Organizations of all sizes that store, process, or transmit credit card data must comply with PCI DSS (Payment Card Industry Data Security Standards). The PCI standard’s 12 principal requirements can prove challenging for organizations to achieve and maintain, especially those in the highly-regulated financial industry.
An upcoming PCI compliance audit may be cause for concern for many organizations, who are left scrambling to ensure their cybersecurity practices are up to scratch. Security teams can avoid these last-minute efforts with adequate preparation and better management of ongoing compliance efforts.
This article covers how to prepare for a PCI DSS onsite audit and maintain compliance with PCI requirements.
Learn how to comply with PCI DSS 4.0 >
1. Follow the Latest Standard
PCI DSS is constantly evolving to keep up with the dynamic cyber threat landscape. The rise of digital transformation has prompted many significant changes to the standard, which aims to remain “up to date with emerging threats and technologies, and changes in the payment industry.”
Your organization must keep informed on updates to the standard to ensure they remain compliant with the scope of PCI DSS. PCI DSS has recently been updated to version 4, which includes new requirements and revisions of existing standards. If your organization hasn’t aligned its current payment processing and security measures to meet this PCI scope, it faces non-compliance.
The latest version of PCI DSS is version 4 and it's now in effect.
You must review your current information security policies and procedures each time the standard is updated to identify any necessary changes.
Learn the latest PCI DSS requirements and a summary of changes >
2. Complete a Risk Assessment
The only way for an organization to identify its level of risk and manage it accordingly is by performing a risk assessment. Effective risk analysis provides security and compliance teams with detailed insights into the cyber threats and vulnerabilities found in their internal and external assets.
After identifying all threats and vulnerabilities, security teams can prioritize their remediation by the level of risk they pose to the organization. Importantly, you should also prioritize identified risks affecting systems that fall into the scope of the cardholder data environment (CDE).
Learn how to perform a cybersecurity risk assessment >
3. Establish Policies and Procedures
A complete risk assessment gives you a firmer understanding of your organization’s security posture. From here, you can develop policies and procedures that set the foundation of a PCI-compliant security program.
Compliance teams should compare risk analysis results against existing security controls and business processes to ensure they comply with the 12 PCI DSS requirements. They can then document the action needed to align internal processes with compliance requirements for future reference.
Documentation also allows auditors to identify potential security gaps faster and more efficiently. Keeping an ongoing record of any identified risks, changes in procedures, and other relevant information makes it much easier to collate and produce on request.
For PCI DSS, examples of relevant documentation include methods for:
- Encryption
- Data security
- Data management
- Data storage
Learn how to establish an information security policy >
4. Identify Compliance Gaps
Before a PCI DSS audit, the executive team should scrutinize all policies and procedures to identify potential compliance gaps. All key stakeholders should discuss any compliance gaps in depth and establish a remediation plan to resolve each issue before the audit.
Learn how to choose a PCI DSS 4.0 compliance product >
While a gap analysis effectively identifies high-level compliance issues, it may not cover more granular risks, which are equally important. If budget allows, contract a Qualified Security Assessor (QSA) to review your risk analysis and documentation to identify any other gaps that may have been overlooked. The QSA can also verify the accuracy of all reporting and help create a revised remediation plan to ensure you take action pre-audit.
Learn best practices for compliance monitoring >
5. Create Network Diagrams
Credit card data flowcharts and a CDE network topology visualize how sensitive data moves in and out of your organization. They also allow you to quickly identify potential security gaps to ensure that systems that store, process, or transmit card data are properly secured and operate independently of other network systems.
Many companies have flat networks protected by a firewall. All entities within flat networks are interconnected, meaning each component is within the scope of PCI DSS requirements. Creating detailed diagrams for flat networks is particularly crucial, as securing card data is a more complicated process.
Diagrams must show how cardholder data passes through your network and systems as it transits across the network. You will need multiple diagrams if data passes through more than one stream, e.g., e-commerce payments system and physical card transactions.
Asking the following questions will help you better understand your network security and check if it’s depicted accurately in your data flow diagram:
- How is your network designed?
- Does your card processing environment (CDE) have an edge firewall?
- Are you using network segmentation?
