I had followed theses 9 steps for build my compliance in this last year. I think it’s a good approach for big processor and all PSP.
- Establishing the PCI Project (Actors, budget…).
- Determine the scope (CDE).
- Review the information Security Policy (ISP or PSSI for french people).
- Conduct Gap Analysis.
- Conduct Risk Analysis.
- Establish the baseline and sharing it !!!
- Auditing
- Remedation planning
- Maintaining and desmontrating Compliance.
Don’t forget if your company (CEO, COO, CTO and all people) don’t support this, you don’t successfully the certification. PCI DSS is not infrastructure or Security project. It’s a Strategic business project.