. It is also important to distinguish between the cardholder data environment (CDE) and the systems connected to it, because some requirements apply to the CDE only, while others apply to all system components in scope.

It is not surprising that the more system components are in scope, the higher the cost of achieving and maintaining PCI DSS compliance. An efficient reduction of the cardholder data environment, for example through network segmentation or by not storing cardholder data at all, can therefore significantly reduce the cost and time needed to fulfill all applicable requirements. Note that segmentation only reduces scope if it is effective, which is why the standard requires segmentation controls to be tested.

Before the controls can be implemented, the gaps must be identified; this is the goal of the gap analysis. The gap analysis must cover all areas in the CDE scope, and its output should be split between all the teams that own in-scope components so that each team can define its own action plan.

Once the gaps are identified, action plans to close them must be defined, and it must be clear who is responsible for implementing each of them. When the action plans are properly defined, the cost and time needed to implement PCI DSS compliance can be estimated.

After the plans are defined and approved, they must be put into practice. To be fully compliant, roles must be created and assigned; documentation such as policies, configuration standards and operational procedures must be prepared; processes must be defined; and technical security controls must be implemented. To be able to prove compliance, evidence records must be collected throughout.

Implementing all the measures is only the starting point, because compliance is a continuous process that should be part of daily business activities. It includes regular security checks such as wireless scans, internal and external vulnerability scans, penetration tests and firewall rule-set reviews, each at the frequency the standard prescribes (for example quarterly vulnerability scans and at least annual penetration testing). Fulfillment of all these process and technical controls must also be reviewed regularly.

Questions you need to be able to answer

Do we need to be compliant with PCI DSS?

Which other PCI standards apply to us?

How do we define the cardholder data environment (CDE) scope?

Which requirements apply to us?

Can our service providers affect our compliance?

When do we have to comply with newly issued PCI DSS requirements?

How do changes in our business affect our compliance?

Would the evidence we have be sufficient for an auditor?