The PCI DSS is a set of 12 high-level requirements and roughly 250 sub-requirements (depending on how you count them) that specify the controls every organization subject to the standard must implement to protect cardholder data. Since first helping to write the PCI DSS’s predecessor (Visa’s CISP) in 2001, I have watched the document grow from 9 pages to 75 pages today.
Many companies struggle to keep up with changes to the PCI DSS, and those who do keep up often struggle with its nuances and cross-references. To appreciate the challenge, take a look at the “Summary of Changes” document on the PCI SSC’s website: that 20-page document records over 220 changes from version 1.2 of the standard to version 2.0 alone!
Staying on track
I have had the opportunity to work with hundreds of companies on PCI DSS assessments, training, and preparation. I have also trained over 10,000 people worldwide on the PCI DSS while serving as a QSA trainer and official PCI trainer for Visa. Experience shows that companies that establish a structured, systematic project plan consistently move through PCI DSS compliance more efficiently and more cost-effectively.
Unfortunately, the PCI DSS provides many opportunities to get off track. Simple mistakes in interpretation or understanding waste time, energy and resources (money), most often when a company pursues controls that the standard does not actually require.
One example that arises with some frequency is encryption. Recently, I listened to a very well respected QSA from another company state with absolute confidence that: “Encryption of cardholder data at rest is required to comply with the PCI DSS.” This is a common misstatement of the requirement. PCI DSS requirement 3.4 does not mandate encryption; it requires that the PAN be rendered unreadable anywhere it is stored, and lists strong cryptography as only one of several acceptable approaches, alongside one-way hashes based on strong cryptography, truncation, and index tokens with securely stored pads. This may seem minor, but it has significant implications for companies pursuing compliance: an organization that can truncate or tokenize stored PANs, or avoid storing them at all, takes encryption and its key-management burden (requirements 3.5 and 3.6) off the table for those systems.
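As an added illustration (example code written for this article, not the author’s or any assessor’s tooling), the following Python shows two of the non-encryption approaches that requirement 3.4 permits, truncation and a one-way hash, applied to a constructed test PAN. It also demonstrates the caveat a practitioner should know before choosing hashing: an unkeyed hash of a PAN is brute-forceable whenever the truncated form is stored beside it, because only the six middle digits are unknown. The HMAC key and the first-six/last-four truncation format are assumptions made for the demo.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample input: a well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"

# Assumed secret for the keyed hash. In production this key would live in an
# HSM/KMS and be managed under PCI DSS 3.5/3.6 like any other cryptographic key.
DEMO_HMAC_KEY = b"demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check-digit test."""
    if not pan.isdigit():
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six (BIN) and last four digits.

    The middle digits are discarded, not merely masked, so the stored value
    is no longer a PAN and there is nothing to decrypt or recover from it.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """One-way hash of the entire PAN using HMAC-SHA256 under a secret key.

    Supports equality matching (is this the same card we saw before?) without
    storing the PAN; without the key an attacker cannot test candidate PANs.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN: the weak form, see recover_pan() below."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(truncated: str, unkeyed_digest: str) -> Optional[str]:
    """Brute-force a PAN from its truncated form plus an UNKEYED hash.

    With the first six and last four digits known, only the six middle digits
    are unknown: 10**6 candidates, about 10**5 after the Luhn filter. An
    unkeyed hash of the same PAN stored alongside its truncation is therefore
    trivially reversible, which is why truncated and hashed forms of the same
    PAN must not coexist unless the hash is keyed (or otherwise strengthened).
    """
    first6, last4 = truncated[:6], truncated[-4:]
    for mid in range(10 ** 6):
        candidate = f"{first6}{mid:06d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == unkeyed_digest:
            return candidate
    return None


if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    print("truncated:", trunc)
    print("keyed hash:", hash_pan_keyed(SAMPLE_PAN, DEMO_HMAC_KEY))
    recovered = recover_pan(trunc, hash_pan_unkeyed(SAMPLE_PAN))
    print("recovered from truncation + unkeyed hash:", recovered)
```

The point for a compliance project is that truncation and keyed hashing each satisfy the “render unreadable” intent on their own, and neither drags in encryption key management; the brute-force routine is there to show why the choice between them still needs a threat model rather than a checkbox.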
Get trained on the standard
For companies pursuing PCI DSS compliance, the best first step is comprehensive training on the standard. A QSA firm that knows the PCI DSS and its implications well enough to provide professional training can guide you through the process.
More importantly, PCI DSS training gets everyone on the same page, ensuring all team members understand the requirements, their intent, and how to implement controls consistent with them. Finally, training lets your company demonstrate ‘buy in’ and commitment from management for the compliance project. Often this is the difference between employees feeling forced to undertake a difficult project and feeling that they are part of an organizational effort to improve security.
When evaluating training vendors, here are a few items to consider:
1. PCI DSS Expertise – Does the trainer possess real world, hands-on PCI DSS experience and expertise?
2. Training Experience – Many people have knowledge of the PCI DSS. Does the person conducting the training have experience delivering highly complex training to large groups? How many people have they trained, and what type of personnel (e.g., management, technical staff)?
3. Card Brand Experience – The PCI DSS is an industry standard, but the card brands (Visa, MasterCard, etc.) enforce compliance, and each has its own operating regulations with which merchants and service providers must comply. Without relevant card brand experience, a trainer will find it difficult to answer some of the harder questions, such as: “Why do we have to comply?”
4. Training Style – Finally, ask to see a sample or demonstration of their training. PCI DSS is a complex and dry topic; a trainer who is dynamic as well as knowledgeable will ensure that the information is retained.