Are all PCI DSS requirements mandatory or can I leave some out as "nice to have"?
The 12 PCI DSS requirements are mandatory. However, depending on which methods are used to process payments (e.g. telephone, face to face or on the internet) and whether the payment is processed by a third party, the merchant may be able to exclude certain sections; this is determined by the type of Self Assessment Questionnaire (SAQ) being completed.
In order to determine which type of SAQ should be completed, an initial evaluation of the merchant's payment processing should be undertaken. It is essential for the merchant to understand where and how card payments are processed, stored and transmitted. Barclaycard recommends that merchants confirm the SAQ type applicable to them with a Qualified Security Assessor (QSA).
If a merchant requires some help in prioritising their compliance work, Barclaycard have the following top tips to help with this:
1. Do not treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training).
3. Understand how card payments are currently processed (people, process and technology).
4. If you don't need cardholder information, don't have it...
5. Embed an Information Security culture within your organisation early.
6. There are many quick wins to be had by reviewing and changing business processes and historical practices, many of which require little investment.
7. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant: the gap analysis and cardholder data flow mapping are the most important steps.
8. Reduce the scope of the cardholder data environment (the smaller, the easier).
9. Address vulnerabilities in the Card Not Present environment first (e-commerce and Mail Order/ Telephone Order).
10. Outsource to compliant third parties where possible... (Barclaycard's e-PDQ has been compliant since 2007...). Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker.
11. And if not possible, tie down third parties (contractually).
12. Assess the suitability of, and implement, risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.); these will also help reduce risk.
13. If Compensating Controls are required, ensure that all parties (merchant, QSA, acquirer) are engaged to agree the controls before implementation.
14. Work in partnership with your acquirer and your Qualified Security Assessor (QSA).