Getting Started

Getting Started: Urgent Remediation

This post is part of the Getting Started with PCI-DSS Compliance series.

The Zeroth Step: Urgent Remediation

Before we get into the meat of the series, let me emphasize the importance of taking a risk-prioritized approach from day one.  Compliance should not be your motivation.  Iron-clad protection of sensitive cardholder data should be your goal.  Compliance will follow naturally… eventually.  The subtext here is that while you develop your compliance strategy, high-risk activities should be identified and addressed immediately.

We recommend scheduling interviews with representatives from each line of business that owns a merchant account, as soon as possible.  (continue reading…)


Getting Started With PCI DSS Compliance

For those who have been in the trenches for years, a series about how to begin to grapple with PCI compliance may come as a surprise.  After all, the compliance deadlines are all long past.  However, we recently sat down with an advisee who received marching orders to tackle PCI compliance for his employer, a merchant who only just learned of their compliance obligations.  If you find yourself swimming in similar straits, this series will provide some basic advice on where to begin and point you to important resources.  We invite our more experienced readers to provide additional resources in the comments!

It Begins…

So you’ve gotten a letter or a call or a visit from your merchant bank.  They’ve told you about this PCI Compliance thing-a-ma-bob, and now you’re preparing to explain it to the next level up.  What do you tell them?

Whatever it is, you need to be prepared to respond to the following questions: (continue reading…)


When Will I Be Asked To Comply With PCI DSS?

A reader recently submitted the following question to Ask PCI DSS Guru:

“When will merchants be contacted with the questionnaire for compliance? I have had card processing for 8 years and have never been contacted previously.”

(continue reading…)


An Introduction to PCI DSS (updated)

By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

(continue reading…)


  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.