
PCI DSS compliance is like car maintenance: it’s not just an annual event


Written by Julia Wailes-Fairbairn

1st March 2019


PCI DSS compliance is like car maintenance: to keep your vehicle roadworthy throughout the year you need an ongoing programme of routine repairs, regular servicing and continuous vigilance. In the same way, payment card data security needs constant review and revision; a yearly PCI DSS assessment alone is not enough. Like an MOT, the assessment applies only to a given moment in time and provides no assurance of continued compliance.

Taking the analogy a step further, consider the purpose behind the MOT and the PCI DSS assessment. The intention of the Road Traffic Act and the MOT process is to ensure your safety and that of other road users, not simply to get you through a test. Likewise, the intention behind the PCI DSS compliance process is not a tick-box exercise that ends with a certificate; it is to keep your organisation and your customers' card data safe on an ongoing basis.

Achieving compliance is only the first step; as with an ageing car, maintaining it is another matter altogether. At re-assessment the requirements are more demanding: organisations must produce evidence of activity throughout the preceding 12 months, not just a snapshot of the current state. For example, you must show how system patches are risk assessed and applied, and how security vulnerabilities have been assessed and ranked as they were discovered. Many other records and processes must be evidenced, including firewall rule-set reviews (at least every six months), cryptographic key changes at the end of each key's cryptoperiod, daily log review and other system audit processes, and quarterly vulnerability scanning, to name but a few. In practice this means keeping dated artefacts (scan reports, change tickets, review sign-offs) as each activity happens; they cannot be reconstructed credibly after the fact.

If you are not familiar with all of these terms, do not be alarmed. Few people know their car's engine to that level of detail, nor would they consider maintaining their vehicle without the services of a professional mechanic. In the context of PCI DSS, the QSA fulfils that role. It is their job to keep you on the road, providing the reassurance that you have taken the appropriate precautions to protect cardholder data. Not only do they get your organisation through the initial assessment, they help you to keep it that way by checking the moving parts, spotting areas of weakness and anticipating where things may fail in the future.

Like a good mechanic, QSAs not only work to achieve compliance but also offer guidance on security best practice, using their experience to help design policies and procedures that will stand the test of time. And because the project is correctly scoped at the outset and an experienced QSA can navigate the right course first time, it is a cost-effective solution.

SRM's QSAs have combined experience of more than half a century, delivering projects for businesses in every sector and of every size. Our PCI eBook, available for free download, provides practical, hands-on advice and guidance from members of this highly experienced team, in their own words. They combine the often-overlooked basics with sound advice on more specific issues. Although it is a complex subject, our aim is to demystify cybersecurity and help make the compliance process more robust and cost-effective for our clients in 2019.

Register to download SRM's free PCI eBook here.

For enquiries about our QSA team and PCI DSS compliance service contact Laura Chatton on 03450 21 21 51

Or read from our blog:

How PCI compliance puts you on course for GDPR

How to protect your business from account data compromise (ADC)

Does outsourcing card processing make you PCI compliant?