Checklist for meeting the PCI Data Security Standard

Meeting the PCI Standard

Read the PCI Standard in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements.

Create an action plan for on-going compliance and assessment. Once the gaps are identified, companies must determine the steps needed to close the gaps and protect cardholder data. It could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data.

Implement, monitor and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities must complete annual self-assessments using the PCI Self Assessment Questionnaire.

Call in outside experts as needed. Visa has published a Qualified Security Assessor List of companies that can conduct on-site CISP compliance audits for Level 1 Merchants, and Level 1 and 2 Service Providers. MasterCard has a Compliant Security Vendor List of SDP-approved scanning vendors.

About the author Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Compliance recycling: Combining compliance efforts to manage PCI DSS Web 2.0 and e-discovery: Risks and countermeasures Learn from NIST: Best practices in security program management Best practices for application-level firewall selection and deployment The 'security standards dilemma': Network segmentation and PCI Compliance Penetration testing: Helping your compliance efforts Worst practices: Recognizing the biggest compliance mistakes E-discovery management: How IT should interact with the legal team E-discovery management: How IT should interact with the legal team Incident response success in five quick steps Data Privacy Architect Security and Compliance Programs to Be Complementary Information security book excerpts and reviews Credit card thieves target small merchants, flawed POS systems, study finds RSA attendees see data classification, rights management projects stumble Next version of PCI DSS due in September Hannaford breach illustrates dangerous compliance mentality Data loss prevention (DLP) tools: The new way to prevent identity theft? How would you define the responsibilities of a data custodian in a bank? FISA bill would prevent exposure of details of warrantless wiretapping TJX offers $40.9 million breach settlement Data Privacy Research PCI Data Security Standard Hashing for fun and profit: Demystifying encryption for PCI DSS PCI Data Security Standard: Swiping back PCI Data Security Standard: 12-step program for compliance PCI Data Security Standard: How to survive an audit Data Protection, Encryption and the Payment Card Industry Data Security Standards (PCI DSS) Meeting the PCI Data Security Standard requirements mitigates threats RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cypherpunk  (SearchSecurity.com) P3P  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.