As introduced in our newsletter #8 - DSS in a nutshell, organizations subject to the standard are required to implement more than 200 requirements. With this in mind, achieving compliance can be a painful, long and costly exercise, so it is legitimate to wonder how to approach it. In response, the PCI Council shared their view on the best way to tackle compliance, which they code-named the “Prioritized Approach”.
What is it?
A tool to help and guide organizations in establishing a roadmap for compliance and in demonstrating progress to key stakeholders.
Who is it for?
The prioritized approach is suitable for merchants who undergo an on-site assessment or use self-assessment type D (see newsletter #5).
How does it work?
Any roadmap is composed of milestones. The prioritized approach suggests dividing a compliance project into six phases, each targeting a specific group of security controls laid out in the standard:
1: Remove sensitive authentication data and limit data retention.
Scope reduction (see newsletter #9 – Scoping definition), data retention and disposal, destruction of unnecessary data.
2: Protect the perimeter, internal, and wireless networks.
Traffic control, firewall, routers, DMZ, logical and physical access control, line encryption, IDS, internal and external scanning, penetration testing.
3: Secure payment card applications.
Hardening, standard configuration, patching, secure coding practices and procedures, Web scanning, application firewall.
4: Monitor and control access to your systems.
Access management, user identification and authentication, user activity monitoring and audit trail, wireless access point (WAP) monitoring, file integrity monitoring, incident response.
5: Protect stored cardholder data.
Data encryption and masking, key protection and management, backup media handling, visitor handling.
6: Finalize remaining compliance efforts, and ensure all controls are in place.
Policies, procedures and standards not covered above.
The tool itself is a spreadsheet listing all DSS requirements together with their associated milestone. Several columns, such as compliance status, stage of implementation and estimated date of completion, plus two graphs, help track progress toward compliance.
Based on your experience, how do you rate the usefulness of this prioritized approach? Let us know in the comments section.