How to achieve PCI DSS Compliance

PCI compliance is an ongoing process for any organization. If it is not managed well, today’s compliant status can turn into non-compliance tomorrow. Even though PCI has published a list of requirements, how you implement them is the key to achieving and keeping a compliant status.

There is no one-stop solution that suits every organization. However, a sample strategy for achieving PCI compliance would look something like the following:

  1. Scoping: Identifying the scope is the critical first step in the PCI DSS compliance process. Without a clearly defined scope, the compliance process becomes inefficient.
  2. Defining the CDE: The Cardholder Data Environment is the core of the PCI scope. You need to find out every location where cardholder data is stored, processed or transmitted. If you don’t know where your data is, you cannot protect it.
    1. Running a PAN scan is an effective method of determining which systems store cardholder data. It is time consuming, but still worth doing.
    2. Develop a data flow diagram to determine the potential areas of storage.
  3. Segmentation: Perform network segmentation to minimize the scope.
  4. Protect the Cardholder Data: PCI DSS Standard contains 12 domains detailing the data protection requirements. The key highlights of the PCI DSS Requirements are:
    1. Access Controls
      1. Network Access Management – Firewalls
      2. User Access Management – Systems & Applications
      3. Physical Access Management
    2. Intrusion Detection & Prevention
      1. IPS
      2. WAF
    3. Encryption
      1. Secure cardholder data at rest
      2. Transmission security
    4. Malware Protection
      1. Antivirus / Anti-malware
      2. Patch management
    5. Vulnerability Scans and Penetration Testing
      1. Annual External PT
      2. Annual Internal PT
      3. Quarterly Internal PT
      4. Passing ASV Scans
    6. Logging & Regular Monitoring
      1. Servers
      2. Applications
      3. Network & Security devices
      4. Centralized Log Management
    7. Policies & Procedures
    8. Risk Assessment
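
The PAN scan mentioned under step 2 is the one item on this list that is a concrete technique rather than a programme activity. The following is an added example, not code from the original post, of the core of such a scanner: it looks for 13 to 19 digit runs (optionally separated by spaces or dashes), discards anything that fails the Luhn check so that order numbers and other long identifiers are not reported, labels the hit with a simplified issuer prefix table (an assumption, not an authoritative IIN list), and masks every finding so the scan report does not itself become a new store of cardholder data. The sample CSV export, the `Finding` class and the `scan_text` function are all constructed for this example; the card numbers in it are the well-known published test numbers, not real PANs.

```python
"""Minimal PAN discovery scanner (added example, not a product).

Assumptions: input is text scanned line by line; a candidate PAN is a
13-19 digit run, optionally separated by single spaces or dashes, that
passes the Luhn check. Findings are reported masked (last four digits
only) so the report itself never holds a full PAN.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits with optional single space/dash separators, and not embedded
# in a longer digit run (the lookarounds stop us slicing a 20+ digit id).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefix table. Assumption for illustration only; a real
# scanner would use a maintained IIN/BIN list.
BRAND_RULES = (
    ("Visa", lambda n: n[0] == "4" and len(n) in (13, 16, 19)),
    ("Mastercard", lambda n: len(n) == 16
        and (51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720)),
    ("American Express", lambda n: len(n) == 15 and n[:2] in ("34", "37")),
    ("Discover", lambda n: len(n) == 16
        and (n.startswith("6011") or n[:2] == "65")),
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    for name, rule in BRAND_RULES:
        if rule(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits, as a scan report should."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked_pan: str


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return masked findings for every Luhn-valid PAN candidate in text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue                      # order id, timestamp, typo, ...
            findings.append(Finding(source, line_no,
                                    brand_of(digits) or "unknown", mask(digits)))
    return findings


# Constructed sample: an exported CSV that should never have held card data.
# The card numbers are the publicly documented test numbers, not real PANs.
SAMPLE_EXPORT = """\
order_id,customer,card,note
1001,alice,4111 1111 1111 1111,visa test number
1002,bob,5555-5555-5555-4444,mastercard test number
1003,carol,378282246310005,amex test number
1004,dave,1234567890123456,order reference that merely looks like a PAN
1005,erin,4111111111111112,typo that fails the Luhn check
1006,frank,6011111111111117,discover test number
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT, source="orders_export.csv"):
        print(f"{f.source}:{f.line_no}  {f.brand:<17} {f.masked_pan}")
```

Running the block reports four findings (lines 2, 3, 4 and 7 of the sample) and stays silent on the order reference and the mistyped number, which is the point of the Luhn filter: a scan that fires on every long digit run buries the real hits. In practice the same `scan_text` would be pointed at file shares, database dumps and log directories, and every unexpected hit is a system that was not in the CDE you drew in the data flow diagram.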

The above list gives you the high-level action items for complying with the PCI DSS standard. However, depending on the type of organization, you might not have to implement all of them.

Share your concerns and questions in the comments. I will try to get you a response at the earliest.