Article: PCI Compliance


Making PCI Compliance Easier

Top 10 things you can do to make PCI compliance easier.

As a QSA company working with many merchants and service providers, we see the same themes emerge as our clients strive to achieve PCI compliance.


Establish your CDE (cardholder data environment). PCI DSS is about the storage, processing and transmission of payment card data, and the CDE is the set of systems that do any of these, together with the systems connected to them. Any system that does not need to be part of the CDE should be segmented from it, so that it falls outside the scope of the assessment.

Look for opportunities to reduce the size of your CDE. For example, if you use a third-party e-commerce payment provider that captures the card details on its own pages, it is possible that no card data needs to be stored, processed or transmitted by your own e-commerce system. Also, standalone payment terminals supplied by your bank that are not otherwise connected to your network can keep the rest of that network out of scope for PCI compliance.

Remove all stored cardholder data that is not required. Be brutal, and reduce your CDE even further. Remember that after authorisation you are not permitted to retain data from the magnetic stripe (track data), any PIN data, or the card verification code (CVV2/CVC2), even in logs, backups or debugging output.
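Finding the data you are not allowed to keep is the practical first step of this item. The following is an added example, not code from the original article or from Ambersail: a small scanner that runs over constructed sample lines (a stand-in for an application log or database export; the only card number used is the well-known Luhn-valid test PAN 4111111111111111) and reports Luhn-valid PANs, track 1 and track 2 data, with each hit masked to first six and last four digits. The regular expressions are simplified assumptions about how such data appears in text, not a complete specification of the track formats.

```python
import re

# Constructed sample lines standing in for a log or database export.
# 4111111111111111 is a well-known Luhn-valid test PAN, not a real card.
SAMPLE_LINES = [
    "2012-03-01 order=1001 customer=alice pan=4111111111111111 exp=1214",
    "2012-03-01 order=1002 pan=4111-1111-1111-1112 status=declined",  # fails Luhn
    "2012-03-02 swipe=%B4111111111111111^DOE/JOHN^14121011000012300000?",  # track 1
    "2012-03-02 swipe=;4111111111111111=14121011000012300000?",  # track 2
    "2012-03-03 order=1003 ref=20120303000123457 total=1999",  # 17-digit ref, not a PAN
    "2012-03-03 order=1004 token=tok_8f3a9c status=ok",
]

# 13-19 digits, optionally separated by spaces or hyphens, not adjacent to
# further digits. Lookarounds rather than \b so a PAN glued to "%B" still hits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified track 1: %B<PAN>^<name>^<expiry, service code, discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^\^?]{2,26}\^\d{7,}\?")
# Simplified track 2: ;<PAN>=<expiry, service code, discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(lines):
    """Return (line_number, kind, masked_pan) for every PAN or track-data hit.

    Track data is reported separately from the PAN it contains, because
    storing track data after authorisation is forbidden outright, whereas a
    stored PAN is merely something to justify (and protect) or remove.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append((n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append((n, "track2", mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):  # drops order refs and other long numbers
                findings.append((n, "pan", mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for line_no, kind, masked in find_cardholder_data(SAMPLE_LINES):
        print(f"line {line_no}: {kind} {masked}")
```

The Luhn check is what keeps a 17-digit order reference (line 5) out of the report while a hyphen-separated PAN (line 2) is still examined; a number that is Luhn-valid by coincidence would still be reported, so treat the output as a list of candidates to verify, not as proof. On a real estate you would point this at log directories, database dumps and backups, since those are where "deleted" card data usually survives.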

Remember that encrypted card data is still card data. Merchants often attest that requirements are "not applicable because the data is encrypted". Usually this is not true: the systems that store the encrypted data, and any system that holds the keys or can decrypt it, remain in scope.

Be honest and realistic when submitting compliance updates. We often see implementation dates that are either wildly optimistic or so far in the future as to be meaningless. If we are seeing this trend, remember that your bank is too.

Establish a working relationship with your bank. Its compliance team will be happy to explain in more detail exactly how it wants you to validate PCI compliance. Maintain the relationship with your bank, and respond promptly to its communications.

Don't measure your progress against your peers. Whether or not they have been penalised for non-compliance is no indication that you will be assessed in the same way.

Don't be browbeaten by a product vendor who promises full compliance simply by installing a product. No such product exists: a product can help with individual requirements, but compliance is a property of your whole environment and its processes.

Understand the market for independent PCI compliance assistance. Independent advice is available, and you have a choice. Your bank can provide you with a list of companies with expertise in PCI compliance.

Remember that you comply with PCI DSS only when you have implemented all applicable requirements and have attested to this. You don't comply simply because you have filled in the self-assessment form, or because you have completed a network scan.

 

Additional Information

  • We are an experienced QSA and have been performing PCI audits for many years.
  • Communication is very important, and we offer advice that often saves organisations time and money.
  • We are completely independent and have no allegiance with product vendors. Our neutral stance allows us to make unbiased product selections for clients.
  • If required, we can independently liaise with your Acquirer to ensure you correctly interpret Acquirer requests.


© 2012 Ambersail Ltd