May 24, 2024

How to be PCI Compliant in 5 steps

Jose Alvarado


Table of Contents

Overview
How to be PCI Compliant in 5 steps
WHO is asking you for your compliance?
WHAT needs to be compliant?
WHAT PCI requirements apply to you?
WHAT do we have and WHAT do we need to be compliant?
WHO will attest to your compliance?

Overview

The Payment Card Industry Security Standards Council (PCI SSC) is the body, founded by the major card brands, that develops and maintains the Payment Card Industry Data Security Standard (PCI DSS), the information security standard that applies to any organization storing, processing, or transmitting cardholder data. PCI DSS is organized into 12 requirements. Every in-scope organization must meet the requirements that apply to it; what varies is how compliance is validated. At the highest validation level (typically driven by transaction volume, or by a demand from your acquirer or a card brand), an independent assessor performs an on-site assessment and produces a Report on Compliance (ROC). If your bank, partner, acquirer, or card brand does not require that, you may be able to validate by completing the appropriate Self-Assessment Questionnaire (SAQ) instead.

Why it matters: banks, partners, acquirers, and card brands care about your PCI compliance because organizations that handle cardholder data (your card number and related details) must keep that data secure. If such an organization is compromised, threat actors can use the stolen data to place fraudulent charges on the affected credit and debit cards.


How to be PCI Compliant in 5 steps

WHO is asking you for your compliance?

  • First, understand who is asking for your PCI Attestation of Compliance (AOC) and why. If it is a condition of doing business, ask the requestor what they actually need: a full ROC, a specific SAQ, or simply evidence that cardholder data never touches your systems. Many organizations jump into a compliance program without needing one, which leads to unnecessary spending. Invest in security where the risk is highest, not only where compliance demands it.

WHAT needs to be compliant?

  • Scope your environment. PCI DSS is not a single, one-size-fits-all approach; the requirements apply to the cardholder data environment (CDE), meaning the systems, people, and processes that store, process, or transmit cardholder data, plus anything connected to or able to affect the security of those systems. Before you can become compliant, you must know which systems fall within that scope. Reducing scope (for example, by segmenting the CDE from the rest of the network or by outsourcing card handling to a validated provider) is usually the cheapest way to reduce both risk and compliance effort.

WHAT PCI requirements apply to you?

  • Once you understand your scope, identify which requirements apply to your organization. One effective approach is to treat every requirement as required, then justify WHY each one that you believe does not apply is not applicable. A documented list of reasons for each “not applicable” requirement goes a long way during an assessment, because the assessor will ask for exactly that justification.

WHAT do we have and WHAT do we need to be compliant?

  • Perform a gap assessment. This is where you work with a cybersecurity professional who understands the PCI DSS framework to build the controls that meet each requirement, and to write the policies and other documents the standard requires.
  • The gap assessment takes your scope (identified in step 2) and your list of applicable requirements (identified in step 3) and compares your organization’s current security posture against PCI DSS. The result tells you which controls you already have in place that satisfy the standard and which still need to be implemented before you can attest to compliance.

WHO will attest to your compliance?

  • Finally, a Qualified Security Assessor (QSA) company, an organization certified by the PCI SSC, can assess your cardholder data environment and produce a Report on Compliance (ROC), where one is required, together with the Attestation of Compliance (AOC) you hand to the requestor. If an SAQ is sufficient for you, you complete the questionnaire and sign the AOC yourself, although having a QSA review it first is still worthwhile.
