5 Simple Ways to Get PCI Compliant

Learn 5 basic practices to get PCI compliant, whether you're new to PCI or a compliance veteran.

Whether you’re new to PCI or a compliance veteran, take time to review your past PCI compliance efforts and plan future PCI DSS efforts.

See also: What are the 12 requirements of PCI DSS Compliance?

1. Document everything

Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also keeps your security efforts organized and gives you evidence that the work was actually carried out.

Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.

Whenever you make changes in your business’s security, have your employees document the change. It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.

If you document everything throughout your PCI DSS process, you’ll save time and be more secure.

2. Determine your PCI scope

It’s vital for businesses to determine what is ‘in-scope,’ meaning whether a particular person, process, technology, or component stores, processes, or transmits payment card data. If it does, or if it is connected to a system that does, it must be PCI DSS compliant.

See also: PCI Scope Categories: Keeping Your Card Data Separate

Some system components that may be in scope for your environment include:

  • Networking devices
  • Servers
  • Routers
  • Applications
  • Computing devices

You can’t protect what you don’t know about. If you don’t know where your credit card data is, it’s impossible to secure it and get compliant. Create a cardholder data flow diagram for all in-scope networks. This will help you properly understand the scope of your business by documenting where your card data is received, stored, and transmitted.

See also: PCI Consultants Say: Reduce Your Scope

3. Segment your network

Network segmentation is a good idea if you’re looking for the easiest way to reduce cost, effort, and time on getting compliant.

Network segmentation is done by physically or logically separating the systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical air gaps.

Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.
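The scoping rule in section 2 (a component is in scope if it handles card data or is connected to a system that does) and the segmentation idea in section 3 (block the connections that pull systems into scope) can be checked mechanically. The script below is an added example and is not code from the original article or from any PCI tool; the inventory, host names and permitted firewall flows are constructed sample data, and the "connected" test is deliberately conservative: any permitted flow, in either direction, counts as a connection.

```python
"""Toy PCI scoping model (added example, constructed data).

A component is in scope if it stores, processes or transmits cardholder
data (CHD), or if it can connect to a component that does.  Scope is
therefore the transitive closure of "permitted connection" starting from
the CHD-handling systems.  Segmentation works by blocking the flows that
cross the boundary, which shrinks that closure.
"""
from collections import deque

# Constructed inventory: component name -> True if it handles CHD.
INVENTORY = {
    "pos-terminal-01": True,
    "payment-gateway-proxy": True,
    "card-db": True,
    "web-shop": False,
    "hr-fileserver": False,
    "marketing-laptop": False,
    "jump-host": False,
}

# Constructed firewall policy before segmentation: (source, destination, port).
FLOWS_BEFORE = [
    ("pos-terminal-01", "payment-gateway-proxy", 443),
    ("payment-gateway-proxy", "card-db", 5432),
    ("web-shop", "card-db", 5432),          # shop reads the card database directly
    ("jump-host", "card-db", 22),           # admin SSH into the CDE
    ("marketing-laptop", "jump-host", 22),  # laptop may reach the jump host
    ("hr-fileserver", "web-shop", 445),
]


def in_scope(inventory, flows):
    """Return the set of components in PCI scope for the given policy.

    Starts from every CHD-handling component and walks permitted flows in
    both directions (a flow in either direction is still a connection to
    the CDE), so scope spreads transitively through the network.
    """
    adjacency = {name: set() for name in inventory}
    for src, dst, _port in flows:
        if src not in inventory or dst not in inventory:
            # "You can't protect what you don't know about": an undocumented
            # endpoint in the firewall policy is a scoping error, not noise.
            raise ValueError(f"flow {src}->{dst} references an unknown component")
        adjacency[src].add(dst)
        adjacency[dst].add(src)

    scope = {name for name, handles_chd in inventory.items() if handles_chd}
    queue = deque(scope)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def flows_to_review(inventory, flows):
    """Permitted flows that cross the CDE boundary.

    One endpoint handles CHD and the other does not; each such flow is a
    candidate to block, or to justify and document, when segmenting.
    """
    return [f for f in flows if inventory[f[0]] != inventory[f[1]]]


def apply_segmentation(flows, blocked):
    """Return the flows that remain once the listed flows are blocked."""
    return [f for f in flows if f not in blocked]


if __name__ == "__main__":
    before = in_scope(INVENTORY, FLOWS_BEFORE)
    crossing = flows_to_review(INVENTORY, FLOWS_BEFORE)
    after = in_scope(INVENTORY, apply_segmentation(FLOWS_BEFORE, crossing))
    print("in scope before segmentation:", sorted(before))
    print("boundary-crossing flows to review:", crossing)
    print("in scope after blocking them:", sorted(after))
```

With the constructed policy, two flows (the web shop's direct database access and the SSH path through the jump host) drag every non-payment system into scope; blocking them leaves only the three CHD-handling components. The real exercise is the same loop: inventory everything, list what the firewalls actually permit, and keep cutting or justifying boundary-crossing flows until the in-scope set matches the cardholder data flow diagram.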

4. Spend money and time to train all staff

Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time to properly train their employees in security.

Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.

See also: Employee Training in Data Security: What You Should Do

Remember to require employees to sign the policy documentation annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.

5. Work with a security professional

Security experts and Qualified Security Assessors are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS.

QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.

If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.

Get compliant with PCI DSS

Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating and updating your PCI compliance program; don’t forget to add the new and revised requirements to your new/existing program.

Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.

See also: The Importance of the PCI DSS: Why You Should Get Compliant
