PCI Requirements - You're Not Done Yet!
Compliance is a day-by-day security process.
|By: Brand Barney|
I think Bob Russo, head of the PCI Security Standards Council said it best.
|Bob Russo, PCI SSC|
How exactly are you supposed to maintain PCI requirements?
- Ensure your security policies are updated. Anytime you change the way you store, process, or transmit cardholder data, update those policies to reflect the changes!
- Train your employees. While training new (and current) staff members, remind them about the rights and wrongs of correct card data handling.
- Update your SAQ if things change. If anything in your card processing environment changes, your SAQ is no longer valid! Update and resubmit your SAQ for best results.
- Run external vulnerability scans. If your business is required to scan for vulnerabilities, make sure scans run at least quarterly and when you make any network changes. (Do you see a pattern yet?)
- Understand where your credit card data is stored. One of the reasons it’s hard to maintain compliance is because businesses accidentally store unencrypted card data.Identify unencrypted card datawith card discovery tools like PANscan®.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.