March 26, 2010

Undergoing a PCI Assessment – How to Prepare

Undergoing a PCI assessment can be a painful process. By taking steps to ensure your
organization is properly prepared, you can minimize the level of effort necessary
to complete your assessment.

Reviewing the PCI DSS

The first step in preparing for a PCI assessment is becoming familiar with the PCI
Data Security Standard. The most recent version of the standard is freely available

Reading through the PCI Data Security Standard can be challenging. There may be areas
where clarification will be needed. It is crucial that you establish an open line
of communication with your PCI Assessor. They will be able to clarify how or if certain
requirements will apply to your environment. Additionally, while the PCI DSS itself
is released on a biennial basis, there are frequently updated FAQ’s and interpretation
of requirements that your PCI Assessor will be able to guide you through.

It is important to understand that while changing interpretations of requirements
may seem to be creating an unreachable “moving target,” they are necessary. Changes
in interpretations often occur as a direct result of trends seen in credit card compromise
forensic investigations. Quickly releasing an entirely new standard would be infeasible.
However adjusting interpretations of requirements, or releasing an updated FAQ to
address a newly found risk to cardholder data security, provides a way to more swiftly
adjust the industry to address the new found security risk.

Identifying cardholder data flow

The next step in preparing to undergo a PCI DSS Assessment is to identify your flow
of cardholder data. In some environments, particularly with PCI Service Providers,
your cardholder environment may be contained in a colocation facility. However in
many merchant environments, the flow of cardholder data may be very complex.

In trying to identify your cardholder data flow, it is important to engage individuals
from varying business units. There are frequently times where cardholder data may
be flowing to an individual outside of the business units typically interacting with
cardholder data. These individuals may be running reports, or performing data analysis
that other users may not be aware of. It is important as you identify the flow of
cardholder data to begin thinking of how to create “boundaries” around this flow.
This may entail engaging your IT staff, but the more compartmentalized your cardholder
environment is, the more you will be able to reduce the systems you will have in “scope”
to be assessed.

The process is typically not a quick one. But the more time spent clearly identifying
where your cardholder data flows, the better you will be able to explain it to your
PCI Assessor, and the smoother your PCI Assessment will progress.


The PCI DSS requires a significant amount of documentation be in place for compliance.
While your organization most likely already has existing policies and procedures,
unless they were specifically developed with the PCI DSS in mind, they most likely
will need to be adjusted. Frequently there are areas where an existing PCI compliant
procedure is in place, however there is no supporting policy governing the procedure.

Where possible, reviewing this documentation with your PCI Assessor prior to the onsite
visit, will streamline your overall PCI Assessment process.

Utilize your PCI Assessor

Your PCI Assessor is an invaluable resource when approaching your PCI Assessment.
Leverage their knowledge and experience when trying to determine the best course of
action to meet a particular requirement.

Establishing a good line of communication with your PCI Assessor is critical. They
will ultimately be the person who interprets your compliance with each requirement.
Understanding what they feel is necessary to meet each requirement will greatly benefit
everyone involved. By setting proper expectations, you can ensure that all parties
are on the same page. This will allow for fewer surprises as the PCI Assessment proceeds.

By taking the proper steps in preparation, undergoing a PCI Assessment can be streamlined
to ensure the most effective use of resources and effort. When the dust settles, even
though it was a long road, your organization will be more secure and be able to continue
to protect the cardholder data that it has been entrusted with.