PCI DSS Projects – Are there shortcuts?
The truthful answer is NO.
That said, there are many best-practice methods that allow a structured approach to a successful PCI DSS project and a successful audit. For instance, don’t go on a shopping frenzy for sexy technologies.
First, form an educated work plan that identifies exactly which technologies you need to support your business needs. DLP, NAC, SIEM/SOC, IDM, electronic vaults and more sound really cool to have, but they are not always necessary for meeting PCI DSS requirements, despite what some enthusiastic vendors might claim. All of these are excellent products, and they are very much needed to keep a good security practice going, but the choice of whether to implement them shouldn’t be driven only by PCI DSS; it should derive from the organization’s unified information security policies and business goals.
Secondly, and before embarking on this voyage, choose your resources wisely and hire a QSA to partner with you for the duration. An experienced QSA will guide the organization safely through a risk-based approach and will assist you in making the right decisions.
Remember – compliance means that security becomes a fundamental perspective of the organization; therefore compliance is not a one-time event but must be maintained constantly. This realization needs to seep through all layers of the organization, to allow complete acceptance of the project and ample resources for dealing with the challenges that arise along the way.
Thirdly, make sure you guide the process and are not guided by it or by external factors such as: exuberant vendors that are out to make a sale, local acquiring banks that only care about submitting nice and tidy Excel sheets to their local payment brands, or internal enthusiastic security staff who are harnessing the PCI DSS opportunity to promote other (and sometimes very important, although not entirely PCI-related) security agendas.
Lastly, use the PCI SSC Prioritized Approach as the formal roadmap for managing your internal PCI DSS projects and to help you navigate the PCI DSS maze. The Prioritized Approach presents a formal roadmap for managing the standard and its implementation the right way. It also directs the organization to work with a risk-based approach and to address the most critical and burning issues first.
Ben Ben Aderet – Co Founder of GRSee Consulting