PCI POLICIES & PROCEDURES
A large part of PCI DSS is based on having strong policies and procedures. In many instances, organisations already have working practices that fit with PCI DSS; however, these processes are frequently organic and not shared across the organisation at large.
To become PCI DSS compliant and reduce the risk of card fraud, organisations need to document the working processes, document the security technology and document the card data flows that exist within the environment.
Once many of these elements are documented they need to be communicated to the organisation at large. Through strong documentation and improved staff awareness, organisations will be able to reduce their risk and maintain a posture that is more consistent with the PCI DSS.
What Policies And Procedures Are Needed To Comply With PCI DSS?
The simple answer is that it depends on how you process card payments, and which PCI DSS requirements are applicable. A common approach to implementing the various policies and procedures mandated by PCI DSS is to buy a ‘PCI in a box’ solution, a series of highly templated policies into which you simply enter your organisation’s name.
The problem with this approach is that it never works, and you’ll quickly realise that the templated policy doesn’t align with how you actually work. Worse still, templated policies usually contain a lot of requirements and rules that simply won’t apply to your organisation – and we frequently work with organisations who have taken this approach and implemented unnecessary and unhelpful working practices as a result.
We Do Things Differently
One size really does not fit all, and our team can work with you to create a set of policies that both meet the requirements of PCI DSS and are practical and tailored to your organisation. LRQA Nettitude has extensive experience in helping our clients create and implement policies, standards, and procedures.
Our approach is to work with you to understand your organisation and produce documents that are bespoke and not only support compliance, but actually improve your overall security posture. Implementing effective policies and processes to support PCI DSS compliance doesn’t have to be complicated, and if approached correctly, can have benefits way beyond PCI DSS compliance.
Our practical approach is based not only on a deep understanding of PCI DSS but also on wider information security experience. This means we can work with you to:
- Create policies that are tailored to support your organisation, and not just there to tick boxes
- Design and document processes that reflect the reality of how you work
Get in touch today to discuss how LRQA Nettitude can help you remove unnecessary complexity from your PCI DSS policies and procedures.
Frequently Asked Questions About PCI DSS Policies and Testing Procedures
What qualifications are required to carry out PCI DSS testing?
Security companies like LRQA Nettitude need to be certified by the PCI Security Standards Council (PCI SSC), an international organisation that enforces data security standards to ensure payments are made safely. To perform PCI DSS assessments and provide Reports on Compliance (RoC), security companies need to be recognised as PCI DSS Qualified Security Assessors (QSA). To become a PCI DSS QSA, candidates need to meet all the requirements, such as attending training courses, obtaining qualifications and successfully completing assessment simulations.
What is LRQA Nettitude’s PCI DSS testing procedure?
PCI DSS compliance requires that over 300 requirements be met. LRQA Nettitude ensures companies comply with these to meet PCI DSS. Our PCI DSS testing procedure involves three distinct phases: PCI gap assessment, PCI card discovery services and specific PCI services.
In a PCI gap analysis, a merchant’s policies and processes are assessed and compared against the PCI DSS standard. A report detailing how the gaps can be bridged is then provided and a project plan developed. PCI card discovery services identify all areas within an IT system that store card data, and LRQA Nettitude then recommends methods to manage them. Specific PCI services provide focused consultancy to companies that have already completed a gap analysis.
What happens if companies don’t comply with PCI DSS?
Failing to comply with PCI DSS could mean serious consequences for merchants. You will not be able to process payments, you might face fines from the bank and, in the event of a breach, penalties under GDPR and the DPA, and your credibility will be tarnished. With LRQA Nettitude’s risk assessments, you can ensure your company complies with PCI DSS and avoid these issues. Keep your cyber environment safe from threats, and give your customers peace of mind when they do business with you.