Learn basic practices to get compliant with the PCI DSS
Read the SecurityMetrics Guide to PCI DSS Compliance.
On October 31, 2016, PCI DSS 3.1 will be retired; organizations are required to use PCI DSS 3.2 and to be compliant with version 3.2 by February 1, 2018. With the recent release of PCI DSS 3.2, many businesses are preparing to update their security and compliance efforts again. Other businesses still aren’t compliant with the previous version of the PCI DSS, which leaves them vulnerable to attackers.
SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know
Whether you’re new to PCI or a veteran, take time to review your past PCI compliance efforts and plan future PCI DSS 3.2 efforts.
Here are five basic practices to help you become PCI compliant.
1. Document everything
Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also helps keep your security efforts organized and legitimate.
Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.
Whenever you make changes in your business’s security, have your employees document the change. It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.
If you document everything throughout your PCI DSS process, you’ll save time and be more secure.
2. Determine your scope
It’s vital for businesses to determine what is ‘in-scope,’ meaning whether a particular person, process, technology, or component stores, processes, or transmits payment card data. If it does, or if it is connected to systems that do, it must be PCI DSS compliant.
- Networking devices
- Computing devices
SEE ALSO: Finding and Reducing PCI Scope: How to Make Compliance Easier
While network segmentation is not required by PCI DSS 3.2, it’s a good idea if you’re looking for the easiest way to reduce the cost, effort, and time of getting compliant.
Network segmentation is done by physically or virtually separating environment systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical gaps.
Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.
Need a penetration test? Talk to us!
4. Spend money and time to train all staff
Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time to properly train their employees in security.
Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.
SEE ALSO: Employee Training in Data Security: What You Should Do
Remember to require policy documentation signatures annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.
Get help with training your employees!
5. Work with a security professional
Security experts and Qualified Security Assessors (QSAs) are resources that don’t get used enough. You should always consult a security professional about any update to the PCI DSS (e.g., PCI DSS 3.2).
QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.
If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.
Need help in getting compliant with PCI DSS 3.2? Let’s see what you need to do.
Get compliant with PCI DSS 3.2
Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating or updating your PCI compliance program, and don’t forget to add the new and revised requirements to your new or existing program.
Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.
SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant