Understanding the PCI DSS prioritized approach to compliance

You can take a phased approach to achieving PCI DSS compliance, but expert Mike Chapple says you aren't compliant until you meet all its requirements.

I read recently that a PCI DSS official recommended a "risk-based approach" to PCI that allows for partial compliance by meeting the compliance obligations in stages. Is there such a thing, and is it a practical way to achieve PCI compliance?

The short answer to your question is no. There is no way to achieve PCI DSS compliance other than to achieve 100% compliance with the portions of the standard that are relevant to your organization. When it comes to PCI DSS compliance, there are no "shades of gray." You are either compliant or noncompliant.

My guess is the PCI DSS official you read about was referring to the Prioritized Approach to PCI DSS Compliance. This guide is meant to provide organizations with a risk-based approach to becoming compliant by having them address the most important items first, thereby reducing the likelihood of a breach. This approach has six milestones:

  1. Remove sensitive authentication data and limit data retention.
  2. Protect the perimeter, internal and wireless networks.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

The "catch" is milestone six, which basically says, "Do everything else you need to do to become compliant." To be clear, while this approach allows you to meet specific requirements in stages, it does not mean you are compliant during the process. Your organization is subject to fines and other noncompliance sanctions until you are fully compliant. The PCI DSS Prioritized Approach document sums this up well with a disclaimer reading, in part, "To achieve PCI DSS compliance, an organization must meet all PCI DSS requirements, regardless of the order in which they are satisfied or whether the organization seeking compliance follows the PCI DSS Prioritized Approach."

This was first published in September 2013