How to Ensure PCI DSS Compliance

By John Linkous  |  Posted 2009-08-05

So, what are the things that an organization must do to ensure PCI DSS compliance? Although an organization's needs will vary depending on its size, the types of applications and systems it uses, and the number of card transactions it processes, there are some universal requirements for organizations that need to comply with PCI DSS:

Requirement No. 1: Build a security program

The PCI DSS standard is not designed to be addressed as a series of "checkboxes." Instead, PCI DSS really lays the framework for an information security program that includes governance, risk management, and both processes and controls.

While many organizations today approach PCI DSS with a checkbox mentality (and many security product vendors are eager to sell their products as "PCI-in-a-box"), the reality is that doing PCI DSS the right way means establishing a security program, not just deploying PCI-related technologies.

Requirement No. 2: Implement both processes and controls

Complying with the PCI DSS standard requires organizations to implement both processes and controls around their use of cardholder data. This includes making sure that the methods they use to receive, process and transmit that data are secure. Processes are repeatable patterns of activity that ensure security; for example, ensuring that every visitor to a facility housing systems that store, process or transmit cardholder data is signed in, identified and tracked for the duration of the visit.

Controls are generally things that can be implemented (often using technology) to ensure the security of cardholder data; for example, establishing minimum password length and complexity requirements. Both processes and controls need to be implemented to comply with PCI DSS; compliance cannot be achieved by simply "throwing technology against the wall to see what sticks."

Requirement No. 3: Know your assets

The PCI DSS standard applies to any system that stores, processes or transmits cardholder data, and to the systems connected to those systems. This is an important distinction because, in many environments, the systems that actually handle cardholder data are relatively few compared to the overall technology infrastructure.

Consequently, these organizations only have to implement the PCI DSS standard on the infrastructure and systems that actually store, process or transmit cardholder data, together with anything connected to them. By properly segmenting the PCI DSS-affected infrastructure and systems from the rest of the network, organizations can more easily ensure compliance by limiting PCI DSS-specific controls and processes to that environment. Segmentation only reduces scope if it is actually enforced (firewall rules, separate VLANs, restricted access) and verified, and it depends on first knowing where cardholder data really lives, which is often more places than the organization expects.
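One concrete way to start "knowing your assets" is a cardholder data discovery scan: search each system's files, logs and database exports for strings that look like primary account numbers (PANs), keep only those that pass the Luhn mod-10 check that card numbers satisfy, and treat any system with a hit as in scope. The script below is an added example written for this page; it is not code from the original article or from eIQnetworks. The host names and log lines are constructed, and the candidate pattern only covers unbroken 13 to 19 digit runs plus the two common grouped layouts (4-4-4-4 and the 4-6-5 layout used by American Express); a production discovery tool handles more layouts and more file types. The report masks every hit to the first six and last four digits so the scan itself does not become another place where full PANs are stored.

```python
import re
from typing import Dict, List

# Candidate PAN: an unbroken run of 13-19 digits, or digits grouped
# 4-4-4-4 or 4-6-5 with a single space or dash between groups. The
# lookarounds stop a longer digit run from being matched in pieces.
CANDIDATE_RE = re.compile(
    r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the unformatted PANs in text that pass the Luhn check."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def in_scope_hosts(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each host that holds cardholder data to its masked PAN hits."""
    report: Dict[str, List[str]] = {}
    for host, lines in records.items():
        hits = [mask_pan(p) for line in lines for p in find_pans(line)]
        if hits:
            report[host] = hits
    return report


# Constructed sample data: hypothetical hosts and log lines. The card
# numbers are the well-known Visa and American Express test numbers.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "pos-terminal-01": [
        "2009-08-05 10:12:03 sale amount=42.17 pan=4111-1111-1111-1111 auth=OK",
    ],
    "web-frontend": [
        # 13-digit catalog ID: matches the pattern but fails Luhn, so it is ignored
        "GET /catalog/item/1234567890123 HTTP/1.1",
    ],
    "hr-fileserver": [
        "employee=jdoe phone=555-0100 badge=20080912",
    ],
    "batch-settlement": [
        "settlement record 378282246310005 amount=12.00 USD",
    ],
}

if __name__ == "__main__":
    for host, hits in in_scope_hosts(SAMPLE_RECORDS).items():
        print(f"{host}: IN SCOPE ({', '.join(hits)})")
```

Run against the sample data, only pos-terminal-01 and batch-settlement are reported; the catalog ID on web-frontend is rejected by the Luhn check and the HR record contains nothing long enough to be a PAN. A real scan would walk file systems and database dumps rather than an in-memory dictionary, but the scoping decision it feeds is the same.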

Requirement No. 4: Ensure that business partner agreements are in place

Almost every payment card transaction requires exchanging cardholder data with a third party: consumers provide card information to merchants, merchants send cardholder data to payment processors using equipment installed and managed by their service providers, and payment processors query financial institutions as to the legitimacy of card numbers and availability of funds.

This kind of sharing of highly sensitive data requires that strong, well-defined business partner agreements exist between each of these groups, including written acknowledgement that these third parties are responsible for the security of the cardholder data they handle and that they comply with the PCI DSS standard. The standard itself (Requirement 12.8) expects an organization to keep a list of its service providers and to monitor their compliance status, so an agreement on paper is the starting point, not the end, of managing that risk.

John Linkous is the IT Security and Governance, Risk and Compliance (GRC) Evangelist at eIQnetworks, Inc. In this multifaceted role, John is responsible for establishing the company's risk and compliance management product strategy, working with product management and engineering teams to ensure that products meet customer needs. John has over 15 years of technology management and consulting experience, specializing in enterprise systems management, information security and regulatory compliance, with diversified global clients across a broad range of sectors. His knowledge of information security and compliance issues, ability to communicate and bridge the gaps between technology and business, and his clear writing style have made him a sought-after keynote speaker and author. John is the author of numerous published books and white papers. Prior to joining eIQnetworks, John was vice president of operations at Sabera. Previously, he was co-founder and partner of a national IT consulting firm, specializing in enterprise infrastructure design and security. Before that, John was CIO of one of the nation's largest privately-held public relations firms. John began his career as a consultant at the National Aeronautics and Space Administration (NASA). John holds a B.A. degree in History and English Literature from the University of Maryland, and maintains numerous industry technical certifications. He can be reached at
