866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

5 Steps to Prepare for a PCI DSS Assessment Blog Feature
PHIL DORCZUK

By: PHIL DORCZUK

Print/Save as PDF

5 Steps to Prepare for a PCI DSS Assessment

Payment Card Assessments

If you hadn’t heard, NASA’s Artemis Program—the first endeavor to go back to the moon in 50 years—has stalled a bit. Though the new rocket—known as the Space Launch System—has been in the works for years, even now that it’s out on the pad and seemingly ready, the agency is taking its time to launch. That’s because NASA knows how high the stakes are—there are billions of dollars invested and their reputation as space explorers of the future is on the line.

You can never be too prepared for something so critical, and the same is true for your upcoming PCI DSS assessment. You might not be launching a rocket, but the prep for this compliance assessment is still a major task for any organization, no matter its size.

That’s because something just as delicate as a billion-dollar rocket hangs in the balance—personal information. If your organization stores, processes, or transmits credit card transactions, you’re required to comply with PCI DSS. The standard includes approximately 300 specific requirements (with even a few more in the new v4.0 release) —that specify the necessary framework for a secure payment environment.

To ensure you’re compliant, a PCI QSA must evaluate the details of your environment on a regular basis. But how do you prepare for something like that, especially if it’s your first time through this? Where to start?

As a PCI QSA that has performed hundreds of these assessments over many years now, we’re now going to provide 5 steps that will help any organization find its footing in PCI DSS preparation.

How to Prepare for Your PCI DSS Assessment

 

In using these 5 steps, you’ll simplify the necessary work ahead of your assessment and maximize the effort of relevant resources.

1. Complete a Risk Assessment.

Because the intention of PCI DSS is to reduce the risk of credit card breaches, it makes sense to start here by analyzing your risk. Every organization, regardless of if they’re in the payment security business or not, should understand how effectively manage its own risk—but for those of you processing transactions, it’s a must to complete detailed risk analysis on your environment.

Not only that, but the new version of PCI DSS has elevated risk management from just another control to a required core competency.

That makes risk analysis that much more important. Now, your goals in this process should be to do the following:

  • To determine the threats and vulnerabilities relevant to your services performed and assets;
  • To identify gaps and track remediations of those gaps; and
  • To define critical assets including hardware, software, and sensitive information - and then determine risk levels for those components.

With this information, you’ll be able to assign a prioritization level for reducing risk, e.g., prioritizing those relevant to systems that will be in scope for PCI DSS ahead of those other company systems and networks.

(If you need help in that area, read our article on the new scoping validation requirements under PCI DSS v4.0. This may be an area where you’d prefer to contract with a QSA firm to validate your scope.)

2. Document Policies and Procedures.

 

The risk assessment will tell you a lot—once it’s been completed, you’ll have a much clearer view of your security threats and risks. Now, you can begin determining your organization’s security posture.

Not only are policies and procedures a large part of the foundation for any security program, but they also comprise a large percentage of the PCI DSS requirements. Especially given the new version of the standard, your business leaders and department heads should first familiarize and arm yourselves with the details of the new PCI DSS requirements.

Together with the results of your risk analysis, you’ll be able to establish detailed security policies and procedures that both comply with the standard and are tailored to your business processes and security controls within the organization.

3. Identify Compliance Gaps.

 

Next, you’ll build upon this groundwork. Your key stakeholders and relevant personnel should by now understand the PCI DSS requirements—review them again in detail to discuss any potential compliance gaps and establish a remediation plan for closing those gaps.

At this point, it’s very important you have the full support of leadership who can authorize the necessary funds and manpower to implement any necessary remediation activities. Because even once the remediation plan is completed, it may also be reassuring at this stage to once again contract with a QSA firm for a gap analysis.

How would that help? They can either:

  • Help determine high-level areas that would are not compliant; or
  • Include a review much like a full PCI DSS assessment with the big difference being that you can miss a requirement and not “fail.”

Your QSA would review your security policies for accuracy and completeness while also helping identify any additional compliance gaps that need remediation before your full-scale assessment. Once you have your final control set in place, you’ll need to:

  • Perform internal vulnerability scans;
  • Contract with an Approved Scanning Vendor (ASV) to perform quarterly external scans; and
  • Schedule the required annual penetration testing.

Typically, third parties perform these, though you’re only required to use one for the ASV scans. But it can take some time to schedule, perform, and remediate all the findings from these (if necessary). Understand that your PCI DSS assessment results will be delayed until the penetration test is completed so scheduling as early as you can is your best bet.

4. Conduct Training to Educate Employees.

 

After remediation activities are completed and policies and procedures are implemented, it’s time to pivot toward supporting the human element of payment card security through training and education:

  • Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place.
  • Incident responders should review NIST SP 800-61.
  • Non-technical employees must be trained on general security awareness practices such as password protection, as well as how to spot possible phishing or social engineering attacks, etc.
  • If software development is performed at your organization, OWASP offers training materials for secure coding guidelines.

All the security controls and policies you’ve just painstakingly put into place and remediated will provide no protection if your people don’t know how to operate the relevant tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, and mixed cases, is utterly useless if an employee writes it on a sticky note attached to their monitor.

5. Perform Maintenance.

 

You’ve addressed your risks through control implementation and remediated your gaps, you’ve put your security posture from pen to paper, and your people understand their roles in securing your payment card environment.

You’re ready for your full-scale PCI DSS assessment, but until that time, you should enter a “maintenance mode:”

  • Conduct periodic internal audits
  • Hold regular committee meetings
  • Perform risk assessments
  • Update policies, procedures, and security controls as necessary to ensure you respond to an ever-changing threat landscape.

The standards mandated by PCI DSS must become integrated into your everyday operation so that you not only remain secure but also ease the burden of your annual assessments.

Moving Forward with Your PCI DSS Assessment

Bob Russo, head of the PCI SSC said:

“In the case of the PCI standards, it's especially important that it does not become a once-a-year event like people think of when they think of compliance…You can be in compliance today and be totally out of compliance tomorrow.”

 

You now have 5 clear steps to take ahead of your PCI DSS assessment, so you’re ready to make like NASA and prepare to the fullest. But a lot rests on your knowledge of the requirements—something that might be made trickier now with the release of the updated version of the standard after so many years.

To help with that, please read our other articles that delve deeper into the new details of PCI DSS v4.0:

About PHIL DORCZUK

Phil Dorczuk is a Senior Associate with Schellman. Prior to joining Schellman, LLC in 2013, Phil worked as a PCI DSS auditor with Coalfire Systems and a consultant at GTRI. At Coalfire, Phil specialized in PCI DSS audits and gap assessments and at GTRI specialized in Cisco network equipment installation and configuration.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.