Lecture_245 (pdf)

School: University of Toronto
Course: 568
Subject: Information Systems
Date: Dec 6, 2023
Type: pdf
Pages: 2
Uploaded by ColonelOysterMaster630

225 DOI: 10.1201/9781003100300-15

Chapter 15: Managing a PCI DSS Project to Achieve Compliance

Information in this chapter:
• Justifying a Business Case for Compliance
• Bringing the Key Players to the Table
• Budgeting Time and Resources
• Educating Staff
• Project Quickstart Guide
• The PCI DSS Prioritized Approach
• The Visa TIP
• Summary

You have determined that your organization needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) and, looking at the requirements, you are not sure where to start. Should you jump in and go through the 12 PCI DSS requirements and relevant Appendices linearly one at a time, documenting all of your requirements as in place? Or should you first figure out at what level you need to validate your compliance? How will you make sure that your fellow associates are on board with the changes you are proposing so that you can effectively and efficiently comply with PCI DSS? Is senior management behind you? How about the IT department that will actually be doing most of the work? How will you make the compliance effort come together? After putting the plan together, how will you ensure that your fellow associates have the training and information in front of them to help keep your company from falling out of compliance?

Putting together a comprehensive plan will allow you to manage your compliance project efficiently and, in the end, achieve and maintain PCI DSS compliance as well as efficiently validate it. This chapter will answer your questions about how to achieve compliance. You will learn how to justify putting in the effort and figure out if you need to comply at all. Once you know you must comply with PCI DSS, we will explore how you will bring all the players to the table to help build and enforce the compliance plan. You will read about tips on how to budget your time and resources so that you can achieve compliance quickly.

Once you have your plan in place, you will need to get the message out to your staff and ensure they receive the right training to make sure your organization does not fall out of compliance. By the end of this chapter, you should have a clear plan on where to start with your own PCI DSS compliance efforts and the steps you will need to plan a program to meet compliance.

JUSTIFYING A BUSINESS CASE FOR COMPLIANCE

One of the first steps of any compliance plan is to justify putting in the effort. You must first figure out if you need to comply with the PCI DSS regulation and also figure out if you have overlap from other compliance plans already in place. Once you know compliance is a must, you need to figure out at what level you need to validate (although this should not impact the actions you take when securing cardholder data). PCI DSS compliance validation applies differently depending on the volume of transactions you process and the medium by which you accept payments. Because compliance with the PCI DSS is mandatory, you could be hit with fines or higher processing fees today depending on your merchant level.[1] Another form of motivation should come from the fear of living through a breach. Fear, uncertainty, and doubt (FUD) have no place here, but let’s not dismiss the motivational power of fear. If you have never had the opportunity to manage through a major breach, ask around in your industry. There are plenty of individuals that can help you frame your message properly such that you can make a positive impact and get the funding and support from the top that you need.

Figuring Out If You Need to Comply

Your first step with any compliance effort should be figuring out if you need to comply with a regulation. Regardless of the state of the economy, no company wants to waste time putting in measures that they are not required to have. Once you have figured out if you need to comply and what your validation requirements are, you will be in a good position to make your case to management.

NOTE: If you know you have card data in your environment, the next step is determining if you are a merchant or a service provider. Many merchants offer ancillary services to franchisees or even to other local companies to defray the costs of running their payment processing network. By doing this, many merchants end up being service providers and have slightly different reporting requirements for each payment brand. If you are accepting payments from any third party (like a franchisee) for processing, you are most likely a service provider. Consult with your acquiring bank or a Qualified Security Assessor (QSA) to clarify this before you go too far down your compliance project path!

Compliance Overlap

Once you determine that you have to comply, you need to look at the other compliance plans you have in place (if any). One sure way to fast-track your PCI DSS compliance program is to leverage investments made for other compliance or security initiatives. Compliance and information security initiatives often overlap (as shown in Figure 15.1) because most of the regulations are based on good

FIGURE 15.1 Compliance overlap Venn diagram.