Braintree Payment Solutions
About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


A Do It Yourself Guide for PCI DSS Compliance

Posted on 4 March, 2008 under PCI DSS Compliance by Bryan Johnson

Security consultant Joel Dubin, CISSP, has written a helpful article for merchants that are seeking to become PCI DSS compliant without engaging outside consultants. Here is an excerpt (and the entire article):

Any company that accepts credit cards for its business is subject to the Payment Card Industry Data Security Standard (PCI DSS). As it is with other regulations, such as the Sarbanes-Oxley Act, the biggest component of being compliant is proving you’re compliant.

While it’s unlikely a credit card company would make the effort to catch a midmarket company in the act, it can cut a business off at the knees for noncompliance. A business can be fined, or worse — cut off completely from being able to process credit cards.

Better to have and not need, than to need and not have. A PCI audit is something you can do without hiring an outside consultant. Your secret weapon: documentation.

Auditors have a mystical attachment to paperwork, and if it isn’t in writing in front of them, they won’t see it. The only way to prove to an auditor that your company is compliant with PCI is to document every control required by the standard. In the eyes of the auditor, if a control isn’t documented, it isn’t compliant.

First, appoint someone to be the contact person for PCI auditors. This isn’t a full-time job and doesn’t necessarily even have to be someone from the IT department. The important thing is that this person has a sufficient background in IT and understands the technical terminology in the standard.

Next, go to the PCI Security Standards Council website and download three documents: the standard requirements, the self-assessment questionnaire and the security audit procedures.
