Director of Data Security Standards Lauren Holloway discusses a roadmap organizations can use to make steady progress towards data security and PCI DSS compliance.
Navigating your Path to Payment Security with the Prioritized Approach to PCI DSS
When first considering the Payment Card Industry Data Security Standard (PCI DSS), a survey of the 12 requirements, sub-requirements, testing procedures, guidance, FAQs, and supporting documents can be overwhelming. That’s precisely why the PCI SSC developed the PCI DSS Prioritized Approach, a tool to help businesses make steady progress towards strong data security and PCI DSS compliance, while addressing the highest-risk areas first.
The Prioritized Approach is all about one goal: securing cardholder data that is stored, processed and/or transmitted by your company. Because it’s easy to get lost in the technical weeds, the Prioritized Approach keeps you focused on this goal with six clear milestones that provide a “roadmap” to help you identify and address the highest risks to payment card data in priority order. As you follow the roadmap, you will be able to lower your risk of payment data breaches sooner.
Following the roadmap does not address everything in the PCI DSS all at once. Think of it as a pragmatic way to get “quick wins” and achieve visible progress in securing payment data.
The Prioritized Approach also helps your company demonstrate to your acquirer (merchant bank) that you are systematically lowering risk and pursuing security and compliance. It promotes objective and measurable progress indicators, and supports financial and operational planning.
The following six milestones are the essence of the Prioritized Approach:
1. Remove sensitive authentication data and limit data retention
2. Protect systems and networks, and be prepared to respond to a system breach
3. Secure payment card applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts, and ensure all controls are in place
Please keep in mind that the Prioritized Approach is not intended as a substitute, shortcut or stop-gap approach to PCI DSS compliance, nor as a one-size-fits-all framework that applies to every organization.
The Prioritized Approach is a way to get you started on the path to stronger payment security. In this series of blog posts, we will take a look at each milestone, the controls it includes and how they can help reduce risk. The milestones in the Prioritized Approach will help you achieve stronger payment security step by step and protect your customers’ payment data.