Checklist for PCI DSS Implementation & Certification

PCI DSS – Stringent but Exhilarating to Implement (Project PCI DSS Implementation & Certification)

PCI DSS stands for Payment Card Industry Data Security Standard. It is a robust, comprehensive, technology-driven, transparent and explicit standard that enhances the security controls around payment cards and related account data by ensuring the safe handling of cardholder information at every step, thereby reducing payment card fraud arising from its exposure.

PCI certification is mandated for any organization that stores, processes, views or transmits cardholder information. The organization must comply with every applicable requirement of the standard, as determined by its business, scoping and risk assessment outcome, without any deviation; that is what makes this standard reliable and effective.

The standard has 6 control objectives, 12 requirements and 204 sub-requirements. Compliance is validated against them annually by a QSA, based on scope applicability, and the compliance status issued consists of an Attestation of Compliance (AOC) and a Report on Compliance (ROC), supported by a Certification of Compliance (COC) from the QSA.

The key to achieving the compliance report without any hindrance lies in effective business understanding, scoping, risk assessment and pre-assessment (assess), which in turn help to plan the activities seamlessly by aligning requirements with suitable technologies and processes (remediate). This applies to new implementations as well as projects under maintenance.

In spite of having stringent requirements, I found this standard COOL for implementation and maintenance due to its clear directions, which in turn boost security effortlessly by ensuring actual security at all levels (physical security, environmental security, personnel security, fraud control mechanisms, IT & data security, data privacy, managed & monitored business environment), thereby leading to compliance.


Key to Success

  1. Clear business understanding and proper scoping
  2. Dipstick risk assessment and stringent pre-assessment, followed by immediate and effective remediation
  3. Effective alignment of technologies and processes with the requirements
  4. Proper scoping of IT assets, covering the primary and secondary processing sites, including data center sites if you have separate ones
  5. Monitored, need-based privileged access
  6. Treat it as a yearly program with a do-or-die mindset, without pushing activities to next year for improvement
  7. Identifying and engaging a proper QSA, ASV and other service providers with the capability to address your queries and needs in time
  8. Controlled and monitored environment
  9. Effective record maintenance, including agreements and AMCs
  10. Build the sustenance capability


Key Learning: Dos and Don’ts

Dos

  1. Do have an annual, time-bound program based on the assess, remediate, report concept, with proper governance led by a senior, empowered manager who has adequate domain expertise, including sound technical, managerial, strategic, analytical, negotiating and influencing skills
  2. Do build capability among the major stakeholder teams for implementation and sustenance by providing adequate role-based training; these teams mainly include Risk, Security, IT, HR, Facilities, Audit and end users
  3. Do appoint a knowledgeable QSA, or conduct a self-assessment using the applicable version of the SAQ
  4. Do treat the pre-assessment and VA/PT outcomes seriously and remediate them ASAP
  5. Do ensure on-time achievement of all milestones without fail
  6. Do aim at achieving security while implementing or remediating; you will automatically land in compliance
  7. Do ensure proper scope coverage, considering the end-to-end requirements related to governance, business operations, statutory and regulatory requirements, security and compliance operations, IT security and operations, data security and privacy, personnel security and fraud controls, and physical and environmental security.
  8. Do consider the current technology, processes and practices in place and fix any gaps, so as to achieve compliance with ease and in a cost-effective fashion


Don’ts

  1. Do not mistake this for a project or a simple technical implementation; it is a collaborative program
  2. Do not aim to achieve compliance by compromising security; it may lead to major pain
  3. Do not do the self-assessment unless you have a clear understanding of the requirements
  4. Do not opt for a long time frame for implementation or remediation; it may lead to more non-compliance
  5. Do not go for risk acceptance supported by compensating controls except for a truly unavoidable business need
  6. Do not keep VA/PT action items open on the assumption that you have a quarter's time frame. Remediate the outcome of the following ASAP: the four quarterly internal VAs, wireless VA and rogue detection, ASV scans, and the annual internal and external PT.
  7. Do not do a risk assessment for the sake of compliance
  8. Do not adopt a new technology or practice unless required

- With Lopa Mudra Basu, SLK Global, on the Dos and Don'ts of PCI DSS

Are there other aspects or Dos and Don'ts you consider for PCI DSS? Share your views with us in the comments below.
