Is PCI DSS compliance mandatory? Who needs to be PCI compliant? What does it take to be compliant?
If you store, process, and/or transmit cardholder data, you are subject to and must comply with PCI DSS. While the PCI Security Standards Council is responsible for managing the data security standard, each payment card brand maintains its own separate compliance enforcement program. Each payment card brand has defined specific requirements for compliance validation and reporting. These requirements specify the provisions for performing self-assessments and when to engage an external auditor (a Qualified Security Assessor, QSA). Here is the introductory part of PCI DSS.
Must read: 10 Key Compliance Factors of PCI DSS
The processes for validating compliance and reporting depend on your organization’s classification or risk level. The level of risk is determined by the individual payment card brands.
Here are the 5 processes for validating PCI compliance:
- Scoping – This process determines which system components are governed by, or in scope for, PCI DSS. A logical network diagram that shows the cardholder data flow helps in determining the scope of your environment.
- Assessing – This process inspects the compliance of the in-scope system components. Depending on the level at which you are being assessed, this process takes the longest time.
- Compensating Controls – What kind of business or technical hardship does a given requirement present? If the required controls are not in place, what alternative control technologies or processes are currently in place?
- Reporting – Submitting the required report/documentation to the acquiring bank or the card brands for review and approval.
- Clarifications – If there are issues with the report that need clarification, this process involves submitting clarifications upon the request of the acquiring bank or card brand.
Suggested reading: Top 10 Questions to PCI Compliance
We hope you find this article informative. Please share it with your friends, colleagues, and on all your favorite social sites. Let us know what interests you, and we will write it. Don’t forget to leave a comment.