PCI Compliance: Readiness Assessment

By Jane Laroussi, CISSP, QSA

This is the fourth of a six-part blog series about PCI compliance.

Thus far in this series, we’ve set the stage for achieving PCI compliance. In Part 1, we listed and defined PCI-relevant terms; in Part 2, we discussed how to determine and minimize your scope of compliance; and in Part 3, we reviewed and explained validation and reporting requirements.

With that information nearby, we’re ready to get into the real work of complying with PCI standards, beginning with a PCI readiness assessment. 

Identify and Address Issues in Advance

A PCI readiness assessment, also called a gap assessment, helps merchants and other businesses prepare for a formal PCI compliance assessment; it’s a chance to identify and address any issues before they’re flagged during the official review. Generally, merchants or businesses enlist third-party PCI specialists to conduct a readiness assessment, find any deficiencies, and offer recommendations for remediation. 

Readiness assessments help ensure all necessary technical and policy components are established and the appropriate security controls are in place, to hopefully lead to an efficient and successful formal PCI review. Just like a dress rehearsal helps performers gear up for a live show, a PCI readiness assessment will prepare your business for a (hopefully) painless PCI standards assessment, and set you up for ongoing compliance.   

6 Questions to Ask Before a Readiness Assessment

A formal PCI compliance review involves the discovery and review of all the security requirements listed by the PCI Data Security Standard; the readiness assessment, then, makes sure you’re appropriately meeting all of the current requirements (which are updated every three years). 

You can spend as much time reviewing the PCI DSS standards as you like (there are many specific requirements that PCI specialists will review and confirm during the assessment), but below are six questions think about in preparation for a PCI readiness assessment.

  1. Are you maintaining a secure network? Check your firewall and update if needed, maintain strong authentication controls, and consider data encryption.  
  2. Are you properly protecting cardholder data? To start, review where and how you’re storing cardholder data, and confirm if you’re encrypting the transmission of the information.   
  3. Are you maintaining a vulnerability program? If applicable, you’re required to use and regularly update anti-virus software and to maintain secure systems and applications.  
  4. Are you implementing strong access control measures? You should be restricting business access to cardholder data, and if you have multiple employees with computer access, they should have unique user credentials.  
  5. Are you regularly monitoring and testing networks? If you haven’t been doing this, make it common practice to track and monitor all access to network resources and cardholder data, and to regularly test your security systems. 
  6. Do you maintain an information security policy? Make sure you have a comprehensive policy in place that addresses information security for all of your staff and personnel. 

Depending on your Cardholder Data Environment (CDE), you might find that not all of the PCI requirements apply to your situation, or your might find you have components that need controls to comply with PCI requirements. But, generally, all merchants and businesses should think about the questions above to protect cardholder data. 

Revisit Scope during a Readiness Assessment

As can happen, a readiness assessment might reveal your CDE has a very large scope of compliance—you’ve got many connected components that then require many controls and policies to meet PCI standards. The assessment, then, can prompt an organization to review its scope and consider ways to minimize its scope (as we’ve discussed before, like segmenting networks or outsourcing payment processing). 

There are two advantages to reviewing and minimizing your scope during the readiness assessment. 

  1. By removing certain components from your scope, those components are no longer part of your CDE and are not subject to PCI compliance. You essentially shorten your path to PCI compliance. 
  2. Reducing scope lessens cardholder data exposure, overall; with fewer components that store, process, or transmit cardholder data, you reduce the risk of a data breach and improve cardholder data protection.  

What Carson Inc. can do for you

It’s critical that your business fulfills its annual PCI reporting requirements; to guarantee your reports are completed timely and properly, it makes business sense to partner with an industry expert. Carson Inc. has completed the PCI Security Standards Council QSA qualification process and can provide PCI readiness assessments to help you comply with the PCI DSS. Our trained professionals understand the standards and can help identify and resolve any issues in preparation for your formal review. 

Carson Inc. is poised to help your company manage data security risks, evaluate the security of your systems, and ensure total compliance. We’ll prepare the documentation required by the major payment brands and help your organization meet the specific reporting requirements for PCI DSS compliance.

PCI Compliance Series