PCI DSS – Stringent but Exhilarating to Implement (Project PCI DSS Implementation & Certification)
PCI DSS stands for Payment Card Industry Data Security Standard. It is a robust, comprehensive, technology-driven, transparent and explicit standard that enhances the security controls around payment cards and related account data by ensuring the safe handling of cardholder information at every step, thereby reducing payment card fraud arising from its exposure.
PCI certification is mandated for any organization that stores, processes, views or transmits critical cardholder information. The organization must comply with all applicable requirements specified by the PCI standard, as determined by its business, scoping and risk assessment outcome, without any deviation; this is what makes the standard so reliable and effective.
The standard has 6 control objectives, 12 requirements and 204 sub-requirements, against which validation of compliance is performed annually by a QSA based on scope applicability. The compliance status issued includes an Attestation of Compliance (AOC) and a Report on Compliance (ROC), supported by a Certification of Compliance (COC) from the QSA.
The key to achieving compliance (report) without hindrance lies in effective business understanding, scoping, risk assessment and pre-assessment (assess), which in turn help to plan the activities seamlessly by aligning the requirements with suitable technologies and processes (remediate). This applies to new implementations as well as to projects under maintenance.
In spite of its stringent requirements, I found this standard is COOL to implement and maintain because of its clear directions, which boost security effortlessly by ensuring actual security at all levels (physical security, environmental security, personnel security, fraud control mechanisms, IT & data security, data privacy, and a managed & monitored business environment), thereby leading to compliance.
Key to Success
- Clear business understanding and proper scoping
- Dipstick risk assessment & stringent pre-assessment followed by immediate, effective remediation
- Effective alignment of technologies and processes with the requirements
- Proper scoping of IT assets covering the primary and secondary processing sites, including data center sites if you have a separate one
- Monitored, requirement-based privileged access
- Treat it as a yearly program with a do-or-die mindset, without pushing activities to next year for improvement
- Identifying and engaging a proper QSA, ASV and other service providers with the capability to address your queries and needs in time
- A controlled and monitored environment
- Effective record maintenance, including agreements and AMCs
- Build the capability to sustain compliance
Key Learning: Dos and Don’ts
- Do have an annual, time-bound program based on the assess, remediate, report concept, with proper governance led by a senior, empowered manager with adequate domain expertise, including sound technical, managerial, strategic, analytical, negotiating and influencing skills
- Do build capability among the major stakeholder teams for implementation and sustenance by providing adequate role-based training; these teams mainly include Risk, Security, IT, HR, Facility, Audit and end users
- Do appoint a knowledgeable QSA, or conduct a self-assessment using the applicable version of the SAQ
- Do treat the pre-assessment and VA/PT outcomes seriously and remediate them ASAP
- Do ensure on-time achievement of all milestones without fail
- Do aim at achieving security while implementing or remediating; you will automatically land in compliance
- Do ensure proper scope coverage, considering the end-to-end requirements related to governance, business operations, statutory & regulatory requirements, security & compliance operations, IT security & operations, data security & privacy, personnel security & fraud controls, and physical & environmental security
- Do consider the current technology, processes and practices in place, and fix any gaps to achieve compliance with ease and in a cost-effective fashion
- Do not mistake this for a project or a simple technical implementation; it is a collaborative program
- Do not aim to achieve compliance by compromising security; it may lead to major pain
- Do not do the self-assessment unless you have a clear understanding of the requirements
- Do not opt for a long time frame for implementation / remediation; it may lead to more non-compliance
- Do not go for risk acceptance supported by compensating controls except for a truly unavoidable business need
- Do not keep VA/PT action items open just because you have a quarter's time frame. Remediate the outcomes of the following ASAP: the four quarterly internal VAs, wireless VA & rogue detection, ASV scans, and the annual internal & external PT
- Do not do a risk assessment merely for the sake of compliance
- Do not adopt a new technology or practice unless it is required
With Lopa Mudra Basu, SLK Global, on the Dos and Don'ts of PCI DSS.
Are there other aspects or Dos and Don'ts you consider for PCI DSS? Share your views with us in the comments below.