It’s not every day that I get to start out a policyIQ blog post with a YouTube video, but the folks at the Payment Card Industry’s Security Standards Council seem to have a sense of humor. (Most people don’t put “security standards” and “sense of humor” in the same zip code, let alone the same sentence!) You really need to check out this video: PCI Data Security Standards Rock. I’ll give you a few minutes.
What are Payment Card Industry Data Security Standards?
The PCI Data Security Standards (PCI DSS) are requirements developed by the PCI Security Standards Council to protect cardholder data. All organizations that process, store or transmit credit cardholder data must comply with the standards, which are enforced by the founding Council members – American Express, JCB International, Discover Financial Services, Visa Inc. and MasterCard Worldwide. There are 12 requirements outlined in the Standards (and in that catchy little video) that fall under six goals:
1.) Build and Maintain a Secure Network
2.) Protect Cardholder Data
3.) Maintain a Vulnerability Management Program
4.) Implement Strong Access Control Measures
5.) Regularly Monitor and Test Networks
6.) Maintain an Information Security Policy
The PCI Security Standards Council recommends a three-step process for compliance with the Standards: 1.) Assess, 2.) Remediate and 3.) Report. In its Quick Reference Guide (a surprisingly interesting and easy read), the Council refers to this recommended approach as “common sense steps that mirror best security practices”. The requirements are well defined: each requirement is broken into “sub-requirements” that can be easily translated into controls, and each comes with the testing procedures used to verify it. All of the documentation is available online at the PCI Security Standards Council website.
Out of all of the compliance programs with which I have worked, the PCI DSS program is, in my opinion, the most well-documented and straightforward. (I’m tempted to comment on the fact that this is not derived from government legislation, but rather from the major credit card companies’ need for cardholder security.)
Don’t manage PCI DSS in a silo – Gain efficiency by merging it with other compliance programs
“Maintain a secure network”, for example, should be a corporate objective regardless of whether you are required to comply with PCI DSS. (The Council did say it was a “common sense” approach, after all.) Some of the same controls that you already have in place for your corporate IT security over financial or operational information will apply to your PCI compliance program. Your organization can save time and money – in the documentation, testing and remediation – by managing your compliance programs in a single system like policyIQ.
You will likely want to create a structure in policyIQ Folders that mirrors the Goals and Requirements of the PCI Standards. Within those folders, you may have both controls that are unique to PCI compliance and controls that already exist in your SOX or IT compliance programs. Rather than documenting the latter a second time, simply pull those existing controls into the additional folder – the same item will appear in two folders, but updates, testing and remediation are done just once. You’ll be able to report on your compliance programs separately (using folder filters in reports) while eliminating any duplicative effort.
As always, our team is here to help.
If you don’t yet have your PCI DSS program in policyIQ, we can help you get started. Because the Standards are very straightforward, we can even add the folders that you’ll need – and potentially the requirements and tests – if you don’t have the resources or time to pull it together. If you need help implementing the requirements or remediating deficiencies, contact us and we’ll put you in touch with a PCI expert in your area who can lend a hand to your internal compliance program.