PCI DSS Project Planning Guidance & TipsPublished November 26, 2020 by Tricia Scherer • 3 min read
As businesses mature and expand, their data security responsibilities grow as well. Of particular concern to many organizations is PCI DSS: the Payment Card Industry Data Security Standard for processing payment card data.
That should be no surprise. Growth brings complexity within the organization and with the relationships, your business had with third parties. To control that complexity and mitigate risks that could potentially lead to catastrophic business disruption, organizations need to cultivate awareness of PCI within their business and maintain compliance with the standard. Your ability to keep processing payment card transactions depends on it.
We’ve developed this guide to help you ensure that you can support your growth by building a strong foundation geared toward PCI compliance, and ultimately, safe, trustworthy transactions with your customers.
In this post, we’ll cover:
- What’s required for PCI compliance
- How to plan PCI compliance implementation
- How to test your PCI compliance
PCI DSS Project Plan
Before getting into the details of a PCI compliance project plan, let’s begin by reviewing the compliance requirements for the PCI Data Security Standard.
What is required for PCI compliance?
- Protect cardholder data by installing and managing a firewall.
- Use custom passwords and information security policies instead of any default settings provided by vendors.
- Implement safeguards to protect stored credit card information.
- Encrypt any payment card data that is transmitted over open, public networks.
- Install anti-virus software as a means of vulnerability management.
- Build and maintain systems and applications that provide a secure cardholder data environment.
- Limit the chance for non-compliance by keeping cardholder data access restricted.
- Give any users acquiring bank information and cardholder data unique identifiers.
- Restrict onsite physical access to cardholder data.
- Log any access to cardholder data as a means for maintaining compliance.
- Ensure systems are PCI-compliant by running routine compliance testing.
- Create data protection policies throughout your business to address information security.
Given those PCI DSS requirements, how can you go about implementing a comprehensive approach for moving your entire organization toward PCI compliance?
How do you manage PCI compliance implementation?
The importance of obtaining and maintaining PCI compliance can’t be understated. The major credit card brands—Visa, MasterCard, Discover, and American Express—all require compliance, and any merchants that experience a breach can be subject to fines, card replacement fees, and other costs associated with forensic audits.
With numerous payment options, complex network infrastructures, and multiple third-party merchant services involved, it’s only logical to embed these security measures into all facets of your business needs.
You can begin with these best practices as dictated by the PCI Security Standards Council, which provides an excellent roadmap to compliance.
- STEP 1: Begin with a risk management audit of all of the cardholder data you are responsible for, your payment processing service providers, and your business processes. Perform a gap analysis to identify areas of vulnerability that could risk exposure of sensitive data.
- STEP 2: Go through each vulnerability one by one and remediate the vulnerabilities in order of risk severity. If possible, you want to avoid storing cardholder data entirely. Instead, opt for storing this data with a qualified external provider. This is the quickest way to achieve PCI compliance.
- STEP 3: Report your compliance, including all documentation of remediated vulnerabilities, to the relevant banks and credit card companies that you do business with.
How do you test PCI compliance?
To ensure that you’re meeting all the necessary guidelines for PCI compliance, you can appoint a project manager or a QSA (Qualified Security Assessor) to provide attestation to your compliance through a Self Assessment Questionnaire (SAQ).
You must test each one of the controls and vulnerability fixes, and collect evidence that each is working as it should. We recommend performing these tests routinely to ensure that compliance is maintained since non-compliance can occur over time under lax supervision.
Compliance will be determined based on your entire payment transaction lifecycle. That includes the point-of-sale system, the application that processes payment information, where and how the information is stored, the security of the routers transmitting the information, how the data is encrypted, and more.
To achieve PCI DSS compliance, organizations must embed a defined set of security measures into all aspects of their business.
To meet these requirements, we recommend starting with an audit of your systems and processes, plus an inventory of all the cardholder data your organization is responsible for. Then perform a risk assessment to find areas where you lack the proper security protocols to protect sensitive data, and fill those holes.
Furthermore, we recommend frequent monitoring and testing to ensure that these high standards are upheld over the long term, to avoid any chance for catastrophic data loss and significant financial penalties.
If you’d like help building a foundation of information security throughout your organization, and ensuring that you can obtain and maintain compliance with PCI DSS, please fill out the form below and we’ll reach out to discuss how we can partner together.