Ok, I agree this can seem a bit like an oversimplification, but it works on many different levels, and to be honest, it is the basis for widely discussed technologies such as encryption and tokenization. Do everything you can to eliminate data. Train your people, create the processes and then look at the appropriate technologies that help you in this effort. In many cases you can replace the data that you currently store or transmit by encrypting or tokenizing it. This will help reduce the scope of your PCI assessment and simplify your compliance efforts.
Think security, not compliance - That’s basically what the first tip is about as well, but this goes further. A Report on Compliance is a piece of paper; a valuable one to many organisations, but perhaps less valuable than the peace of mind that you have when you are prepared for ongoing security.
Name an internal expert - One of the simplest and most effective means of maintaining ongoing compliance is through a dedicated internal resource you have named. Through this, you can have an individual or team that not only helps prepare for a compliance assessment, but also establishes the protocols to monitor and maintain not only ongoing compliance, but also security. Our Internal Security Assessor (ISA) program gives internal champions the same training as QSAs, so they know what to look for and how to keep an organization on track and within the PCI requirements for the entire year.
Implement a risk-based approach - Once you have your internal staff on board, it’s time to set your agenda. Whether you are well into your PCI process, or just beginning, a great reference for you to consult is the PCI Prioritized Approach document. The Prioritized Approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early as possible in their compliance journey. The tool groups the requirements of PCI DSS into six key milestones for merchants to consider in their card data security strategy. This risk-based approach eliminates the biggest vulnerabilities first and allows you to show your assessors, acquiring banks and the card brands how you are progressing along your journey.