2. Overcome the Culture of Undocumented Changes
Tracking changes is tedious, but it is essential to avoiding a data breach that could ruin an organization's financial quarter. Documentation matters because an organization cannot protect what it does not know it has. Without complete and current documentation, including the network diagram and the cardholder data-flow diagram that PCI DSS requires an organization to maintain, it has no way of knowing where cardholder data sits within its infrastructure, and therefore which layers of protection are needed where. Every change to an in-scope system should go through a documented change-control process, and the diagrams and inventory should be updated as part of that change rather than reconstructed at assessment time.
3. Shrink the Cardholder Data Environment
Most organizations have no clear idea how far their cardholder data environment (CDE) extends. That matters because the long list of PCI DSS requirements applies to every system component in scope, and scope is broader than "devices that touch cardholder data": it includes every system that stores, processes or transmits cardholder data, plus any system that is connected to the CDE or could affect its security (directory services, DNS, logging, patch and configuration management, jump hosts). A device is out of scope only if it is isolated from the CDE by verified segmentation controls. Knowing the CDE precisely, and then shrinking it by isolating or removing everything that does not need to be there (for example, by not storing the PAN at all, or by using tokenization or a validated P2PE solution), saves an organization time and money.
4. Make Network Segmentation Rock-Solid
If cardholder data can leak out of the "safe" environment, or another segment can reach the systems holding that data, the segmentation is not effective: those other systems are in scope, and the organization is both out of compliance and at greater risk of a breach. Remember that PCI DSS requires a firewall at every Internet connection and between any DMZ and the internal network zone, with a default-deny policy so that no traffic is allowed without a documented business need, and direct access between the Internet and any system in the CDE is prohibited. Firewall rules and ACLs must be reviewed regularly, insecure services and protocols (such as Telnet, FTP and cleartext HTTP) must be avoided or compensated for where unavoidable, and unneeded services, ports and protocols must be turned off so attackers cannot use them. Finally, do not take segmentation on trust: PCI DSS requires penetration testing that specifically verifies the segmentation controls, at least annually and after any change to them, and at least every six months for service providers.
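The scoping rule from the previous section and the segmentation checks above can be turned into a small review script. The following is an added example, not code from the original article: it models an inventory of system components and the firewall rules between network zones, derives which components are in PCI DSS scope and why (CHD handling, security-impacting, or merely connected to the CDE), and flags rules that undermine segmentation. The zone names, host names, rules and the list of cleartext services are constructed sample input and assumptions, not real systems.

```python
"""Added example (not from the original article): a scoping and segmentation
review. Inventory, zones, rules and the cleartext-service list are constructed
sample data; the zone names "cde" and "internet" are assumptions."""

from dataclasses import dataclass

CDE_ZONE = "cde"            # zone holding systems that handle CHD (assumed name)
INTERNET_ZONE = "internet"  # untrusted zone (assumed name)
ANY = "any"

# Cleartext services that must not be permitted into the CDE (constructed list)
INSECURE_SERVICES = {"21": "ftp", "23": "telnet", "69": "tftp", "80": "http"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Component:
    name: str
    zone: str
    handles_chd: bool = False         # stores, processes or transmits CHD
    security_impacting: bool = False  # e.g. AD, DNS, logging, patching for CDE hosts


def connected_zones(rules):
    """Zones with at least one allow rule to or from the CDE. Every component
    in such a zone is 'connected-to' the CDE and therefore in scope."""
    zones = set()
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone == CDE_ZONE and r.src_zone != CDE_ZONE:
            zones.add(r.src_zone)
        if r.src_zone == CDE_ZONE and r.dst_zone != CDE_ZONE:
            zones.add(r.dst_zone)
    return zones


def classify(components, rules):
    """Map each component name to why it is in scope, or 'out of scope' when no
    rule lets its zone reach the CDE and it cannot affect CDE security."""
    connected = connected_zones(rules)
    wide_open = ANY in connected   # an 'any -> cde' allow drags every zone in
    result = {}
    for c in components:
        if c.handles_chd or c.zone == CDE_ZONE:
            result[c.name] = "cde"
        elif c.security_impacting:
            result[c.name] = "security-impacting"
        elif wide_open or c.zone in connected:
            result[c.name] = "connected-to"
        else:
            result[c.name] = "out of scope"
    return result


def review_rules(rules):
    """Return findings for rules that break segmentation or default-deny."""
    findings = []
    if not rules or rules[-1] != Rule(ANY, ANY, ANY, ANY, "deny"):
        findings.append("ruleset does not end with an explicit deny-all rule")
    for i, r in enumerate(rules, 1):
        if r.action != "allow" or r.dst_zone != CDE_ZONE:
            continue
        if r.src_zone == INTERNET_ZONE:
            findings.append(f"rule {i}: direct Internet access into the CDE")
        if r.src_zone == ANY or r.port == ANY or r.proto == ANY:
            findings.append(f"rule {i}: overly broad allow into the CDE")
        if r.port in INSECURE_SERVICES:
            findings.append(f"rule {i}: {INSECURE_SERVICES[r.port]} (cleartext) into the CDE")
    return findings


# Constructed sample inventory and ruleset (hypothetical hosts and zones)
COMPONENTS = [
    Component("pos-app-01", "cde", handles_chd=True),
    Component("pos-db-01", "cde", handles_chd=True),
    Component("web-proxy-01", "dmz"),
    Component("jump-01", "mgmt"),
    Component("dc-01", "corp", security_impacting=True),
    Component("hr-laptop-42", "corp"),
    Component("guest-wifi-ap", "guest"),
]

RULES = [
    Rule("internet", "dmz", "tcp", "443", "allow"),   # public web front end
    Rule("dmz", "cde", "tcp", "8443", "allow"),       # proxy to payment app
    Rule("mgmt", "cde", "tcp", "22", "allow"),        # admin via jump host
    Rule("corp", "cde", "tcp", "23", "allow"),        # legacy telnet: bad
    Rule("internet", "cde", "tcp", "443", "allow"),   # bypasses the DMZ: bad
    Rule(ANY, ANY, ANY, ANY, "deny"),                 # default deny
]

if __name__ == "__main__":
    for name, reason in classify(COMPONENTS, RULES).items():
        print(f"{name:14} {reason}")
    for finding in review_rules(RULES):
        print("FINDING:", finding)
```

With the sample ruleset, the guest Wi-Fi access point is the only component out of scope, and the review reports two findings: the Telnet rule from the corporate LAN and the rule that lets the Internet reach the CDE directly instead of terminating in the DMZ. Deleting the Telnet rule and re-running `classify` drops the entire corporate zone out of scope (the domain controller stays in because it is security-impacting), which is what "shrinking the CDE" looks like in practice. A model like this only reflects what the rulebase says; the segmentation penetration test that PCI DSS requires is what confirms the rules actually behave that way on the wire.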
5. Know What to Ask a Cloud Service Provider
6. Ensure the Needed Skills Are In-House
Those who create or support PCI-compliant systems should have basic training in performing their daily tasks with a "PCI-centric" mindset. Ask new-hire candidates how they would configure firewalls to meet the PCI network administration requirements; a solid answer covers a default-deny policy, a DMZ between the Internet and the cardholder data environment, a documented business justification for every allowed port and protocol, and periodic review of the rule set. To keep the compliance program effective, hire only candidates who can give that kind of answer.