Are you ready for the new PCI DSS standard? We show you how in 4 clear steps
The deadline is looming. On 31 October 2016 version 3.1 of the Payment Card Industry Data Security Standard (PCI DSS) will be retired. From that date, assessments must be performed against PCI DSS 3.2; the new requirements it introduces are considered best practice until 31 January 2018 and become mandatory on 1 February 2018. Since the release of PCI DSS 3.2, many organisations have started bringing in the required security and compliance changes. Those that are still not compliant even with PCI DSS 3.1 remain easy targets for attackers.
Whether you seek professional help or use internal resources to become PCI compliant, understanding the process and planning your approach is essential. Here we break it down into 4 clear steps.
1. Document all operations
Keep a record of all your policies and procedures, and of the decisions made during the normal course of business operations. PCI DSS itself requires documented security policies (Requirement 12), and your assessor will ask for evidence that they are followed. This information also helps you and your employees diagnose and rectify issues as they emerge: a record of how a past decision worked out tells you whether to try a different response if a similar problem occurs in future.
Documentation helps you
- Identify existing security issues in your organisation.
- Increase the uniformity and quality of your compliance process.
- Establish accountability by serving as a standardised reference for who decided what, and when.
- Provide the evidence an assessor needs when you document the entire PCI DSS process.
2. Assess the scope
Save time by assessing scope right from the outset. Scope includes all people, processes and system components that are directly or indirectly involved in storing, processing or transmitting cardholder data, together with any system connected to those components. Determining scope lets you fully protect all areas where cardholder data may reside. We recommend a cardholder data flow diagram covering all entities, inputs and outputs to illustrate precisely where and how your data is stored, received or transmitted; PCI DSS Requirement 1.1.3 in fact requires a current diagram of all cardholder data flows, so the assessor will ask for one.
Scope assessment helps you
- Save time achieving PCI DSS compliance certification.
- Utilise resources more efficiently for greater return on investment.
- Reduce complexity and cost by only implementing the controls you actually need.
- Develop the groundwork for remediation planning.
- Identify and protect all cardholder data, which is what your customers ultimately care about.
It is also good practice to reduce your PCI DSS scope, which minimises the number of systems that must meet every requirement. This is usually achieved through network segmentation, in which the cardholder data environment (CDE) is isolated from the rest of the business network. Two caveats: a flat network with no segmentation puts the entire network in scope, and segmentation only counts if it is verified, since PCI DSS Requirement 11.3.4 calls for penetration testing of the segmentation controls at least annually and after any change to them (PCI DSS 3.2 adds a six-monthly test for service providers in 11.3.4.1).
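As an added example (not part of the original article, and not Stickman's own tooling), the following script applies the PCI DSS scope definition to a constructed inventory: systems that store, process or transmit cardholder data form the CDE, anything sharing a network segment with them is in the CDE too, and anything with an allowed flow to or from the CDE is in scope as a "connected-to" system. It goes slightly beyond the text by also checking a list of systems the business believes are out of scope against the actual firewall rules, which is the question a segmentation test has to answer. All host, segment and rule names are hypothetical.

```python
"""Scope analysis for a PCI DSS assessment.

Constructed, hypothetical inventory and firewall rules; system and segment
names are illustrative only.  Classification follows the PCI DSS scope
definition: systems that store, process or transmit cardholder data form the
cardholder data environment (CDE); any system on the same network segment is
in the CDE as well (a flat network puts everything in scope); and any system
with allowed connectivity to or from the CDE is in scope as "connected-to".
"""

CDE = "cde"
CONNECTED = "connected-to"
OUT = "out-of-scope"

# Constructed inventory: system name -> network segment (VLAN / subnet).
SEGMENTED = {
    "pos-terminal": "cde-vlan",
    "payment-gateway": "cde-vlan",
    "card-db": "cde-vlan",
    "mgmt-jumphost": "mgmt-vlan",
    "hr-server": "corp-vlan",
    "wiki": "corp-vlan",
    "dev-laptop": "corp-vlan",
    "guest-wifi": "guest-vlan",
}
# The same systems with no segmentation at all.
FLAT = {name: "office-lan" for name in SEGMENTED}

# Systems that store, process or transmit cardholder data.
CHD_SYSTEMS = {"pos-terminal", "payment-gateway", "card-db"}

# Allowed flows (constructed firewall rules) as (source, destination).
RULES = [
    ("pos-terminal", "payment-gateway"),
    ("payment-gateway", "card-db"),
    ("mgmt-jumphost", "card-db"),   # administrative access into the CDE
    ("hr-server", "wiki"),
    ("dev-laptop", "wiki"),
]
# The same rules plus an ad-hoc developer path into the card database.
LEAKY_RULES = RULES + [("dev-laptop", "card-db")]

# What the business believes is out of scope.
DECLARED_OUT_OF_SCOPE = {"hr-server", "wiki", "dev-laptop", "guest-wifi"}


def pci_scope(systems, chd_systems, rules):
    """Classify every system in the inventory as CDE, connected-to or out of scope."""
    missing = set(chd_systems) - set(systems)
    if missing:
        raise ValueError(f"CHD systems missing from inventory: {sorted(missing)}")
    cde_segments = {systems[name] for name in chd_systems}
    # Without segmentation, every system sharing a segment with CHD is in the CDE.
    cde = {name for name, segment in systems.items() if segment in cde_segments}
    # Any allowed flow into or out of the CDE pulls the other end into scope;
    # direction does not matter for scoping, only the existence of connectivity.
    connected = set()
    for src, dst in rules:
        if src in cde and dst not in cde:
            connected.add(dst)
        elif dst in cde and src not in cde:
            connected.add(src)
    return {
        name: CDE if name in cde else CONNECTED if name in connected else OUT
        for name in systems
    }


def scope_violations(systems, chd_systems, rules, declared_out_of_scope):
    """Return (system, category, reason) for every system the organisation
    treats as out of scope but which the inventory and rules pull into scope."""
    scope = pci_scope(systems, chd_systems, rules)
    cde = {name for name, category in scope.items() if category == CDE}
    findings = []
    for name in sorted(declared_out_of_scope):
        category = scope.get(name)
        if category == CDE:
            findings.append((name, CDE, f"shares segment {systems[name]!r} with the CDE"))
        elif category == CONNECTED:
            links = [rule for rule in rules if name in rule and set(rule) & cde]
            findings.append((name, CONNECTED, f"allowed flows {links}"))
    return findings


if __name__ == "__main__":
    for label, systems, rules in [
        ("flat network", FLAT, RULES),
        ("segmented network", SEGMENTED, RULES),
        ("segmented network with a leaky rule", SEGMENTED, LEAKY_RULES),
    ]:
        scope = pci_scope(systems, CHD_SYSTEMS, rules)
        in_scope = sorted(n for n, c in scope.items() if c != OUT)
        print(f"{label}: {len(in_scope)} of {len(systems)} systems in scope")
        for finding in scope_violations(systems, CHD_SYSTEMS, rules, DECLARED_OUT_OF_SCOPE):
            print("  scope violation:", *finding)
```

Run as a script it reports that the flat network puts all eight systems in scope, the segmented network brings it down to four (the three CHD systems plus the management jump host), and the single extra rule granting a developer laptop access to the card database drags a system the business had declared out of scope back in. Replace the constructed dictionaries with an export from your asset inventory and firewall configuration to use it on real data.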
3. Train your staff
It's essential to train staff about the importance of information security. Industry surveys regularly attribute a large share of data breaches (one widely quoted figure is 60%) to negligence by employees or business partners. Many employees, although aware that the data is sensitive, are not vigilant enough when handling it.
Training should be specific to each employee's role. PCI DSS Requirement 12.6 only demands awareness training on hire and at least annually, with staff acknowledging the security policy each year, but we regard monthly refreshers as the minimum to keep security requirements front of mind; regular reminders help people retain essential information. Make employees accountable for their part in a security incident, for example through the policy acknowledgement just mentioned. This encourages vigilance and thereby protects your business and customer information.
Security awareness training helps you
- Protect organisational assets by preparing staff to respond to real and potential security threats, and keeping them up to date on new risks as they emerge.
- Boost employee morale by recognising and rewarding employees who show good security behaviour, both during an incident and day to day.
- Save financial and reputational costs by reducing the number of security breaches. The sooner an incident is identified, the less costly it is to remediate.
4. Hire an expert
Consulting a professional, such as a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council, is a good way to ensure that you don't miss any gaps in your controls. Even if you are already compliant, it is good practice to have a QSA support you through updates such as PCI DSS 3.2.
Security professionals undergo rigorous training to master all aspects of PCI DSS and information security, and they have the skill and experience to help you achieve compliance efficiently. For the largest merchants and service providers, the card brands require the annual assessment to be performed by a QSA (or a trained Internal Security Assessor) in any case. QSA merchant services include PCI audits, onsite data security assessments, gap analysis, PCI remediation services and general PCI advice.
Do-it-yourself vs professional advice: the pros and cons.
Do it yourself
- Pro: lower cost (on paper)
- Con: takes staff away from more strategic tasks
Hire an expert
- Pro: covers all key areas and controls
- Pro: third-party validation
- Pro: complete solution in the hands of experienced professionals
- Pro: peace of mind
- Pro: unbiased recommendations free of internal disagreements
- Pro: experience working in companies and industries similar to yours
- Con: higher cost (on paper)
- Con: liability still rests with you, not the QSA
Whether you decide to pursue PCI compliance yourself or to hire an expert, it's important to plan ahead for the retirement of PCI DSS 3.1 and start working towards compliance with PCI DSS 3.2 now.
Contact Stickman for more guidance on the right direction for your organisation – 1800 785 626.