- Does your environment contain a multi-interface firewall?
- Do you have more than one firewall?
Learn how to map your digital footpring >
Once you’ve answered these questions, you can make any necessary adjustments to the network.
6. Provide Employee Education and Training
Education and training are essential to ensure all employees follow policies and procedures correctly. Employees in the relevant departments should gain certifications from courses that help them to set, monitor, and maintain security controls.
Basic cybersecurity training is essential for all staff to ensure they know of common attack vectors that could lead to serious data breaches. Examples of training topics include:
- How to spot phishing attacks
- Setting strong passwords
- How to recognize social engineering attempts
- Implementing two-factor authentication (2FA) or multi-factor authentication
7. Maintain Compliance Standards
Achieving PCI DSS compliance doesn’t stop once an organization is ready for an audit. Your organization must maintain ongoing revision and review to ensure it remains compliant all year round.
Below are five ways you can uphold ongoing PCI DSS compliance:
1. Hold Periodic Stakeholder Meetings
2. Conduct Regular Infrastructure Testing
3. Assess Third-Party Compliance
4. Nominate a Compliance Leader
5. Make Compliance Everybody’s Business
Learn how IT compliance and auditing work together >
1. Hold Periodic Stakeholder Meetings
Once your organization is ready for the PCI DSS assessment, it’s time to focus on maintenance strategies. Hold scheduled stakeholder meetings and internal audits to ensure any compliance issues are resolved before they escalate into a serious security incident, such as a cyber attack. Regular meetings also ensure policies and procedures are up to date with the latest Common Vulnerabilities and Exposures (CVE) list, requiring less revision at audit time.
Learn how to manage compliance effectively >
2. Test Your Infrastructure Regularly
Security teams must scan the Cardholder Data Environment (CDE) for emerging threats and vulnerabilities. Regular scanning is not only best practice a cybersecurity best practice but also a PCI DSS requirement.
To achieve and maintain PCI DSS compliance, your organization must conduct the following infrastructure tests:
- Web application testing: Conducted annually as per PCI DSS Requirement 6.6.
- Vulnerability scanning: Conducted quarterly by an approved scanning vendor (ASV) as per PCI DSS Requirement 11.2.
- Penetration testing: Conducted annually as per PCI DSS Requirement 11.3.
Download a full copy of the PCI DSS requirements >
3. Assess Third-Party Providers For Compliance
The scope of PCI DSS extends beyond your internal Cardholder Data Environment (CDE). Any third-party service providers who deal with your customers’ card data must also comply with the standard. If a vendor is non-compliant, your organization is also non-compliant and risks suffering a data breach and costly fines.
You must practice due diligence and regularly assess your vendors for PCI DSS compliance to remediate any security issues before they escalate. You likely have hundreds or thousands of vendors requiring assessment, which can complicate and delay the security questionnaire process.
An automated vendor risk management solution, like UpGuard Vendor Risk, can help you monitor and manage third-party PCI DSS compliance. Vendor Risk offers a PCI DSS questionnaire template and automated workflows, streamlining the risk assessment process to drive faster remediation.
Learn more about the third-party requirements of PCI DSS >
Watch this video to learn about UpGuard's compliance reporting features.
Learn more about UpGuard Vendor Risk >
4. Nominate a Compliance Leader
PCI DSS compliance requires rigorous process management and a great deal of time and resources. Your organization should nominate a compliance leader to ‘own’ PCI DSS compliance, from completing the Self-Assessment Questionnaire (SAQ) to the audit process.
Having an assigned leader also ensures someone is readily available to liaise with QSAs and internal stakeholders at any given time, with full knowledge of the current policies and procedures in place.
5. Make Compliance Everybody’s Business
Your organization must know exactly where customers’ credit card information is stored, processed, and transmitted to create accurate data flow charts, as per Requirement 1.2.4. This data likely is likely found across several departments to some extent. Therefore, all employees must be aware of the PCI requirements relevant to their role.
Examples of lesser-known credit card data storage areas in organizations include:
- Market research databases
- Error logs
- Printed sales records
- Administrative spreadsheets
This checklist will help you track your PCI DSS compliance efforts. For evalulating PCI DSS compliance with your third-party, use this free template.
