The 3 Biggest Reasons Why PCI DSS On-site Assessments are an Organizational Nightmare

Are you a merchant or service provider that has been through an annual on-site assessment by a Payment Card Industry Qualified Security Assessor (PCI QSA), or are you looking to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) in the near future? Looking to avoid having your PCI engagement turn into a nightmare? If so, take note of the experiences and first-hand accounts of a Qualified Security Assessor who has worked with numerous companies on PCI on-site assessments.

PCI DSS compliance is fast becoming one of the most widely recognized compliance initiatives around the globe, and for good reason. If your organization, traditionally defined as a merchant or service provider in the world of PCI compliance, is directly involved in the processing, storage, or transmission of cardholder or transaction data, then without question you are a candidate for PCI DSS compliance.

But how difficult can PCI compliance be? After all, you simply follow the prescribed matrix from the PCI Security Standards Council, implement the requirements and "check the box", right? Wrong. On-site assessments turn into engagements of nightmarish proportions because the personnel involved in the assessment fail to plan and strategize effectively for the following three key areas.

A PCI DSS Readiness Assessment

You need to crawl before you walk, and a successful PCI DSS engagement can only be achieved when you first undertake an actual PCI DSS Readiness Assessment. Crucial to the overall on-site assessment, a well-planned and well-executed readiness assessment defines scope and personnel and produces a gap analysis of the areas that need remediation. Make no mistake: when a PCI DSS Readiness Assessment is done correctly, EVERY company will find a marginal to meaningful amount of remediation to conduct.

Policies and Procedures

As a Qualified Security Assessor, I can't tell you how many times prospective or actual clients have asked, "Where can I find policy and procedure templates?" or "How much do you charge to write them, because we just don't have the time?" The point is that developing policies and procedures for PCI DSS compliance is often one of the most time-consuming aspects of the engagement itself. Shocked at that statement? You shouldn't be. Read through the PCI requirements matrix lately? I've counted approximately three dozen "tests" throughout the 12 functional PCI requirements that call for a documented policy or procedure. My advice is to find a reputable vendor that provides policies and procedures (they're out there; just search for PCI policy templates) or have a Qualified Security Assessor provide you a set of quality, cost-effective templates.

Unexpected Operational Time Commitments

Familiar with two-factor authentication, a web application firewall (WAF), or file integrity monitoring (FIM), just to name a few catchy PCI phrases? If not, and you're considering tackling PCI compliance, then you need to invest considerable operational time in implementing many of the tools and appliances required by PCI. And here's what's interesting: many of these tools are available as open source, so the cost of obtaining usage rights is minimal. Thus, it's generally not the financial cost of obtaining these tools that puts significant strain on PCI engagements, but rather the unplanned operational time spent provisioning and hardening these tools within the cardholder data environment.

PCI DSS on-site assessments simply take time. You need to plan effectively for undertaking a Readiness Assessment, developing policies and procedures, and spending considerable resources implementing, configuring, and hardening system devices within the cardholder data environment.

Contact Charles Denyer, a PCI QSA, directly at 800-277-5415, extension 705, or by email at firstname.lastname@example.org to discuss your compliance needs.