To obtain PCI DSS compliance as quickly as possible, it is important to first secure support from senior management, ideally the CEO or MD. Ensure that you have been assigned adequate and dedicated resources (in the form of personnel, tools and finance). Without this interest, investment and commitment, compliance is destined to fail, especially when working to a very tight time-frame.
Secondly, establish your organisation’s current security posture as it relates to the PCI DSS. For example, capture the flow of cardholder data (CHD) throughout your current environment, documenting the data handling process and every infrastructure component it touches along the way. This matters because the PCI DSS requires CHD to be protected wherever it is at any given time, so anything that stores, processes or transmits it is in scope.
Thirdly, form a team to tackle the technical and compliance requirements of the standard simultaneously. The technical team can start scanning IPs for vulnerabilities and assessing current tools and products against the PCI DSS, while the compliance team takes stock of which policies and procedures are already in place against the requirements of the PCI DSS and which still need drafting and implementing.
Next, take the results of these two tasks and formulate a synchronisation matrix in which tasks, each with an owner and a deadline, are coordinated and de-conflicted to ensure continuity of effort and efficient use of resources. A well-versed and experienced project manager (or, as a minimum, a piece of PM software) is a ‘force multiplier’ at this stage and will save time and money.
Communication is the key to rapid success. Regular dialogue and meetings are essential to ensure that no conflict of effort occurs. Compliance requires the implementation of more than 200 controls, so here are a few things to consider if you wish to speed things up:
- Keep it simple, stupid. Can you simplify the way you process CHD? Using tokenization technology can reduce the scope (however, the PCI SSC are about to issue new direction relating to tokenization as part of PCI DSS 2.0, so consult the PCI SSC website before making any decisions). This sort of technology involves an upfront cost, but it will pay for itself in the mid- to long-term as it drives compliance costs down.
- Evolve existing infrastructure. Can you maximise previous security efforts and investments? For example, you may not need to purchase an IDS; check whether it is possible to add an IDS licence to an existing IDS-ready product, such as a firewall.
- Concurrent activity. Can you incorporate credit card handling training into the existing regular staff training, so that implementation occurs during the course of the project?
The PCI DSS is not quantum mechanics; accurate and regular communication, in conjunction with well-disciplined project management, should ensure rapid compliance.