This is a quick overview of the major phases. The Payment Card Industry Data Security Standard (PCI-DSS) implementation and certification journey can be divided into the following key phases:

  1. Determination of applicability – Assess whether you handle primary account number (credit card/debit card) information and sensitive authentication data. Do you store, process and/or transmit the primary account number? If the answer to this question is Yes, PCI-DSS is applicable; otherwise it is not. Each of the steps listed below is relevant only if the answer is Yes.
  2. Scope definition – The scope begins at the firewall/network segregation point. Your cardholder information needs to be segregated from the rest of the network. The scope of that network then defines the processing infrastructure as well as the applicable controls.
  3. Asset identification – Assets include teams and roles, applications, network infrastructure, security infrastructure, and internal and external service providers: anything within your defined scope that is used to store, process and/or transmit the PAN.
  4. Risk assessment – PCI-DSS mandates a risk assessment aligned to ISO 27005, NIST SP 800-30 or OCTAVE. Whichever methodology is chosen, there has to be a quantitative and qualitative valuation of assets, threats, impacts, vulnerabilities and probabilities, resulting in a risk valuation for each asset on the one hand and an asset-wise list of weaknesses on the other.
  5. Gap analysis against the 217 controls – PCI-DSS is perhaps the most comprehensive security standard and therefore covers a wide variety of details. Some controls may not be applicable based on your assets and threats, but unlike other international standards (such as ISO 27001), the option of accepting residual risk is practically not available: here all applicable controls need to be implemented.
  6. Implementation – Having identified gaps from the previous two assessment exercises (risk assessment and gap analysis), the implementation journey should begin. It involves decision, direction and documentation of security gaps, and implementation through policy, personnel, procedural and technical controls. In PCI-DSS some of the controls are very specific technical requirements, and therefore require configuration changes, and in certain cases an investment is necessary. Tracking of gaps and their implementation is a long journey and can be facilitated by team awareness of the PCI-DSS standard. Operational security responsibilities are much more stringent compared to other international standards.
  7. Internal audit – Final verification of control implementation by an independent team; this phase checks not only control implementation but also lifecycle changes.
  8. Final QSA audit – This is where the final certification/attestation takes place. Being a point-in-time certification, completeness of control implementation can facilitate faster certification.

The whole process can take anywhere from 2-3 months for a smaller organisation to 6-9 months for a larger organisation.

Coral eSecure has a successful implementation methodology which can help organisations of any size and location reach compliance faster and more comprehensively.

Hope this helps.

Author: Probal C