The Payment Card Industry Data Security Standard (PCI DSS) is required by contract for those handling cardholder data, whether you are a startup or a global enterprise.
Your business must be compliant at all times, and your compliance must be validated annually. You must also comply with every one of the PCI CSS controls that applies to you, or, failing that, implement compensating controls that achieve the same intent as the original control.
While PCI DSS compliance is detailed and complex, it’s certainly achievable. And if you do it well, you can achieve compliance without a huge impact on your business.
Here are five tips for becoming and ensuring your business stays PCI DSS compliant:
1. Minimize your scope
The more assets that need to comply with PCI DSS, the more difficult it is to manage them. The first thing you can do to move closer towards PCI DSS compliance is to reduce the scope of compliance to be as small as possible.
The scope for PCI DSS compliance includes the people, process and technologies that store, process or transmit cardholder data. It also includes anything connected to those systems, and any other systems that are relied upon to maintain security and compliance.
To reduce your scope, separate devices that need to be in-scope from those that do not so that they are not ‘connected’. This is called segmentation.
You can do this by installing and maintaining a firewall, configurated to isolate devices handling cardholder data from those that do not.
Compliance becomes much more manageable and less of a burden to your business when you can minimize your scope.
2. Outsource and eliminate as much cardholder data handling as you can
PCI DSS compliance can involve many layers of policies, processes, procedures, and standards — all which are different. Because of the complexity of maintaining your organization’s compliance and documentation, we recommended moving responsibility to third parties whenever possible.
There’s an entire ecosystem of vendors that will take over your card data handling - they have already achieved their compliance and validation. If you can use a service provider to process transactions and simply give you the money, outsource it.
If you don’t need to store it, then don’t.
3. Use point-to-point encryption and tokenization wherever possible
PCI point-to-point encryption standard (P2PE) and PCI token service provider security requirements are additional standards designed to address specific areas of cardholder security that are not addressed directly by the core PCI DSS standard.
Both are additional ways to reduce your scope:
Point-to-Point Encryption
This method works by encryption of payment cardholder data at the point of capture and secure management of the encryption tunnel back to the payment processor. P2PE normally allows a pin pad to be considered isolated, so it doesn’t suck the rest of the infrastructure into scope.
Think of it as a compliance tunnel from the point-of-sale to the bank. By using P2PE-certified solutions, you can take entire network segments out of scope.
Note that the entire end-to-end solution needs to be P2PE certified, it’s not just a type of pin pad. Check on the council’s website for a list of approved solutions. If the solution is not there, even if it supports end to end encryption, it will not be sufficient to automatically reduce scope.
Tokenization
Tokenization replaces primary account numbers (PANs) with an alternative or surrogate value. In this way, your external service provider stores the card data. Every time the merchant needs to make a transaction, you get a token, not a credit card number, making it safe from hackers. Each token is only valid at one merchant - so there is no point in stealing it.
With tokenization, you can retain the ability to charge a card without needing to store card data.
4. Understand that PCI DSS compliance is not an IT issue
Some companies make the mistake of dumping responsibility for PCI DSS compliance onto their Information Technology department. However, IT should not and cannot be the sole owner of this responsibility.
PCI DSS compliance matters involve collaboration across many internal departments, including human resources (HR), business process owners, research and development (R&D), legal, etc.
For instance, HR may take ownership of maintaining the policies, process, procedures and standards around background checks, while R&D, legal, and other departments will have their own security responsibilities to maintain and enforce.
Additionally, PCI DSS compliance requires executive-level sponsorship and leadership to maintain. By uniting your teams and educating them on their role in the PCI DSS equation, you are empowering your business to collaborate on your compliance initiative.
5. If you’re not yet compliant, take a phased approach to becoming compliant
Big changes don’t happen overnight. PCI DSS provides six security milestones for prioritizing compliance efforts. This structured prioritized approach is a pragmatic approach to give your business “quick wins” along the road to compliance, and it’s a clear roadmap you can use to address its risks in order of priority.
Through this phased approach, you will address the following milestones:
- Remove sensitive authentication data and limit data retention.
- Protect systems and networks, and be prepared to respond to a system breach.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
The PCI Security Standards Council details its requirements here, but each item needs to be interpreted in the context of the larger compliance landscape and information from the rest of the council’s publications, FAQs and training.
A trusted specialist can help you tackle each milestone in a set timeline to reach your compliance goals.
Expert Assistance from Start to Finish
There are a number of requirements to achieve PCI DSS compliance. Even with all the resources and help at your fingertips, it can be complex to digest and difficult to execute on.
Our specialists are here to help. Explore our PCI DSS QSA assessment services and achieve and maintain compliance with ease.