PCI is never far from mind these days, as the January 1, 2015 deadline by which most organizations must be compliant with PCI DSS 3.0 approaches quickly. In light of that deadline, ncrampton and ospannero hosted a webcast earlier this week, "5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis", so that organizations can develop a plan for getting from their current state of compliance to meeting all of the new requirements in time. Read on if your organization handles credit card data and will need to demonstrate PCI DSS 3.0 compliance:
- Create an Action Plan, remembering that separation of duties is always a good idea – It's best to appoint a single project manager for your compliance update who keeps all plans on task. This person should know who is responsible for each task, when each phase of the project will take place, how success will be measured, what milestones to look for, and when each update will be in place. It's also important that the person doing the auditing is not the same person reporting on task completion.
- Be Strict, Document Well, & Follow Instructions Exactly – Go through every requirement for your SAQ type (determined by identifying the entry points and flow of credit card data at your organization), interview and collaborate with IT staff, examine the evidence first hand rather than taking someone's word for it, and document the results in specific detail, and then...
- DOUBLE CHECK! Cross-reference the guidance in the SAQ, the PCI DSS itself, and the ROC reporting guide so that you find your gaps before an assessor finds them for you.
- Massage results into a simple, factual presentation – Many dimensions (compliance, risk, cost, speed, impact, availability, integrity, etc.) may be examined during your assessment, but you must be able to communicate the results of your analysis to a less security-minded and less technical audience. Present findings succinctly, in a form that doesn't require hours or days of digging through raw results.
- Act Smart: Think Like an Outsider so that you are auditable – Sometimes the fastest way to become compliant with PCI DSS is to change how you do business so that you qualify for an SAQ type with fewer sub-requirements (for example, by shrinking the environment that touches cardholder data). Whether or not that is possible, understand the intent of each requirement, so that when you demonstrate the actions you've taken, they not only check the box but also provide the security improvement the requirement was meant to deliver.
Want further details on the 5 steps to take as you prepare to comply with PCI DSS 3.0? Watch the webcast now.