PCI DSS Prioritized Approach to Compliance

In my experience, the final consideration before getting started needs to be a more prioritized approach to achieving PCI compliance. The PCI Security Standards Council has come under pressure to help entities prioritize their approach to PCI DSS, and in response it published a table of six security milestones that help merchants and other entities incrementally protect against the highest-risk factors and escalating threats while on the road to PCI DSS compliance.

The prioritized approach and its milestones are intended to provide an overview that brings the following benefits:

  • A roadmap that an entity can use to address its risks in priority order.
  • A pragmatic approach that allows for “quick wins”.
  • Promotes objectives and measurable progress indicators.
  • Helps promote consistency among QSAs (I am not sure this applies when your QSA works full-time with your company while you run the PCI project).
  • Supports financial and operational planning.

Milestone 1
Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised.

Milestone 2
Protect the perimeter, internal networks and all other networks (wireless, LAN, etc.). This milestone targets controls for the points of access used in most compromises: the network or a wireless access point on your CDE.

Milestone 3
Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas make systems easy prey for compromise and provide a path to cardholder data.

Milestone 4
Monitor and control access to your systems. The controls in this milestone allow you to detect the who, what, when and how of access to your network and cardholder data environment (CDE).

Milestone 5
Protect stored cardholder data. For those entities that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone 5 targets the key protection mechanisms for that stored data.

Milestone 6
Finalize remaining compliance efforts and ensure all controls are in place. The intent of Milestone 6 is to complete the remaining PCI DSS requirements and finalize all related policies, procedures and processes needed to protect your cardholder data environment (CDE).

My tips:

Use the template from the PCI Council; it is easy and fun 🙂


For more information, download the template directly from the PCI Security Standards Council.