PCI-DSS is one of our favorite information security standards on offer. Not only is it one of the more mature information security standards out there; it keeps evolving, it is community driven, and it is free for anyone to follow.
We love the way it is structured: the PCI-SSC has built it around defence in depth, which helps implement security across all the verticals of an organisation. You could simply use the standard to bootstrap a well-thought-out information security program in your organisation, even if you do not store, process or transmit cardholder data.
PCI-DSS Scope Formulation
Identification of all the system components that store, process or transmit cardholder data needs to be done well before you even read requirement one of PCI-DSS. Systems that do not handle cardholder data themselves but are connected to those that do (directory servers, logging, monitoring, jump hosts) are pulled into scope as well.
The PCI-DSS standard itself recommends network segmentation to isolate the system components that handle cardholder data from those that do not. Segmentation is not a PCI-DSS requirement, but without it the whole flat network is in scope, so it is the single most effective way to shrink the assessment.
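The scoping and segmentation logic described above, worked through as an added example (this is illustrative code written for this page, not a PCI-SSC tool or anything from the original post). It assumes a constructed inventory of system components, each tagged with whether it stores, processes or transmits cardholder data and which network segment it sits in, plus a list of segment pairs between which traffic is permitted (i.e. no firewall or ACL isolates them). Components that handle cardholder data form the CDE; any segment with a permitted path to a CDE segment is treated as "connected-to" and in scope (a deliberately conservative, transitive reading); only segments behind an isolating boundary stay out of scope. The component and segment names are made up.

```python
"""Added example: a small model of PCI-DSS scope determination.

Constructed inventory and flow list; nothing here comes from a real network.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    segment: str
    stores_chd: bool = False
    processes_chd: bool = False
    transmits_chd: bool = False

    def handles_chd(self) -> bool:
        """True if this component is part of the cardholder data environment."""
        return self.stores_chd or self.processes_chd or self.transmits_chd


def build_adjacency(allowed_flows):
    """Undirected segment graph: an edge exists wherever traffic is permitted."""
    adj = {}
    for a, b in allowed_flows:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_segments(start_segments, adj):
    """Breadth-first search over permitted flows from the CDE segments."""
    seen = set(start_segments)
    queue = deque(start_segments)
    while queue:
        seg = queue.popleft()
        for nxt in adj.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def determine_scope(components, allowed_flows):
    """Classify every component as CDE, connected-to (in scope) or out of scope."""
    adj = build_adjacency(allowed_flows)
    cde_segments = {c.segment for c in components if c.handles_chd()}
    in_scope_segments = reachable_segments(cde_segments, adj)
    result = {"cde": [], "connected": [], "out_of_scope": []}
    for c in components:
        if c.handles_chd():
            result["cde"].append(c.name)
        elif c.segment in in_scope_segments:
            result["connected"].append(c.name)
        else:
            result["out_of_scope"].append(c.name)
    return result


def scope_expanding_flows(components, allowed_flows):
    """Flows with exactly one end in a CDE segment: each one drags a non-CDE
    segment into scope, so these are the rules to review when reducing scope."""
    cde_segments = {c.segment for c in components if c.handles_chd()}
    return [(a, b) for a, b in allowed_flows
            if (a in cde_segments) != (b in cde_segments)]


# Constructed sample inventory (hypothetical names).
SAMPLE_COMPONENTS = [
    Component("pos-terminal", "cde-pos", transmits_chd=True),
    Component("payment-gw", "cde-app", processes_chd=True),
    Component("card-db", "cde-db", stores_chd=True),
    Component("ad-dc", "corp-infra"),       # authenticates CDE admins
    Component("syslog", "mgmt"),            # receives CDE logs
    Component("hr-portal", "corp-office"),  # isolated from the CDE
    Component("web-proxy", "internet-proxy"),
]

# Constructed firewall policy: which segment pairs may talk to each other.
SAMPLE_FLOWS = [
    ("cde-pos", "cde-app"),
    ("cde-app", "cde-db"),
    ("corp-infra", "cde-app"),
    ("cde-app", "mgmt"),
    ("corp-office", "internet-proxy"),
]


if __name__ == "__main__":
    scope = determine_scope(SAMPLE_COMPONENTS, SAMPLE_FLOWS)
    for bucket, names in scope.items():
        print(f"{bucket:13s}: {', '.join(names)}")
    print("flows expanding scope:", scope_expanding_flows(SAMPLE_COMPONENTS, SAMPLE_FLOWS))
```

With the sample data, the three CHD systems are the CDE, the domain controller and log collector become connected-to systems (and must meet the requirements too), and the office and proxy segments fall out of scope only because no permitted flow reaches them. The two flows the last function reports are exactly the ones a QSA will want to see justified and restricted.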
With the scope defined, reading the PCI-DSS requirements will start making more sense. Perform a gap assessment that compares the state of the information security controls present in the organisation against the PCI-DSS standard, and list every point that still needs to be brought into line with it.
The remediation phase covers the implementation of every PCI-DSS requirement. Did you know that PCI-DSS compliance requires 100% adherence to the requirements (or a documented compensating control where a requirement cannot be met as written)? It is fortunate that they are written as requirements, which makes them very clear to interpret.
PCI-DSS certification requires the Qualified Security Assessor (QSA) to collect all the evidence, prepare a report explaining adherence to every requirement in the PCI-DSS standard, and validate it through observation of processes and configurations and through interviews. Phew. Oh, and yes, it is a yearly recertification assessment.