Ask the Expert

How to meet the PCI DSS compliance deadline on an IT security budget

We're a medium-sized organization, working slowly toward PCI compliance. We'd like to be able to meet the September deadline, but, at this point, it seems the costs to do so are more prohibitive than anything else. What are your tips for the most practical ways to cut down on the costs of PCI DSS compliance?


There are two main considerations when implementing accelerated compliance programs: cutting costs and cutting time to accreditation (which ultimately also cuts costs). The key is to be able to quickly identify your current security and compliance posture in relation to the PCI DSS compliance deadline. To do so, start by documenting your cardholder data (CHD) environment. Remember that PCI DSS requires that CHD be protected, wherever it is in the environment, i.e. any system component which is or may be used to store, transmit or process CHD. One way to confirm the scope of a CHD environment is to map the data flow by fully documenting the steps of the transaction process and all of the network components the data encounters, thus demonstrating organisational control of the CHD's location.

The next step is to create a PCI DSS team, comprised of both technical and non-technical personnel. The technical members can start by running approved scanning vendor (ASV) scans on IPs, and benchmarking security settings and deployed security products against PCI DSS. In parallel, the compliance team can prepare a gap analysis, showing which procedures and policies are in place and which are not. Most organizations do have basic security policies, but those policies may not meet PCI DSS requirements. When performing pre-assessments, I find that most organizations don't have incident response plans, contracts managing third-party access to systems or any software development lifecycle (SDLC) documentation. Such things take time to prepare and need to be done as early in the process as possible.

Putting together the results of the scans and the technical benchmarking, along with the results of the procedural gap analysis, will allow the team to create a remediation map showing which tasks can be assigned to the relevant people and addressed simultaneously. It is recommended that the team work together and have regular progress meetings. PCI DSS requires 200+ controls, so, in order to ensure that you can achieve PCI DSS compliance as easily as possible, and stay within your IT security budget, here are a few tips:

  1. Can you simplify the way you accept credit card payments? Supplementing the process using tokenization technology can reduce the scope. Doing so will involve an upfront cost, but that will pay for itself in the mid- to long-term as it drives compliance costs down.

  2. Can you maximize previous security efforts and investments? You may not need to purchase an IDS; check to see if it's possible to add an IDS license to an existing IDS-ready product, such as a firewall.

  3. Can you incorporate credit card handling training into the existing staff induction course, thus making compliance with Requirement 12.6 a quick win?
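As an added illustration of the data-flow mapping step and of tip 1 (this is example code, not part of the original answer), the following Python models a constructed transaction flow, derives which components are in the cardholder data environment, and shows which ones drop out of scope once the PAN is tokenized at the point of capture; all component names, hops and the "persists data" attribute are assumptions.

```python
# Added example, not from the original article: a constructed model of the
# transaction data flow described above, used to derive which components are
# in PCI DSS scope (they store, process or transmit cardholder data) and to
# show how tokenizing at the point of capture shrinks that scope.

# A hop is (source, destination, data class): "PAN" is the primary account
# number, i.e. CHD; "TOKEN" is the surrogate a token service issues for it.
FLOW_UNTOKENIZED = [
    ("web-checkout", "order-api", "PAN"),
    ("order-api", "payment-gateway", "PAN"),
    ("order-api", "order-db", "PAN"),
    ("order-db", "reporting-server", "PAN"),
]
# Same business process after tip 1: the PAN goes straight to a token
# service and every downstream system only ever handles the token.
FLOW_TOKENIZED = [
    ("web-checkout", "token-service", "PAN"),
    ("token-service", "payment-gateway", "PAN"),
    ("token-service", "order-api", "TOKEN"),
    ("order-api", "order-db", "TOKEN"),
    ("order-db", "reporting-server", "TOKEN"),
]
# Components that persist whatever they receive (constructed attribute).
PERSISTS_DATA = {"order-db", "reporting-server"}

def chd_scope(flow):
    """Both endpoints of every hop carrying the PAN are in the CHD environment."""
    in_scope = set()
    for src, dst, data in flow:
        if data == "PAN":
            in_scope.update((src, dst))
    return in_scope

def pan_at_rest(flow):
    """Components that receive the PAN and persist it: the storage locations
    a remediation map has to address first."""
    return {dst for _, dst, data in flow if data == "PAN" and dst in PERSISTS_DATA}

def descoped_by_tokenization(before, after):
    """Components that leave the CHD environment once tokenization is added."""
    return chd_scope(before) - chd_scope(after)

if __name__ == "__main__":
    for name, flow in (("untokenized", FLOW_UNTOKENIZED), ("tokenized", FLOW_TOKENIZED)):
        print(name, "in scope:", sorted(chd_scope(flow)), "PAN at rest:", sorted(pan_at_rest(flow)))
    print("descoped:", sorted(descoped_by_tokenization(FLOW_UNTOKENIZED, FLOW_TOKENIZED)))
```

Running it lists five components in scope before tokenization and three after, with the order API, order database and reporting server no longer handling the PAN at all.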

Also, make sure that the project is managed carefully and progress reports are shared with executives, as they are vital to funding the project and driving it across the finish line. Ideally, consider using security compliance management software with an automated PCI DSS compliance process. Such applications allow you to keep track of all controls, assign tasks to relevant team members and ensure deadlines are met. They are also capable of assigning a monetary value to each control by showing the number of internal and third-party man-hours and the capital expenditure required for each control, thus managing the overall PCI DSS cost of compliance and time to accreditation.

In any event, PCI DSS is not rocket science and the initial benchmarking effort should highlight the investments that your organisation has already made in security technology and associated procedures.

This was first published in August 2010
