On October 31, 2016, PCI DSS 3.1 will be retired, and organizations are required to use PCI DSS 3.2 and to be compliant with it by February 1, 2018. With the recent release of PCI DSS 3.2, many businesses are preparing to update their security and compliance efforts again. Other businesses still aren’t compliant with the previous version of the PCI DSS, which leaves them vulnerable to attackers.
Whether you’re new to PCI or a veteran, take time to review your past PCI compliance efforts and plan future PCI DSS 3.2 efforts.
Here are five basic practices to help you become PCI compliant.
1. Document everything
Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also helps keep your security efforts organized and legitimate.
Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.
Whenever you make changes in your business’s security, have your employees document the change. It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.
If you document everything throughout your PCI DSS process, you’ll save time and be more secure.
2. Determine your scope
It’s vital for businesses to determine what is ‘in scope.’ A particular person, process, technology, or component is in scope if it stores, processes, or transmits payment card data, or if it is connected to systems that do. Everything in scope must be PCI DSS compliant.
Some system components that may be in scope for your environment include:
You can’t protect what you don’t know. If you don’t know where your credit card data is, it’s impossible to secure it and get compliant. Create a cardholder data flow diagram for all in-scope networks. This will help you to properly understand the scope of your business by documenting where your card data is received, stored, and transmitted.
3. Segment your network
While network segmentation is not required by PCI DSS 3.2, it’s a good idea if you’re looking for the easiest way to reduce cost, effort, and time on getting compliant.
Network segmentation is done by physically or virtually separating environment systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical gaps.
Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double-check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.
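The two ideas in sections 2 and 3 (what pulls a component into scope, and how a segmentation control takes it back out) can be modelled mechanically. The script below is an added example, not code from the original article or from any PCI SSC publication; the asset names, the flag saying which assets handle cardholder data, and the permitted network flows are all constructed for illustration. It applies the article’s rule (a component is in scope if it handles cardholder data or is connected to a system that does) to an inventory, reports why each component is in scope, and then shows how denying one flow at a firewall shrinks the scope.

```python
"""Added example (not from the original article): a toy model of PCI DSS
scope determination and of how network segmentation shrinks that scope.

Everything below is constructed for illustration: the asset names, which of
them handle cardholder data (CHD), and the permitted network flows between
them are invented. The scoping rule is the one stated in the article: a
component is in scope if it stores, processes, or transmits CHD, or is
connected to a component that does. Real scoping also follows the PCI SSC
scoping guidance and a cardholder data flow diagram; this script only shows
the mechanics.
"""

# Constructed inventory: component name -> True if it stores, processes, or
# transmits cardholder data.
ASSETS = {
    "pos-terminal": True,
    "payment-gateway-proxy": True,
    "card-db": True,
    "backup-server": False,
    "web-app": False,
    "hr-server": False,
    "wifi-guest": False,
}

# Constructed permitted flows before any segmentation. Each pair means the two
# components can reach each other over the network; direction is ignored here.
FLOWS_FLAT = {
    ("pos-terminal", "payment-gateway-proxy"),
    ("payment-gateway-proxy", "card-db"),
    ("card-db", "backup-server"),
    ("web-app", "card-db"),      # shares a flat network with the card database
    ("web-app", "hr-server"),
    ("wifi-guest", "web-app"),
}


def adjacency(assets, flows):
    """Build an undirected connectivity map: name -> set of reachable names."""
    adj = {name: set() for name in assets}
    for a, b in flows:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def scope_report(assets, flows):
    """Return {component: reason} for every in-scope component.

    CHD-handling components are in scope on their own. Any other component
    with a permitted flow to a CHD-handling component is in scope as a
    'connected-to' system, and the reason names which CHD system it touches.
    """
    adj = adjacency(assets, flows)
    cde = {name for name, handles_chd in assets.items() if handles_chd}
    report = {name: "handles cardholder data" for name in cde}
    for name in assets:
        if name in cde:
            continue
        touches = sorted(adj[name] & cde)
        if touches:
            report[name] = "connected to " + ", ".join(touches)
    return report


def in_scope(assets, flows):
    """The set of in-scope component names."""
    return set(scope_report(assets, flows))


def segment(flows, denied):
    """Apply a segmentation control: drop every flow the firewall now denies.

    `denied` holds (a, b) pairs; either orientation of a pair is removed.
    """
    denied_both = denied | {(b, a) for a, b in denied}
    return {flow for flow in flows if flow not in denied_both}


def scope_reduction(assets, flows, denied):
    """Return (scope before, scope after, components removed from scope)."""
    before = in_scope(assets, flows)
    after = in_scope(assets, segment(flows, denied))
    return before, after, before - after


if __name__ == "__main__":
    # Constructed segmentation control: a firewall between the corporate
    # network and the cardholder data environment denies web-app -> card-db.
    DENIED = {("web-app", "card-db")}
    before, after, removed = scope_reduction(ASSETS, FLOWS_FLAT, DENIED)
    print("Before segmentation:")
    for name, why in sorted(scope_report(ASSETS, FLOWS_FLAT).items()):
        print(f"  {name:24} {why}")
    print("After segmentation:", sorted(after))
    print("Taken out of scope:", sorted(removed))
```

In the constructed inventory the web application is in scope only because it can reach the card database; once that single flow is denied, it and nothing else leaves scope, while the backup server stays in scope because it still talks to the card database. This is a paper model of the intended rule set; it says nothing about whether the firewall actually enforces it, which is exactly why the article notes that segmentation controls have to be tested.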
4. Spend money and time to train all staff
Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time properly training their employees in security.
Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.
Remember to require policy documentation signatures annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.
5. Work with a security professional
Security experts and Qualified Security Assessors are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS (e.g., PCI DSS 3.2).
QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.
If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.
Get compliant with PCI DSS 3.2
Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating and updating your PCI compliance program; don’t forget to add the new and revised requirements to your new/existing program.
Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.
Paul Freitag guides you through the world of credit card processing fees and cyber security. He is an industry expert and professional who will make sure you’re compliant with new laws and ready for the 21st century!