If your organization handles any type of payment processing, storage, or transmission of credit card data electronically, you’ll be very familiar with PCI DSS (formally known as the Payment Card Industry Data Security Standard). This standard exists to protect debit and credit cardholder data from unauthorized access via data breaches, ransomware, and other security incidents. However, as these breaches increase, so does the pace of changes and new rules in the PCI DSS.
For many organizations, achieving PCI compliance can be considered an unnecessary chore. However, getting compliant comes with several valuable benefits beyond just protecting your customers’ card data. It helps your business avoid heavy fines and lawsuits from impacted customers and third-party organizations, and it reduces the total cost of any data breach. According to a 2021 report from IBM and the Ponemon Institute, the average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021.
The latest version is PCI DSS 3.2.1. However, as the threat landscape continues to evolve, new controls will be added to mitigate the risks. In fact, PCI DSS v4.0 is scheduled for release in March 2022.
To ensure your organization meets the requirements of the current version of the standard, here are five steps you can take to address any risks and ensure your organization is PCI compliant:
- Determine Your Scope: Carefully research all PCI requirements to determine which pertain to your organization. While this will take some time, it will make a big difference in the long run by saving you (and your Assessor) a significant amount of work at audit time or as you’re completing your self-assessment questionnaire (SAQ).
- Minimize Your Scope: There are several things your team can do to minimize the risk to your payment card data and devices, including installing firewalls to limit access to your Cardholder Data Environment (CDE), encrypting all payment card data, and disposing of all cardholder data promptly and effectively.
- Determine How Well You Meet Applicable Requirements: Always examine each item on your list of relevant PCI directives and ask, “How well does my organization comply?”
- Test All CDE-related Controls: Your evidence must always be current. So, even if you have done it before, you must test each control regularly.
- Gather Your Evidence: Having documentation of your compliance efforts and results on hand will save your auditor time and work and save your enterprise money.
As the release of v4.0 may introduce additional steps to ensure compliance, it’s critical to be aware of any changes as they are introduced.
We will be tracking the evolution of the standard and will publish an update once we have more details. To ensure your organization has time to understand and implement these new controls, contact us to discuss your compliance needs.