No matter where you are in your PCI compliance journey, you'll need a reference to help organize your thoughts and get headed in the right direction. We hope this article will serve as your “jumping off point” as you start to address the requirements of the PCI DSS.
Before diving into the PCI requirements, start by determining which Self-Assessment Questionnaire (SAQ) applies to your business. While most requirements stay the same, the scope of work you'll need to do differs depending on your SAQ type.
Top takeaway from this post: Keep a handy PCI requirement reference nearby to stay on track with PCI compliance and prevent a data breach. Download our PCI DSS compliance overview here.
Penetration Testing is an important aspect of PCI DSS compliance. Also known as “ethical hacking,” penetration testing is an in-depth process performed by a professional that
Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 requires both an internal and an external penetration test (at least annually and after any significant change to the environment), so most companies regularly receive penetration tests to comply with that requirement. But penetration testing isn't limited to the PCI DSS. Any company can request a penetration test whenever it wants to measure its security posture.
The time it takes to conduct a pen test varies with the size and complexity of a company's network and with the experience of the testers assigned. A small environment can be done in a few days, but a large environment can take several weeks.
Top takeaway from this blog post: Professional penetration testing is not quick and easy, and businesses should avoid those who claim it is.
This post includes a downloadable PDF checklist with tips from SecurityMetrics’ certified Qualified Security Assessors (QSAs) to help your next audit go more smoothly.
Qualified Security Assessors (QSAs) at companies like SecurityMetrics validate a merchant's compliance with the PCI DSS. These QSAs perform assessments (also called audits) on site. Depending on a business's PCI merchant level, it may be required to undergo an audit. For example, level 1 merchants (those processing over 6 million card transactions per year) are required to pass an annual on-site audit by a QSA.
No matter the type of business, whether a retail or service provider environment, similar problems materialize before or during an audit that ultimately slow audit progress. Aside from being experts on PCI DSS requirements, on-site PCI DSS auditors are trained to quickly spot the security problems in an environment.
Top takeaway from this blog post: If you plan and prepare for your audit all year, the audit itself will not be a horrible event.
An incident response plan is a documented, written plan with 6 distinct phases (preparation, identification, containment, eradication, recovery, and lessons learned) that helps IT professionals and staff recognize and deal with a cybersecurity incident like a data breach or cyber attack. Having and following a proper incident response plan can mean the difference between a business going under and staying afloat.
Recent cyberattacks, such as the ransomware infection experienced by the State of Louisiana in 2019, show that an organization can avoid disaster when they have a working incident response plan ready. Louisiana did not lose any data or pay any ransom money to hackers.
Properly creating and managing an incident response plan involves regular updates and training. This post will walk you through what you need to do and when.
Top takeaway from this blog post: A proper incident response plan is a make-or-break part of your cybersecurity arsenal.
Close security gaps and simplify PCI DSS compliance in 2020
SecurityMetrics' mission is to help companies close the gaps in data security and compliance in order to prevent breaches. However, data breaches do happen, so we encourage companies to take steps that will lower their potential data breach cost.
With these blogs, resources, and others like them, you can prepare your organization’s data security and PCI DSS compliance for 2020. A focus on policies, procedures, documentation, and data mapping will go a long way towards preparing your organization to protect payment card data before, during, and after cyberattacks.