Myriad merchants find themselves staring down the barrel of PCI compliance and are spending significant amounts of time, money and effort to achieve it. Advice from companies that have been there can help smooth your path.
One of the biggest mistakes organizations make is jumping into their PCI remediation effort without first understanding their company's gaps. It's crucial to realize that every organization has a different maturity level when it comes to technology and compliance. Without first knowing what level you are at, taking a "one size fits all" approach to fixing PCI will spell disaster.
A pre-compliance assessment is imperative and enables you to understand what your PCI compliance effort will entail. The output is a document identifying the gaps between your current state and what the PCI Data Security Standard (DSS) requires.
Some of the items covered in the pre-compliance assessment include:
-- Review of IT infrastructure; PCI-relevant application architecture, policies, procedures and processes; overall network design
-- Gap analysis
-- Network vulnerability scanning
-- Risk analysis
-- Mapping business flows to technology flows
Determine your current state by completing the PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council. The SAQ is divided into six sections, each focusing on a specific area of security. After completing the SAQ, you will have a good idea of which controls and tools are in place.
Cross-Organizational Interaction
PCI requires the whole organization to play nicely together; too many organizations have different IT groups that have developed their own fiefdoms and act as semi-autonomous states. PCI doesn't support such an approach: it requires different groups to collaborate whether they like it or not.
Success with PCI is dependent on how well the numerous groups work together and maintain reasonable expectations. How well this is executed has a direct impact on compliance. The best way to ensure understanding is to set effective ground rules at the beginning of the compliance effort.
Vendor Remediation Support
Your organization has older software and hardware that isn't PCI-compliant. Similar to preparing for Y2K, getting vendors to ensure their products comply with PCI can be a significant issue. How much of an issue depends on your importance to the vendor and the importance of PCI to the vendor.
If you find that your vendor is not PCI compliant and you need an alternative solution, the PCI Security Vendor Alliance (SVA) is a good resource to check. The SVA assists the payment card industry by providing products and services that enable organizations to achieve compliance with the PCI DSS.
PCI Project Manager
Appointing an internal project manager (PM) assists in PCI efforts. The benefit is that one internal point of contact can own the project and be responsible for ensuring its success. The appointed individual can only be as successful as the support they have been afforded. Without senior management support, the process of acquiring additional money and resources to address assessment findings will take significantly longer and cost more than necessary. Additionally, PCI-imposed changes to IT infrastructure and business processes require the full support of mid-level managers and the in-house expertise of senior and junior technical personnel.