We know, we know: The ins and outs of the Payment Card Industry Data Security Standard (PCI DSS) don't typically make for exciting reading. But learn the PCI DSS you must, if you're any kind of organization that handles credit card information, from a point-of-sale merchant to a service provider. There are a wide range of organizations that must be compliant with the PCI DSS, if only to keep auditors and hefty fines at bay, to say nothing of securing sensitive data. But for most security professionals, the phrase "PCI DSS compliance" is about as exciting as a cup of warm milk and fuzzy slippers. And the prospect of reading a dusty tome all about PCI compliance—we can hear the snoring already.
Fear not. Few people enjoy reading piles of documentation on PCI DSS, important as it is—that's why the pros have done a bit of the work for you. Below are a few handy tips from Didier Godart, Risk Product Manager at Rapid7, who previously contributed to the original PCI DSS while at MasterCard. While this list below isn't a complete tl;dr version of the PCI DSS, we hope they'll help make PCI DSS compliance just a little less snooze-worthy.
- QSA, ASV, WTF?: Data security regulations can be an alphabet soup of acronyms, and the terms specific to the payment card industry pile on another layer of complexity. Keep in mind that most of these acronyms—Qualified Security Assessors (QSA), Approved Scanning Vendors (ASV)—play key roles in determining if your organization is PCI DSS compliant, and as such, they must be qualified and approved by the PCI Council. So when you start looking for a QSA or ASV, make sure they are PCI Council-approved. (In many cases, you may already be working with a partner or vendor that has these qualifications.)
- Put time into validation now, save time later: PCI DSS is a hefty security standard to be sure. Thankfully there are a number of tools and guidelines built in to the guidelines to help you answer the simple question “Am I PCI DSS compliant?” and figure out where your compliance gaps are—before your formal audit. It's a worthwhile exercise to make use of the PCI DSS's built-in compliance validation toolbox, which can save you a lot of time down the road.
- Scope really, really matters: Nobody wants to do more compliance-related work than they absolutely have to, which is why Godart strongly recommends that organizations take the time to define their PCI assessment's scope to minimize the impact on organizational resources. This is not an easy task, but Godart maintains that it's extremely worthwhile: By taking the time to look at your potential PCI assessment scope, you can find areas to reduce its impact. For example, take a look at where your organization stores cardholder data and see if that can be reduced or even eliminated. Segregating the environment that interfaces with cardholder data can also be an easy way to drastically reduce a PCI assessment's scope—and that's time and money saved.
- What's the point? Instead of thinking of PCI DSS as just another box to check in a laundry list of security considerations, Godart puts these regulations into a broader context – not just how you can become compliant, but why certain components of these standards exist in the first place. You might be thinking “Who cares? I just want to be compliant and get this over with.” But by understanding the true intent of PCI regulations, you can find areas of efficiency that already exist in your security programs, potentially saving you from doing unnecessary prepwork.
If you found these tips handy, there's plenty more where these came from: Download our new eBook: “Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS Compliance,” authored by Didier Godart. As an expert on the PCI DSS, Godart has done all the heavy lifting—in this eBook, he breaks down the core terms and concepts of PCI DSS in simple terms and clearly explains what you need to know to be PCI DSS compliant.
It's brief, it's easy to understand, and of course, it's free.