You have spent the last 18 months preparing for PCI DSS compliance, and now the deadline is here. There is no avoiding that a certain amount of upheaval is necessary when transforming from non-compliant to fully compliant, especially when the process turns out to be more complicated than you ever imagined. PCI DSS compliance is not a sprint; it is a marathon, and there is a wealth of knowledge available to help you reach the end. This article from CompTIA covers everything you need to know to fulfill your compliance obligations as successfully as possible.
Get Certified
One of the biggest surprises when becoming PCI DSS compliant is learning that, to achieve full compliance, you need to become certified. PCI DSS certification is a combination of knowledge and skills tests which examine your organization’s ability to properly design and implement a PCI DSS compliant environment. There is an initial application fee of $400 plus a one-time $300 test fee. If you are lucky enough to pass the test, you will be awarded a Certificate of Compliance that may be displayed at the foot of your website along with the globally recognized and trusted seal of PCI Compliance.
Certification is only the first step, and in a lot of cases it is not even that. Many organizations will tell you that they will give you credit towards your PCI DSS compliance once you become certified; however, this is not necessarily the case. To receive that credit you will need to prove that you are using the knowledge and skills you learned throughout the certification process. Proving that you are using the knowledge and skills you gained is called ‘rolling back the badge’, and proving that you have changed your behavior is called ‘walking the walk’.
Why Are We Walking The Walk?
A big question for any organization which has just jumped into the world of PCI DSS compliance is: ‘Why are we walking the walk?’ While there is no perfect answer to this question, it is fair to say that the vast majority of organizations which have answered it with a resounding ‘yes’ are still not where they want to be when it comes to becoming fully compliant.
The reason for this is quite simple: it takes money to change the way you do things. If your budget allows you to hire extra people to help you get where you need to be, then by all means do so. But the reality is that most organizations cannot simply will themselves into compliance, especially when you look at the monumental task that PCI DSS compliance represents from a non-compliant starting point. So until they can prove that they have changed their ways and are acting in a manner consistent with what they know to be correct, they will remain non-compliant.
Ultimately, this is a process which will require a lot of time and energy to fully participate in, and then to prove to the financial institution which holds your card that you are indeed practicing what you have learned. So keep that in mind when planning your certification journey. It is certainly a worthy endeavor deserving of all your attention and effort, and we are more than happy to help you get there.
Do The Research
One of the things which may surprise you when first learning about PCI DSS compliance is just how much it actually entails. PCI DSS compliance is a massive undertaking, and even those who have been through it before warn that it is a lifeline you will not be able to let go of once the red flags appear. This is why it is important to do your research before committing yourself to the process.
If you have decided that PCI DSS compliance is a viable option for your organization, then the first step is to sit down with a professional and have them walk you through the entire process. It is also important during this step to understand what you are getting into and what the expected timeframe is. Doing the research before committing makes it easier to understand what you are signing up for and what to expect. Just remember that every organization and person is different; what may be easy for you and your team may not be easy or even possible for someone else.
Make It A Team Effort
Once you have decided to dedicate yourself and your team to the process of becoming PCI DSS compliant, it is quite obvious that more than one person and more than one area of expertise are needed to make it happen. And even then, there is always more to learn. To successfully transform your business and take the necessary steps to become fully compliant, you will need someone on hand to advise and assist you through the entire process. This is why it is important to make it a team effort by involving others who can bring valuable knowledge and skill sets to the table. The more eyes on the problem, the better the chances of getting it solved.
Don’t Forget The Little Things
No one is an expert in every area, which is why it is important to keep in mind that PCI DSS compliance is a lot more than just installing a certificate and applying for certification. Once you have made it this far and achieved full compliance, you will be amazed at how much easier it is to operate in a manner consistent with all the newly acquired knowledge and skills. Little things like changing swipe-based payment options to chip-based ones, replacing unencrypted data with encrypted data, and taking proper care of your customers’ financial information are all steps which will ensure that you stay in good standing as a business and are able to continue operating as usual. These are all small things which make a difference when dealing with PCI compliance. The more you do in advance, the less stressed you will be at the last moment when faced with a situation you must handle and respond to properly. So take these little things into consideration and you will be better off in the long run.
The last thing you need is to be stressed out about a situation for which you are not prepared. Make sure that you practice and prepare for the testing which is necessary for certification. Only then can you prove to the financial institution which holds your credit card that you are indeed acting in a manner consistent with what is required of you as a business.