Tips & Tricks
Back to School - The Basics of Managing the PCI Compliance Process
#1 = Who owns this thing? Designate the right person at your business to "own" the self-assessment process. Realize that PCI is not just a technical standard, and requires inputs from all areas of your business.
#2 - How big is it? Otherwise known as "Scope Identification," it's important to know which pieces of your system touch card data, and how all systems are connected even if they have nothing to do with card transactions.
#3 - Can I make it smaller? Once the scope has been identified, take precautions to limit the systems that touch cardholder data, and to segment or remove the connections between systems. This step involves using technology to segment and protect your network. For example, a managed firewall can protect your network from Internet threats, or segment pieces within a single network. This step will help reduce the number of security controls you need to have in place, and simplify your compliance process.
#4 -Does anyone like pigeons? Bird lovers aside, the answer to this question is usually "No." The rule of thumb here is not to pigeon-hole the PCI standard as just a technical standard - as it's a technology and people, processes, and procedures. Many businesses get stuck when forced to look at business processes - when often this is the core of security and compliance. (Link to SAE infographic)
#5 - Rinse and Repeat. PCI is not a one-time event. Security takes diligence and ongoing monitoring to make sure that the right controls are in place. Managed Security Services can help remove the burden of this ongoing monitoring - so you can stay focused on running your business while your security controls are cared for.