This is the twelfth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:
PCI Requirement 1 - Defending the Wall
PCI Requirement 2 - Change Your Defaults!
PCI Requirement 3 - Don't Store Cardholder Data!
PCI Requirement 4 - Hide in Plain Sight!
PCI Requirement 5 - Update and Scan
PCI Requirement 6 - Patches and Scanning and Coding, Oh My!!
PCI Requirement 7 - Thou Shall Not Pass!
PCI Requirement 8 - Identify, Authenticate, and Authorize
PCI Requirement 9 - Lock the Doors and Don't Forget the Windows Too!
PCI Requirement 10 - Big Brother is Watching!
PCI Requirement 11 - People, Policies, and Processes Time!
Requirement 12 lays out what it takes to build a security policy: establishing it, publishing it, maintaining it, and disseminating it to all personnel involved in the PCI program. Requirement 12 also introduces risk assessment processes, and the PCI Security Standards Council states that these assessments must be conducted at least annually. The risk management area creates a challenge for many companies, which I will touch on below.
Awareness training, delegation and documentation of the security roles and responsibilities within your organization, and incident response are large parts of a quality information security program. Users and employees are and always will be the biggest threat to any environment. That is why security awareness training is so critical, yet it is often pushed off or covered only lightly in many companies. The PCI Council has required training for years, and organizations should take notice and implement a continuous awareness training program, not just for cardholder data, but for all activities.
Assigning information security management responsibilities is often overlooked in smaller environments with limited staff. This presents a great opportunity to identify who on your IT staff may be up for that role and allow them to grow and drive the security program. We often see this role as the Information Security Officer, or ISO. Requirement 12 is very much a documentation- and process-related area and less technical than some others.
Companies that require PCI compliance face some familiar challenges within Requirement 12:
Compass IT Compliance is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.
These challenges are just some of the areas within the PCI DSS requirements that many of our clients face. Another area where our clients experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy-to-use checklist gives you the PCI requirements, what you must do to achieve or maintain compliance, and how often you need to complete each requirement.