Your Boss comes to you and says
“We need to be PCI DSS compliant by tomorrow and I’m assigning you as the compliance manager.”
Your first thought might be, “what is PCI compliance?” or “why has god forsaken me?” Both are reasonable responses. But neither will get you compliant.
Well fear not. Below is a very high-level idea of what you can expect along with links to further resources:
1. Get familiar with what PCI is all about. High level: PCI-DSS is a security framework the major credit card brands created to ensure businesses that store, process and/or transmit credit card data are meeting a baseline of security controls.
2. Check out the PCI website, https://www.pcisecuritystandards.org. Here you will find all the resources you might need in your compliance journey. Specifically, the document library will be your best friend: https://www.pcisecuritystandards.org/document_library
3. Once you’ve gotten an idea about PCI and the requirements, the next step is to determine what level you are. There are 4 levels, with level 1 being a company that stores, processes and/or transmits large numbers of credit cards. If you are a merchant, you should contact your acquiring bank to determine your level. If you are a service provider you need to determine how many credit cards you store, process and/or transmit annually. If it’s more than 300,000, you are considered a level 1 service provider.
4. If you determine that your company/organization is a level 1 merchant and/or service provider, you must have a PCI Qualified Security Assessor (QSA) come on-site and perform a PCI-DSS assessment. Depending on your environment setup though, you may be eligible for a self assessment questionnaire (SAQ). These forms can be filled out by an authorized individual at your company and submitted as proof of compliance. The “Understanding SAQs for PCI DSS” document within https://www.pcisecuritystandards.org/document_library?category=saqs#results outlines PCI SAQs.
5. If you have any other questions, reach out to a QSA firm or another information security management company to discuss your options and to clarify how PCI-DSS applies to your specific environment.
If you do decide to contact a QSA firm, here are some tips to save you time and money:
- Take inventory of every system in your network. This is critical, as it will be used by you and the QSA to determine what is “in-scope” vs. “out-of-scope”.
- Create a credit card data-flow diagram. This diagram is not only required for PCI-DSS compliance, but will also help you and the QSA determine where credit card data is being stored, processed and/or transmitted.
- Stay patient. Undergoing a PCI-DSS assessment can be very stressful, especially if it is your first time. Your QSA will ask a lot of questions that you may or may not know the answer to. Keep in mind that this is not an attack or criticism; it only means that the QSA has no idea how your network is set up and needs you to show them.
Author: R. Scott Pierangelo MSCS, CISSP, PCIP, QSA, CISA
Silent Storm Security | Founding Partner