In our last post, we discussed the 6 reasons why you should comply with the PCI DSS standard. Following on from that, here are 8 steps that you need to take in order to obtain your PCI DSS compliance.
Before we start, it is important to recognise that PCI is not a one-off exercise that you go through, finish and then forget about. The agreed standards are there to influence all of your projects going forward and should permeate throughout your organisation.
From the outset it is also important to recognise that a great deal of work will be needed to establish documented standards appropriate to your organisation. Those standards need to:
- be approved by your senior management,
- be reviewed regularly and
- be tested and approved by your chosen Qualified Security Assessor (QSA).
To get to such a point, we suggest that you carry out the following 8 steps to ensure your PCI compliance:
8 Steps to PCI Compliance
- Get buy-in from your senior management.
- Find a Qualified Security Assessor (QSA) that you feel that you can work with.
- Determine your Budget.
- Discover and understand the PCI standards.
- Reduce your scope.
- Challenge where you need to.
- Ensure that you are organised.
- Communicate with all stakeholders.
Here are the 8 steps described in greater detail:
1. Get buy-in from your senior management.
When the topic of PCI arises at board level, C-level senior executives sometimes believe that the initiative is being driven by the IT department, rather than by the payment industry and your acquirer. Your acquirer is the entity that you use to authorise your payments and is most often your bank.
It is important that you highlight the importance of obtaining PCI DSS compliance to your senior management team at this early stage, ensuring that they are aware of the risks involved if you do not comply.
By bringing your senior management along on your PCI journey, they will better understand the importance of PCI DSS compliance and will be better placed to add their input when needed. By recognising and appreciating the role of, and buy-in needed from, your entire organisation, they can become PCI champions, ensuring that obstacles are overcome and results are delivered.
2. Find a Qualified Security Assessor (QSA) that you feel that you can work with.
There is a wide range of Qualified Security Assessors who work with different types and sizes of organisation. You can find potential candidates on the PCI Council website, or get recommendations from your IT services provider or other trusted third parties.
It is vital that you take the time to meet with your various QSA options to better understand their specific skills and expertise in your market. As you will be working so closely with your QSA to deliver on your PCI compliance, it is essential that you look beyond their quote to ensure that you feel that you can work well together, even when under pressure.
Choosing the right QSA for your needs is similar to carrying out job interviews, where you are looking for the right person, with the right skill set who you feel would be a fit for your organisational culture.
There will be a lot of PCI related challenges that you will have to face together, so it is important that both you and your chosen QSA feel comfortable with, understand and trust each other from the start.
3. Determine your Budget.
In association with your chosen QSA, it is important that you identify the potential costs of obtaining PCI compliance for your organisation, taking into consideration your specific circumstances. Elements to consider are QSA consultancy fees, IT services changes, the time needed by your team to provide input, time and budgets for training, etc. For example, you may also find that you need certain roles backfilled by contractors while your team helps with your PCI compliance, so it is important that you budget for such eventualities.
4. Discover and understand the PCI standards.
It is vital that you discover and understand the PCI standards from an early stage. That way you can better engage with your QSA and get up to speed as quickly as possible.
The PCI Security Standards Council provides a great deal of useful information in its document library. You may, for example, have multiple SAQs (Self-Assessment Questionnaires) to complete. Most merchants will need to complete SAQ-C (“Merchants with Payment Application Systems Connected to the Internet – No Electronic Cardholder Data Storage”), but if you have an e-commerce environment you may also need to complete SAQ-A.
5. Reduce your scope.
Having taken the time to understand the PCI standards, it is wise to look to reduce the scope of your project as much as possible. Along with “network segmentation”, “scope reduction” will allow you to reduce your compliance burden and minimise risk, by designing your network in such a way that only defined source and destination TCP/IP addresses and ports are allowed to transit between network segments. As an example, your payment card devices and associated data traffic should not be accessible from elsewhere on your network.
By engaging with your network service provider to review your network design, you can work together to establish how you can implement segmentation to isolate your cardholder data environment, minimising the impact that PCI compliance would have on your environment.
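One practical way to keep a segmentation design honest is to write the agreed cross-segment allow-list down and test observed or planned flows against it, so that anything not explicitly permitted between segments is flagged. The script below is an added example, not code from the original post or from any vendor or QSA; the segment ranges (CDE, POS, office), the acquirer range (a TEST-NET-3 placeholder), the allowed rules and the sample flows are all constructed for illustration.

```python
"""
Segmentation policy check (added example, not from the original post).

Given a default-deny allow-list of source segment -> destination segment ->
destination port, classify a set of flows and return those that would cross
a segment boundary without an explicit rule. Every address range, port and
flow below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segments: cardholder data environment (CDE), POS terminals, office LAN.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),
    "pos": ipaddress.ip_network("10.20.0.0/24"),
    "office": ipaddress.ip_network("10.30.0.0/16"),
}
# Placeholder acquirer range (RFC 5737 TEST-NET-3), standing in for a real provider.
ACQUIRER = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int          # destination TCP port
    purpose: str       # why the path exists; useful evidence for the QSA


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# The allow-list: only these source/destination/port combinations may cross
# between segments. Everything else is denied by default.
ALLOWED: List[Rule] = [
    Rule(SEGMENTS["pos"], SEGMENTS["cde"], 443, "POS terminals to payment gateway over TLS"),
    Rule(SEGMENTS["cde"], ACQUIRER, 443, "payment gateway to acquirer over TLS"),
]


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow, rules: List[Rule] = ALLOWED) -> bool:
    """True if some rule explicitly permits this source, destination and port."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in r.src and d in r.dst and flow.port == r.port for r in rules)


def check_flows(flows: List[Flow], rules: List[Rule] = ALLOWED) -> List[Flow]:
    """Return the cross-segment flows the policy would not permit.

    Flows that start and end inside the same segment are not segment
    crossings and are skipped; the segmentation design does not govern them.
    """
    violations = []
    for f in flows:
        if segment_of(f.src) == segment_of(f.dst):
            continue
        if not is_allowed(f, rules):
            violations.append(f)
    return violations


# Constructed sample flows, e.g. from a firewall log or a planned change.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.10.0.5", 443),      # POS -> CDE gateway: permitted
    Flow("10.30.4.22", "10.10.0.5", 3389),     # office -> CDE RDP: not permitted
    Flow("10.20.0.15", "10.10.0.5", 22),       # POS -> CDE SSH: wrong port, not permitted
    Flow("10.10.0.5", "10.10.0.9", 5432),      # inside the CDE: not a crossing
    Flow("10.10.0.5", "203.0.113.10", 443),    # CDE -> acquirer: permitted
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION: {segment_of(v.src) or 'external'} {v.src} -> "
              f"{segment_of(v.dst) or 'external'} {v.dst}:{v.port}")
```

Run against real firewall logs or a proposed change, the same check turns the “only defined addresses and ports between segments” rule into something you can demonstrate to your QSA rather than assert; the `purpose` field on each rule doubles as the business justification PCI DSS asks you to document for every permitted path.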
6. Challenge where you need to.
Some of the standards that you are expected to meet may appear to be illogical when you get “under the hood” of your cardholder data environment. Take your QSA's advice and approach your acquirer together to challenge any specific areas that you feel you need to. You will need to show evidence of your environment, the steps you are taking to mitigate any risk, and any future plans to deploy new technology or processes.
7. Ensure that you are organised.
Due to the complexity of many PCI DSS compliance journeys, it goes without saying that you need to be organised. It is often wise to create a ‘PCI task force’ to help share your workload. It is worth finding out if anyone in your organisation has any experience and looking to get them involved in your team, as their knowledge will be invaluable. You may also wish to introduce a project manager to help you keep the project on track; with many hands making light work, you can ensure that you deliver your SAQs to your acquirer in good time.
8. Communicate with all stakeholders.
Acquirers and card brands like to know what is going on with all of their merchants for PCI. This is especially true when a merchant is commencing their PCI journey. The schemes (starting with Mastercard and Visa) require that their members (acquirers) submit quarterly reports on the compliance status of the merchants (you) that accept card payments.
Each quarter you might be prompted to submit a report showing your progress towards compliance, measured in milestones, outlining how many of the objectives you have met. It is therefore important to plan your PCI project around these milestones and update your PCI DSS compliance report accordingly.
Additionally, you will have to communicate your progress with your senior management and your colleagues, ensuring that everyone knows where you are on your journey and knows how they can help.
With such a large number of customers in retail, restaurants and hospitality, we have had the pleasure of working with a variety of QSAs to ensure that our customers attain their PCI DSS compliance with a minimum of fuss.
Contact us on 0333 123 0360 or contact us online to engage with us and benefit from our extensive knowledge, which will help ensure that your PCI DSS journey is as pain-free as possible.