Any e-commerce site that accepts payment cards needs to be able to demonstrate PCI DSS compliance. Validating your company's compliance requires testing your security policies, network configurations and internal procedures. This can involve verifying the capabilities of business facilities, system components and third-party service providers.
Hostway's partners at SilverSky provided these five tips for businesses considering beginning a PCI assessment:
Engage a QSA: Engaging a Qualified Security Assessor (QSA) early in the process can save you time, money and effort, especially if it's your initial foray into PCI compliance. A QSA can eliminate the guesswork by helping you understand the requirements as they relate to your business, the intent behind specific controls, and whether a compensating control could suffice. They can review the practices you already have in place to help you determine the key areas on which you must focus to bridge the gap to compliance. Another useful tool if you are just getting started is the PCI DSS Prioritized Approach, which can be found on the PCI Security Standards Council's website.
Limit the Scope: Minimizing the scope of your PCI environment is one of the most advantageous moves towards simplifying audits and ongoing PCI compliance management. While network segmentation technically isn't a requirement, it permits you to consolidate the systems that are necessary for transaction processing and isolate them from the rest of your environment; every system that is not isolated from the cardholder data environment is in scope. This practice also reduces risk by making the target smaller and access easier to manage, track and control, which in turn limits exposure. Start with the cardholder data itself. Do you need it? If you don't, then don't store it. If you do, consolidate and isolate it.
It's Not Just an IT Thing: The cardholder data environment is made up of the people, processes and technologies that store, process or transmit cardholder data. All too often, we get hung up on technology alone as the solution to all our problems. To implement a strong and continuous compliance and security program, you must have executive sponsorship from both the business and IT. The daily tasks that must be performed should be embedded in the overall security program and business practices. With the right executive sponsorship, security and compliance can become a streamlined process instead of a burden, and it's also the responsible thing to do for your company and your customers.
Validate Your Service Providers and Vendors: You can't outsource accountability. Ultimately, your organization is responsible for its own PCI compliance. Good partnerships can certainly help you get there, but it is your responsibility to validate your service providers and vendors. Depending on the services provided, their ability to demonstrate compliance will be critical for you to pass an audit. A good partner should be able to clearly delineate the lines of responsibility and make the due diligence process easy for their customers. Beyond compliance, many notable security breaches have occurred because a third-party vendor was compromised and used as the path into the attacker's real target.
Continuous Monitoring and Reporting: An audit is a point-in-time activity; securing your environment is a 24/7/365 endeavor. Active security event monitoring, regular log review and real-time reporting are crucial for identifying security incidents and minimizing their impact. You can't control what you can't measure. While reports are crucial during an audit, they are just as important for continuously gauging the effectiveness of your program; they are the yardstick that lets you measure how you're stacking up. In addition to satisfying your auditor, strong reports help maintain executive sponsorship by demonstrating the results of the investment in the program to secure the network and exceed compliance.
With these concepts adopted, you're well on your way to PCI compliance.