To obtain PCI DSS compliance as quickly as possible, it is important to first guarantee support from senior management – ideally the CEO or MD. Ensure that you have been assigned adequate and dedicated resources (in the form of personnel, tools and finance). Without this interest, investment and commitment, compliance is destined to fail – especially when working in a very tight time-frame.
Secondly, identify your organisation’s current security posture as it relates to the PCI DSS. For example, capture the flow of cardholder data (CHD) throughout your current environment, documenting the data handling process and the infrastructure components encountered and involved in that process. The PCI DSS requires CHD to be protected wherever it is at any given time, so this data-flow map determines the scope of everything that follows.
Thirdly, form a team to tackle the technical and compliance requirements of the standard simultaneously. The tech team can start scanning IPs for vulnerabilities and assessing current tools and products against the PCI DSS, while the compliance team takes stock of which policies and procedures are already in place against the requirements of the PCI DSS and which need drafting and implementing.
Next, take the results of these two tasks and formulate a synchronisation matrix in which tasks, with owners and deadlines, are coordinated and de-conflicted to ensure continuity of effort and efficient use of resources. The use of a well-versed and experienced project manager (or a piece of PM software as a minimum) is a ‘force multiplier’ at this stage, which will save time and money.
Communication is the key to rapid success. Regular dialogue and meetings are essential to ensure that no conflict of effort occurs. Compliance requires the implementation of more than 200 controls, so here are a few things to consider if you wish to speed things up:
The PCI DSS is not quantum mechanics: accurate and regular communication, in conjunction with well-disciplined project management, should ensure rapid compliance.