Compliance
Ask the Expert: How Can I Assess Compliance with PCI DSS?
If your business accepts major credit cards, you have to be PCI DSS-compliant. But what is PCI DSS, what does it mean for your organization’s security, and how can you easily validate your compliance with the standards?
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
If your organization processes, stores, or accepts credit cards from the major credit card brands, you must comply with the PCI DSS. While the PCI DSS isn’t mandated by law, it is required by the credit card brands themselves, who formed the Payment Card Industry Security Standards Council (PCI SSC) and released the standards in 2004 to combat credit card fraud.
The standard comprises both cyber and physical security requirements. Access control, cameras, footage retention and other well-defined criteria are included in the PCI DSS. If a company is out of compliance, they can be hit by costly penalties, and potentially suffer legal woes.
Need help with risk assessments? Contact us now for a demo.
How is PCI DSS assessed?
There is more than one way of validating PCI DSS compliance. PCI is assessed either through self-assessment, qualified external assessors, or qualified internal assessors, depending on how many credit card transactions an organization conducts.
While organizations often have a system in place to assess the cyber requirements, we have found that the physical PCI requirements are still using paper checklists. Paper-based assessments are limited, however.
For one thing, conducting an assessment with a paper checklist can be clumsy. Walking around a site, scribbling notes in the margins can cause confusion later when the assessor writes their report.
For another, it’s difficult to get actionable data out of a paper checklist. If an organization needs to be able to see the compliance levels of more than one site at once, track changes in compliance, or wants to quickly show an executive a comparison of all sites, that’s hard to do with paper-based assessments.
One key element is your remediation process. Once you identify a deficiency or vulnerability, what happens next? How do you track issues all the way through to remediation? Having a project management system to monitor your gaps and validate remediation is a fundamental step in maintaining compliance.
That’s where digital assessment makes a difference.
How can PCI DSS validation be updated?
By using a digital platform to conduct assessments, organizations are better able to monitor compliance across several sites, and track remediation. The dashboard of a platform, for example, can offer security officials side-by-side data for different sites.
Such a tool can also help companies track equipment like cameras or door locks, and prioritize the deficiencies that need to be corrected across several sites.
Circadian Risk’s Risk Analysis Tool is a digital assessment tool that lets your assessors create their report as they assess physical security at a site. By using their device to take photos, and geolocation to tag the photos to locations on a floor plan, the assessor is collecting all their information in one place. When answering questions, standards cards are available within the platform so that your assessor can read excerpts from the standard itself and give a more informed answer. By having all your tools in the same platform, you can give your team, and leadership a more complete and nuanced view of your compliance with PCI DSS.
Ready to change the way you assess your sites? Talk to us now about assessing your security.
About the Author
