With the PCI-DSS compliance deadline fast approaching, most organizations are getting their act together to meet the requirements. The challenge lies in finding the right approach. Consultants, implementers and maintainers are often undecided about which approach to take. Various vendors are pitching their products, and many claim that compliance can be achieved purely through technical deployments. But the following questions remain:
- Will a technology deployment alone achieve the results that are required and desired?
- Will it not be a piecemeal approach, plugging each area's issues with whatever we see as the right requirement for that area?
- Will we be able to integrate these distinct products and technologies so that together they achieve the required output?
- What effect would changes to the architecture and infrastructure have on other compliance regimes such as ISO 27001, SOX, etc.?
There are many other such questions that keep hovering in our minds for us to answer and act upon. However, whatever the approach, the steps to PCI-DSS compliance must focus on the following:
- Highly sensitive payment card information stored in business databases
- Identification of all systems within the organization where payment card information is stored
- Legacy systems that do not support the PCI DSS requirements for encryption
- Access to payment card information by a large number of business users
- Log Management and Monitoring
- Data Classification and Handling
- Access Management on various systems and devices
- Information Security Policies and Procedures
- Periodic vulnerability assessment and penetration testing
- Segregation of Duties among Production, Development and Testing Teams