Why IT Managers do not like PCI Assessments

What is PCI Compliance?

The Payment Card Industry Security Standards Council (PCI SSC) is the governing body responsible for creating and enforcing compliance using a set of security standards known as the Data Security Standard (DSS). PCI DSS ensures that all companies, of any size, that accept credit card payments and/or store, process, or transmit cardholder data maintain a secure environment. Verifying that a company is PCI compliant is performed by a Qualified Security Assessor (QSA).

Meeting PCI compliance the hard way:

Managers who have been tasked with their first PCI compliance requirement typically do not understand what is involved from a time perspective, what the requirements are to meet compliance, what PCI level their company falls into, who to turn to for these answers, and how much it will cost. To make matters worse, when the request to be PCI compliant is made (usually by the bank that processes the credit cards, or by a customer to whom you are a vendor), it can be as vague as a statement that you need to be PCI compliant, with no further instructions. Unless managers already understand what it takes to be PCI compliant, using Google to search on achieving compliance does not really yield the results needed. The PCI SSC web site can point one to the companies that are qualified to perform PCI assessments, but how does the manager know which one to go with? What are the criteria for selecting the right company to perform a PCI assessment or to consult with you on what is required to meet PCI compliance?

Meeting PCI compliance the easier way:

Before you even pick up the phone or send that email looking for a prospective company to perform a PCI assessment or to seek guidance on compliance, have the following minimal requirements completed or in place:

  • You have performed a risk assessment.
  • You have a vulnerability management program in place that scans for vulnerabilities on a quarterly basis for external and internal systems/devices that handle credit card payments and/or store, process, or transmit cardholder data. Also, scanning external devices/systems must be performed by an Authorized Scanning Vendor (ASV).
  • Have the ability to demonstrate any identified critical or high vulnerabilities have been remediated.
  • Have all your security policies defined and in place.
  • Depending on your PCI level requirements, have performed an annual penetration test.

These are the bare minimal requirements of PCI, and until they have been implemented or are in place, you will not be deemed PCI compliant. And last but not least, when selecting a company to partner with that provides PCI services, look for one that clearly identifies its methodology for how it will get you to compliance: a company that will work with you from start to finish, rather than just sending a QSA who dumps a list of requirements on you, goes away, and then comes back expecting you to have met all the requirements.

For the manager seeking PCI compliance for the first time, it can be a daunting task that seems impossible to complete. If you follow the steps outlined in "Meeting PCI compliance the easier way" and the recommendation on selecting a company that provides PCI services, you will find that achieving your PCI goals is a much easier and less costly endeavor.
