Meeting PCI DSS is a complex, ongoing effort that requires clear commitment and direction from an organization’s executive level on down and can’t be relegated to merely an IT or compliance department problem. One of the most challenging aspects of PCI DSS is clearly identifying the scope of the environment: the scope is any network segment, facility or process that stores, processes or transmits payment card data or anything that connects to or affects the security of systems or networks that store, process or transmit.
Without careful network segmentation, PCI DSS scope could extend to include significant portions of a businesses’ network and systems.
The requirements themselves address governance and documentation, such as policies and risk assessment, as well as processes like user or vulnerability management and technologies such as system hardening or cryptography and key management.
When addressing your PCI DSS compliance obligations, here are the three strategies to get started:
- Plan ahead – PCI DSS compliance cannot usually be achieved in days or weeks, but takes extensive cooperation throughout the organization and extensive effort.
- Understand the scope – Scope is often larger than other compliance frameworks like SOC 2 or ISO 27001, and many organizations don’t take the time to understand all of the locations that handle payment data or the environments that have access.
- Bring in expert help early – A complex compliance framework like this contains many corner cases and troublesome areas, and experienced assessors (called Qualified Security Assessors or QSAs) can help navigate some of the challenges. Get help in the form of readiness or gap assessment before engaging with PCI DSS the first time before undergoing actual assessment.
Ready to get started?
The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.