PCI Compliance: How to Develop a Remediation Plan

By Jane Laroussi, CISSP, QSA

This is the fifth of a six-part blog series about PCI compliance.

In recent weeks, we reviewed and explained PCI validation and reporting requirements, and we discussed the value of a readiness assessment before an official PCI review.

As we discussed, a readiness assessment serves as a “dress rehearsal” for a formal PCI review. If a QSA identifies compliance issues during the readiness assessment, you may be able to address some of those issues by reviewing and minimizing your scope of compliance, but existing issues will have to be properly remediated to comply with PCI DSS standards.

Follow Recommendations from the Readiness Assessment

After a QSA has conducted a readiness assessment, the assessor can work with your organization to:

  • identify and explain any existing gaps in compliance;
  • develop a remediation plan, including technical fixes and policy and procedural updates; and
  • recommend tools or third parties that can help complete necessary technical and policy work.

The final point is important: because of the strict “separation of duties” requirements enforced by the PCI Security Standards Council, a QSA cannot conduct “hands-on” remediation to fill the gaps identified in the readiness assessment. The QSA can, however, recommend another party to complete the remediation work before the QSA conducts the formal PCI assessment.

An 8-Step Approach to PCI Remediation

  1. Plan ahead. Remediation efforts can be time-consuming and arduous for all parties involved; with the gaps in compliance identified, it’s important to outline and agree on a manageable remediation plan at the start.
  2. Get organized. Group your remediation tasks into specific categories; the two primary categories are technical and policy/procedural. (You might have to configure servers and the underlying operating systems and applications that reside on them, or you might have to write and develop new policies and procedures, etc.)
  3. Assign responsibilities. Determine the parties responsible for owning all remediation efforts and, when you consider what needs to be done to get these areas compliant, identify whether you need additional tools or extra personnel to complete certain tasks.
  4. Consider remediation tools and services. Your QSA can help you identify various open-source products or information-security policy templates to assist with remediation efforts. Also, it’s always smart to outsource efforts to specialists who can implement various technical updates and develop policies and procedures.
  5. Remediate! Set a time frame for remediation efforts and get to work. Firm up your network, finalize your security documentation, and get ready for the QSA review.
  6. Confirm and test. We’ll talk more about this in the next and last part of this series, but it’s always worthwhile to test all of your in-scope components and ensure that they meet PCI requirements.
  7. Bring in the QSA. You’ve acted on the recommendations from the readiness assessment, so this should be a straightforward exercise that brings you in line with the PCI DSS.
  8. Stay PCI compliant. Going forward, assign roles and responsibilities to maintain compliance; check your systems on a regular basis and schedule ongoing policy and procedure reviews.

What Carson Inc. Can Do For You

It’s critical that your business fulfills its annual PCI reporting requirements; to guarantee your reports are completed on time and correctly, it makes business sense to partner with an industry expert. Carson Inc. has completed the PCI Security Standards Council QSA qualification process and can make recommendations for remediation, conduct various remediation efforts, and connect you with third parties to complete technical updates, to ensure you comply with the PCI DSS. Our trained professionals understand the standards and can help identify and resolve any issues in preparation for your formal review.

Carson Inc. is poised to help your company manage data security risks, evaluate the security of your systems, and ensure total compliance. We’ll prepare the documentation required by the major payment brands and help your organization meet the specific reporting requirements for PCI DSS compliance.

PCI Compliance Series

Part 1: “What is PCI Compliance?”
Part 2: “Scope”
Part 3: “How to Complete Reporting Requirements”
Part 4: “Readiness Assessment”
Next week: PCI Scanning and Penetration Testing