The Path to PCI Compliance – Part 5: Summary - National Information Solutions Cooperative (NISC)


This is the last in our series on the Path to PCI compliance. First, if you’ve made it this far…thank you! If you haven’t read the previous blogs, you can start with the first one here. Taken all together, it is sometimes hard to see the forest for the trees, and the path to PCI compliance becomes overgrown and overwhelming. Let’s review exactly what steps you need to take in order to successfully navigate PCI compliance with NISC card payment solutions. At the risk of oversimplifying, here is a quick breakdown of the steps.

  • First, we discussed that PCI-DSS is the shorthand for Payment Card Industry Data Security Standard, which is a set of standard security practices put in place to ensure that the acceptance of credit card payments, along with the processing, storage and transmission of credit card data, is done in a secure manner.
  • Second, we discussed the 12 PCI requirements that help you control the size and scope of your cardholder data environment or CDE.
  • Third, we discussed the Self-Assessment Questionnaire, or SAQ. The SAQ is a questionnaire for you to fill out based on your own assessment of how well you are abiding by the 12 PCI-DSS requirements. Your answers to the SAQ become your Attestation of Compliance, or AOC.
  • Finally, keep on keeping on. Do not submit your SAQ and think you are finished for the next 365 days. Many of the requirements fall under what the PCI Security Standards Council has called “business as usual” and sometimes require daily attention.

PCI compliance is complicated, if only because many of the requirements necessitate a change in how we do business, not to mention a certain skill required to understand many of the terms and concepts. Then again, many of these requirements should already be a priority in our business – like changing the default password on a new device or verifying daily that no card skimmers have been added to the Verifone terminal. A major step is having a policy in place to educate employees on your organization’s security practices. It is difficult to ask every single employee to understand and fully appreciate each and every requirement, but if we can provide a baseline understanding in terms that everyone understands, we have come a long way.

Thank you for your time. If you have additional questions feel free to reach out to us at Cybersecurity@nisc.coop.