Care and Feeding of your PCI DSS Compliance Program
Getting compliant and passing your yearly Report on Compliance audit or completing a Self-Assessment Questionnaire is important to your organization and your customers (and a requirement for merchants and service providers). The PCI Data Security Standard (DSS), however, is intended to be the foundation of an ongoing program that keeps you following best practices throughout the year. I continue to work with clients who overlook the maintenance aspect of the DSS, and few things are worse than scrambling to update everything at once in the middle of an audit. In the past year, I have come across several companies that overlooked a key time-based DSS requirement and were forced to rely on compensating controls, or simply could not meet compliance, because of the oversight.

The DSS does little to protect your cardholder data and systems if you treat it as something you only have to do once a year. Maintaining your program should be like maintaining your house: don’t wait to fix that leaky pipe, repair the broken window, fix the lock on the door, and take out all of the trash right before your mother-in-law shows up – you don’t want to deal with it all at once, and neglect leads to increased effort, expense, security gaps, and non-compliance. Following a scheduled maintenance routine, by contrast, helps you purge unnecessary accounts and data, gives you visibility into your processes, trains personnel, and ensures that the different business units are aware of and performing their expected duties.

The cheat sheet in the following whitepaper was developed to help you prioritize, schedule, and assign responsibility for the tasks that must be performed on a periodic basis to meet DSS 2.0 requirements. Drop it into a spreadsheet, update your group calendar, or transfer it to your GRC tool, and then off to the beach for a Mai-Tai!