//

Top Tips to Improve PCI DSS Compliance

    • Home
    • Blog
    • Top Tips to Improve PCI DSS Compliance

Top Tips to Improve PCI DSS Compliance

Top tips for PCI DSS compliance with 3SCWorld

PCI DSS Compliance, also popularly known as PCI or PCI Compliance, is a security standard put in place by the Payment Card Industry Security Standards Council (PCI SSC). The standard lists twelve overarching requirements which, if observed by all credit card users, can help reduce credit card fraud and ultimately, better protect the cardholders.
According to Rodolphe Simonetti, the managing director at Verizon Enterprise Solutions, the increase in high profile data breaches is partly caused by failure to fully comply with PCI DSS. In a recent PCI compliance report released by Verizon, Mr. Simonetti encourages businesses to embed compliance in normal business processes arguing that “it should be a year-round activity.” Referring to the latest victims of major data breaches, he states that none of the companies were fully compliant at the time of the breach, noting that it has become a trend for companies to stop complying just a few weeks after the assessment. In other words, the first step in compliance is to always be compliant.

Verizon’s PCI Security compiles a list of four practices that that can help you keep your organization PCI compliant.

1. Think of compliance differently

Mr. Simonetti advises that you should view PCI DSS as the basic minimum standard for whatever security efforts you engage in. However, the standard must also be treated not as the blueprint of security, but as one piece of the wider jigsaw. So, PCI shouldn’t be the checklist; it should be a part of the checklist. The best way to do this, according to Mr. Simonetti, is to put your PCI compliance strategy within the company’s Governance, Risk, and Compliance (GRC) strategy.

2. Make PCI DSS compliance sustainable

One reason why so many organizations can’t remain compliant is because they never set up to be compliant. Many times, companies treat PCI compliance as a goal that once achieved can be checked off. This, often causes these companies to lapse in compliance within a short time after compliance. Considering that it takes just a few minutes on a new uncontrolled Wi-Fi access point to break into a database, this lapse in concentration is simply not allowable. Compliance shouldn’t be just about technology; it should involve the whole business and requires staff education.

3. View compliance as a challenge

The compliance process is not easy and so must it be treated. You’ll be transmitting, processing, and storing CHD over hundreds of systems, cutting across public and private networks, and passing though hundreds to thousands of staff and customers. DSS 2.0 comes with 289 controls that must be implemented correctly; DSS 3.0 has even more controls. Simply put; to be able to comply successfully, you need to fully appreciate the challenge that comes with that compliance.

4. Use compliance as an opportunity

Yes, compliance can be hectic, however, compliance also comes with several exploitable opportunities. For example, as you map your CHD flows across systems and processes;
• You get the opportunity to consolidate your systems, which allows you to reduce scope while you cut on costs associated with software licensing and maintenance.
• You’ll be able to rationalize your list of suppliers.
• You can identify, streamline, and transform outdated processes often resulting in reduced staffing.
• You’ll be able to identify holes and apply required patches consequently improving uptime and system performance.

Summary

PCI DSS Compliance poses a challenge for all organizations – big and small. In addition to the tips listed above, you should try to minimize the amount of data you need to protect.

One Response to “Top Tips to Improve PCI DSS Compliance”

  1. Charles Denyer 12/15/2014 at 9:32 pm Permalink

    Great article and as a QSA, I can tell you that the two most challenging aspects of PCI compliance are (1). Determining which of the Self-Assessment Questionnaires (SAQ) to use (they seem to keep adding more!) and (2) developing all the mandated information security and operational policies and procedures for PCI compliance. With the introduction of SAQ A-EP, the laundry list of SAQ documents keeps getting longer and complex. Additionally, if you look at the actual PCI standards, there’s literally dozens of mandated policies and procedures that must be in place for both merchants and service providers. Luckily, you can find free and cost-effective templates online for download. And don’t forget that security awareness training is also mandated, which is highly essential for not just compliance with PCI, but from an information security best practices perspective.

Leave a Reply