How Do I Become Compliant with PCI?

by Sarah Harvey / August 19th, 2016

Becoming PCI compliant for the first time can be overwhelming if you are unsure of where to start. With approximately 394 controls, this comprehensive data security standard is a large undertaking that is best tackled with expert assistance.

The first step towards achieving PCI compliance is to have a Gap Analysis performed by a PCI expert. Working with a PCI expert will help you understand all of your business processes and how PCI compliance impacts your unique organization. Your PCI expert will work through each of the requirements with you, explain how they relate to your business, and show you how your current security posture would stand up to a PCI audit. The Gap Analysis process uncovers any missing pieces in your security and leaves you with a list of recommendations to remediate, so that you have everything in place that you need to pass your PCI audit.

Once you’ve completed the remediation process, it’s time to reconnect with your auditor to begin the PCI audit process. Your PCI auditor will work with you through each of the PCI audit requirements, gather all of the necessary evidence and collect all documentation to complete the PCI assessment process for you. Compliance with the PCI DSS means compliance with all of the requirements, which are grouped under the following 12 high-level requirements:

The 12 PCI Requirements

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Once the audit process is completed, you will receive your PCI Report on Compliance (ROC), which demonstrates to your clients your compliance with the data security standard. If you’re ready to start the journey towards PCI compliance, don’t hesitate to contact a PCI Qualified Security Assessor (QSA), like KirkpatrickPrice, to help you through the process, take the stress out of a PCI audit, and be confident that you will receive your PCI Report on Compliance.

We get a lot of questions about how to become PCI compliant. That process will begin with a Gap Analysis, and that Gap Analysis is going to be one of our PCI experts spending some time with your organization, coming to an understanding of what it is you do to make money and how PCI compliance impacts your business, talking through your business processes, and gaining a firm understanding of your technology platform and how that supports your business. Then, working through each requirement, all of the nearly 300 requirements, helping you to understand what those requirements actually mean in your business.

At the conclusion of the Gap Analysis process, you’ll end up with a list of things that you will need to work on to make sure that you have everything in place to pass the audit. Then you’ll step away and work on those remediations. When that is done, we’ll come back with our auditor and work through the audit process to gather all of the evidence, collect all of the documentation and complete the assessment process for you. When that is all done, you will have your ROC (Report on Compliance) and your Attestation of Compliance, and you’ll be able to demonstrate to anyone who’s asking (whether it’s a card brand, your largest customer, or anybody else asking for your PCI compliance status) by providing them with that documentation.