kras99 - stock.adobe.com
10 PCI DSS best practices to weigh as new standard rolls out
PCI's Security Standards Council revamped the requirements governing how organizations store payment card information. Companies need to act fast to ensure they are in compliance.
With the rollout of PCI DSS v4.0, organizations that use payment cards of all kinds will need to ensure their systems and security measures are compliant with the new standard as it becomes the norm and older versions are retired.
Let's take a look at some PCI DSS best practices companies should put into place to prepare for the new standard.
1. Obtain v4.0 and study it carefully
Secure a copy of the most recent version from the PCI Security Standards Council (SSC), and review it carefully. Pay particular attention to the 12 principal requirements that underpin PCI's Data Security Standard: They have been updated. Determine the changes and how they affect your organization's existing card security policies and procedures. The SSC has an extensive library of documents to assist with v4.0 remediation.
2. Complete a self-assessment DSS questionnaire as a gap analysis
The PCI SSC offers self-assessment questionnaires (SAQs) that can help your company establish benchmarks when implementing the initial stages of a remediation project. A gap analysis measures the company's current data security environment and determines where the project should begin.
3. Consider using PCI DSS compliance advisory services and tools
Many vendors provide a range of advisory services and specialized software to assist organizations preparing for v4.0 remediation. Services available include examining where revisions to security elements must be made; conducting forensic investigations; implementing device scanning and penetration testing; conducting security performance data discovery, end-user training and consulting; and preparing for security audits to verify compliance.
4. Establish a project team to complete v4.0 compliance
Once senior management approval and funding have been obtained, launch a PCI DSS compliance remediation team to prepare a project plan and begin activities to complete the remediation and validate compliance. Ensure senior leaders are regularly informed of project status.
5. Compare current practices with v4.0 requirements
Assuming the number of credit cards your organization processes annually hasn't changed, map current DSS-compliant practices against v4.0 requirements, and identify where changes need to be made. Examine current security policy documents and operational procedures as part of this activity. For example, identify changes to security systems and software, additional rules for firewalls and intrusion detection and prevention systems, and malware software updates.
6. Perform the remediation process
During the remediation process, examine and analyze the current DSS status, identify where changes must be made and define steps to remediate the changes. Secure the necessary technology, and implement the changes -- for example, revising firewall rules, hardening the network perimeter and updating security software, including malware identification, phishing, viruses and ransomware prevention.
7. Conduct an assessment of the remediation
Once remediation is complete, test and assess the changes to ensure they comply with v4.0. Update technology as needed, and document those changes. The SAQs mentioned earlier can be used for this activity, and additional assessment tools can be sourced from the PCI SSC. It may be useful to use an outside consultant to review the completed remediation.
8. Gather remediation evidence for future audits
Carefully document all relevant actions -- including remediation steps, as well as updates to policies and procedures -- for future audit review. If previous audit reports are available, use the report format to help gather the relevant evidence in advance of any audits.
9. Complete the remediation and ensure systems are performing properly
Once the remediation has been completed, tested and validated, update all relevant documentation. Schedule and conduct employee training to acquaint users with procedures that may have changed as a result of the remediation.
10. Declare compliance or have a third party confirm compliance
The PCI SSC doesn't formally certify that companies are in compliance with its standards, but organizations have two ways to demonstrate conformance. First, they can self-declare through an attestation of compliance after completing an appropriate PCI SSC questionnaire. Second, they can hire a qualified and experienced consultant that can confirm that the organization in question has complied with the new SSC standards.
These are just a few of the high-level PCI DSS best practices organizations need to follow to comply with v4.0. Launching a v4.0 remediation program is essential, especially as existing DSS levels are retiring in 2023.