With PCI DSS v3.0 looming, there seems to be considerably more emphasis on organisations achieving PCI compliance. For most, this throws up a number of very important questions, especially for companies with fewer internal resources. Where do I start, which self-assessment questionnaire should I complete and do I need a QSA? An obvious place to start is the PCI SSC website (https://www.pcisecuritystandards.org/). As you would expect, there is an abundance of information here. However, are the information and guidelines outlined there geared up for everyone, especially for those organisations that do not have in-house compliance experience?
At Dionach we work with a large number of organisations who have a requirement to become PCI compliant. This includes those who have taken it upon themselves to be proactive and those who are being pressured from their merchants to evidence their compliance. Whatever the motivation is, there is one very important question that should be posed at the beginning of this process: “are we wasting our resources?”
The resources required to achieve PCI compliance are not insignificant. The costs of ongoing compliance are not going to reduce with the introduction of PCI DSS v3.0 and its more stringent requirements, centred on penetration testing amongst other things. The external consultancy costs are not the only factor to consider. The internal costs for managing, developing or documenting the policies and procedures also mount up, meaning compliance costs generally run into the tens of thousands of pounds.
After the decision has been taken that PCI compliance is required, the first requirement is to correctly identify the scope (all system components or processes which are connected to the transmission, processing or storage of cardholder data). As my colleague Bil advised in his blog in July (https://www.dionach.com/blog/pci-dss-scoping-challenges-around-network-s...), the need to correctly identify the scope associated with PCI is vital.
As with most self-certifying standards, the information provided to the merchants is taken at face value. As an officer of the company, prior to the final sign-off, you are expected to have conducted the necessary checks and asked for evidence of your compliance. Remember, you are issuing a statement to your acquiring bank that your organisation is storing or transmitting PANs in a secure way. Everything you are signing off is based upon the identification of scope.
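One of the checks that underpins the scoping exercise above is finding out where PANs actually sit, because any system that turns out to hold them is in scope whether or not the inventory says so. The following is an added illustration, not a Dionach tool or anything from the PCI SSC, of how a defender can triage text exports (log files, database dumps, mailbox exports) for card-number-shaped data: a regular expression picks out 13 to 19 digit runs, the Luhn checksum that real card numbers carry discards most order ids and phone numbers, and only a masked value is ever recorded. The sample lines and the card numbers in them are constructed; the numbers are the widely published test numbers, which pass the Luhn check but are not real accounts.

```python
import re
from typing import Dict, List

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Card numbers carry this check digit, so it weeds out most random
    digit runs (order ids, phone numbers) that merely look like a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the finding itself is not a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Report Luhn-valid PAN candidates found in the given text lines.

    Each finding records the 1-based line number, a masked PAN and its
    length; the full PAN is never stored or returned.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(
                    {"line": lineno, "masked": mask_pan(digits), "length": len(digits)}
                )
    return findings


# Constructed sample log lines (not real data); the two card numbers are the
# widely published test numbers, which pass the Luhn check.
SAMPLE_LINES = [
    "2014-01-10 order 4821 paid card=4111 1111 1111 1111 ok",
    "2014-01-10 ref 4111111111111112 is an order id, fails Luhn",
    "2014-01-11 tel 0123 456 7890, too short to be a PAN",
    "2014-01-11 txn 5555555555554444 approved",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['masked']} ({f['length']} digits)")
```

Run against the constructed sample, only lines 1 and 4 are reported. A Luhn match is a lead, not proof: a hit still has to be confirmed by looking at the system and the business process that wrote the data, and a clean scan does not put a system out of scope if it handles cardholder data in transit. The point of the exercise is to test the scope you have written down against what the systems actually contain before you sign the questionnaire.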
Clearly the need to correctly identify your PCI scope is a key aspect of any compliance requirement. Surely the last thing any organisation needs is to spend a considerable amount of resources going through the motions without actually achieving the identified goal, in this case PCI compliance. Should the worst happen and your organisation suffers a security breach in which cardholder data is compromised, the cost of compliance is wasted if the correct scope was not adequately identified in the first place.
Before you start filling out a self-assessment questionnaire, I would suggest that you engage with an approachable PCI QSA and, if nothing else, correctly identify your scope. Ultimately, this may save your organisation a lot of wasted time and resources. Remember, if you consider the PCI scope as the foundation of your compliance, then you need to get it right before building your compliance programme on top of it.