The new PCI DSS version 3.2 arrived in February, changing the way that compliance is assessed with one crucial new addition – businesses are now required to provide evidence of continuous compliance all year round.
We know from experience that many businesses have in the past taken a "denial and panic" approach to PCI DSS, leaving compliance to the very last minute and implementing temporary fixes purely for the sake of the annual assessment. But those days are over. With this change to PCI DSS assessment and the introduction of GDPR in May, businesses are being forced to prioritise the security of their customer data and to put greater emphasis on maintaining policies and procedures on an ongoing basis. So is better planning and organisation the key to tackling your PCI DSS compliance? We think so, and here is how.
Get to know the specific PCI DSS requirements for your business
The PCI DSS requirements that apply to you vary depending on your business's volume of transactions and how it handles cardholder data. Getting to know what is required for the compliance level appropriate to your business will enable you to develop and implement a system for capturing the right information, and will stop you from wasting time implementing measures that aren't relevant.
Do you qualify for self-assessment? If so, take a look at the relevant self-assessment questionnaire (SAQ) – there are nine varieties, so you will need to work out which one applies to you – and identify what you need in order to complete it, so that you can introduce systems now, well in advance of the deadline. You can find out more about self-assessment on the PCI Security Standards Council website.
Allot sufficient time and budget for PCI DSS
PCI DSS compliance can be time-consuming, especially when you're starting from scratch and getting procedures off the ground. But that isn't a reason to put it off. To achieve compliance, businesses need to get into the habit of allocating adequate time to making sure that they are adhering to the guidelines consistently, and not just for the purpose of assessment.
Create a schedule of regular PCI DSS check-ups to ensure that procedures are being adhered to, and stick to it. For example, this could include frequent spot checks for clean desks, checks that system firewall updates have been applied, and checks that new employees are being informed of your data protection policies so they know what to do if they spot system failures or suspicious activity.
Don't waste time worrying about the fallout of not being PCI DSS compliant. Channel those efforts into more effective planning for achieving compliance, and make sure you have finances available to invest in new systems that help you with the process. In the long run, you'll have more time to focus on your core business: delivering a great service to your customers.
There are ways to make it easier. At PCI Telecom, we deliver bespoke card payment solutions with PCI DSS Level 1 accreditation for payments made over the phone and online. Outsourcing your card payment processing offsite to us de-scopes your business from its PCI compliance obligations, so it's us that do the planning and regular checks, not you. Contact us for more information.