Five Steps to PCI DSS Compliance


by Darryl K. Taft


Overcome the Culture of Undocumented Changes

Tracking changes is a tedious process, but it's essential for avoiding a data breach that could ruin the financial quarter for an organization. Documentation is important because an organization can't protect what it doesn't know is there. Without complete and up-to-date documentation, an organization has no way of knowing where cardholder data sits within the depths of its infrastructure and thus what layers of protection are needed where.


Shrink the Cardholder Data Environment

Most organizations have no clear idea how far their cardholder data environment extends. Knowing that boundary matters because any device that does not touch cardholder data does not have to meet the long list of PCI DSS requirements, so thoroughly mapping the cardholder data environment can save an organization time and money.


Make Network Segmentation Rock-Solid

If any cardholder data can leak from the "safe" environment, or another segment can touch that data, your organization is out of compliance and at risk of a breach. Remember that firewalls are required on every port from the external Internet to the internal environment, so that no traffic goes unchecked. ACLs must also be locked down so that no traffic crosses an unsecured protocol, and unneeded services must be turned off so they cannot be used by attackers.
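The three checks in this slide (every path into the cardholder data environment passes a firewall, no clear-text protocol is permitted into it, and CDE hosts listen only on the services they need) can be turned into a repeatable audit. The script below is an added example written for this page, not code from the original article; the zone names, rule format, approved-port list and the sample ruleset and host inventory are all constructed assumptions standing in for whatever a real firewall export and port scan would provide.

```python
"""Audit a firewall ruleset and a CDE host service inventory for the
segmentation failures described in the slide.

Constructed example: zones, rules, and listening ports below are made-up
sample data, not a real organisation's configuration.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Clear-text protocols that should never be allowed into the CDE (assumed list).
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}

# Ports a CDE host is approved to listen on (hypothetical allow-list).
APPROVED_CDE_SERVICES: Set[int] = {22, 443}

CDE_ZONES = {"cde"}
EXTERNAL_ZONES = {"internet"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means "any port"
    action: str              # "allow" or "deny"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that weakens CDE segmentation."""
    findings = []
    for i, r in enumerate(rules):
        # Only permissive rules whose destination is the CDE matter here.
        if r.action != "allow" or r.dst_zone not in CDE_ZONES:
            continue
        if r.src_zone in EXTERNAL_ZONES:
            # Internet traffic must terminate at a firewalled tier, never in the CDE.
            findings.append(f"rule {i}: direct allow from {r.src_zone} into {r.dst_zone}")
        if r.src_zone not in CDE_ZONES and r.dst_port is None:
            # An any-port allow from another segment lets that segment "touch" CDE data.
            findings.append(f"rule {i}: any-port allow from {r.src_zone} into {r.dst_zone}")
        if r.dst_port in INSECURE_PORTS:
            name = INSECURE_PORTS[r.dst_port]
            findings.append(f"rule {i}: {name} ({r.dst_port}) allowed into {r.dst_zone} from {r.src_zone}")
    return findings


def audit_services(listening: Dict[str, Set[int]]) -> List[str]:
    """Flag CDE hosts that listen on ports outside the approved service list."""
    findings = []
    for host, ports in listening.items():
        extra = sorted(ports - APPROVED_CDE_SERVICES)
        if extra:
            findings.append(f"{host}: unneeded listening ports {extra}")
    return findings


# Constructed sample ruleset: a DMZ tier in front of the CDE plus three mistakes.
SAMPLE_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "cde", 443, "allow"),        # fine: specific, TLS, via DMZ
    Rule("internet", "cde", 443, "allow"),   # mistake: Internet straight into CDE
    Rule("corp", "cde", None, "allow"),      # mistake: any-port allow from office LAN
    Rule("corp", "cde", 23, "allow"),        # mistake: telnet into CDE
    Rule("internet", "cde", None, "deny"),
]

# Constructed sample port inventory for two hypothetical CDE hosts.
SAMPLE_LISTENING = {
    "pos-db-01": {22, 443, 3306},   # database port exposed beyond the approved set
    "pos-app-01": {443},
}

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES) + audit_services(SAMPLE_LISTENING):
        print(line)
```

Run against the constructed data, the audit reports the direct Internet allow, the any-port rule from the office LAN, the telnet rule, and the extra listening port on the database host; a clean ruleset and inventory produce an empty list. In practice the two input structures would be built from the firewall's rule export and a port scan of the CDE hosts, and the audit scheduled so that the "undocumented change" from slide two shows up as a new finding rather than as a breach.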


Know What to Ask a Cloud Service Provider

Not all "compliant" cloud providers are created equal—make sure to ask the right questions, including "How do you segment your network to segregate traffic from different customers?" and "What security certifications do you have and what audits have your cloud platforms undergone?"


Assure the Needed Skills Are In-House

Those involved with creating or supporting PCI-compliant systems should have basic training in performing daily tasks with a "PCI-centric" mindset. Ask new hire candidates how they would go about configuring firewalls to meet the PCI network administration requirements. To ensure the effectiveness of your compliance program, only hire those candidates who can provide you with a solid answer.
