- Start identifying all the systems that touch cardholder data, because all of these systems will be in scope for your eventual PCI DSS compliance validation. The Payment Card Industry Data Security Standard (PCI DSS) is focused on how you treat "cardholder data", such as account numbers. A big part of any PCI assessment is determining where cardholder data is processed, transmitted, or stored. You may be surprised to find out the number of systems retaining cardholder data, including data warehouses, staging servers, middleware, backup systems, etc.
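One practical way to support the scoping exercise above is a cardholder-data discovery scan: sweep exports, logs and other text from each candidate system for strings shaped like primary account numbers (PANs), keep only those that pass the Luhn check to cut false positives, and report hits with the number masked so the scan results do not themselves become a new store of cardholder data. The script below is an added example, not part of the original checklist or any PCI SSC tool; the source names and their contents are constructed sample data.

```python
"""Added example: a minimal PAN discovery scanner for PCI DSS scoping.

Finds runs of 13-19 digits (optionally separated by single spaces or dashes),
keeps those that pass the Luhn check, and reports each hit as (offset, masked PAN).
All sample inputs below are constructed; the card numbers are well-known test
numbers, not real accounts.
"""
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, each (except the last) optionally followed by a
# single space or dash. Look-arounds stop us matching a 13-19 digit slice of a
# longer digit run (e.g. a 20-digit reference number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits (PCI DSS allows at most first 6 / last 4)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of source name -> text; return only the sources with hits.

    Every source that appears in the result is a candidate for PCI DSS scope.
    """
    result = {}
    for name, text in sources.items():
        hits = find_pans(text)
        if hits:
            result[name] = hits
    return result


# Constructed sample data standing in for exports pulled from candidate systems.
# 4111111111111111 and 378282246310005 are public test numbers; 4111111111111112
# fails Luhn and 1234567890123 is an order reference that happens to be 13 digits.
SAMPLE_SOURCES = {
    "app-db/orders.csv": "order,pan\n1001,4111111111111111\n1002,4111111111111112\n",
    "warehouse/export.log": "customer 378282246310005 settled; ref 1234567890123",
    "staging/notes.txt": "nothing to see here, ticket 20210915",
}

if __name__ == "__main__":
    for source, hits in scan_sources(SAMPLE_SOURCES).items():
        print(f"{source}: {len(hits)} PAN(s) found")
        for offset, masked in hits:
            print(f"  offset {offset}: {masked}")
```

In a real sweep the sources would be file trees, database dumps and backup images from each system on the candidate list, and the masked report would feed the scope inventory; anything the scanner flags on a system you expected to be out of scope is exactly the surprise the checklist warns about.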
- Your IT team needs to be familiar with the PCI Data Security Standard. Make sure you are using the latest version; you can find it at https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm. Note: Version 1.1, released in September 2006, included updates that made the standard much easier to understand.
- Contact your software and hardware vendors. Find out if the versions of their products that you are using have passed PCI DSS compliance validation. There is a list of validated payment applications on the Visa web site.
- Contact your card processing and network service providers. If you are using third-party managed services, then the same question should be asked of them: has your service passed PCI DSS compliance validation? The Visa web site also has a current list of PCI compliant service providers.
- If your company operates its own network, then your network team needs to start reviewing the PCI Data Security Standard. Many of the 12 key requirements are directly related to network components. Several are common sense; for example, do not use vendor default passwords.
- Get your testing team involved. Their test procedures will be checked as part of a PCI DSS compliance validation.
- Take advantage of whatever security measures you already have in place. Much of the PCI Data Security Standard is based on good system management practices. If your current data security standards are in good shape, you may be able to meet some of the PCI requirements by just updating your existing policies.
- Once your team is familiar with the PCI requirements, conduct a candid internal assessment. Decide where you think you stand relative to each of these requirements. Begin making the obvious changes right away.
- Consider hiring a consultant very familiar with the whole PCI assessment and validation process.