PCI DSS Compliance Step By Step

Step 1—Identify and Classify Information
The first step in achieving your data privacy goals is to identify what data you have and classify it in terms of its sensitivity. There are multiple levels on which data can be classified, but for the purposes of PCI you need to determine what is and is not cardholder data, and then break the elements down further in terms of sensitivity. You might break it down as follows:
- Customer Information
- PAN
- Personal Identification Number (PIN)
- Non-customer-related data
You can classify your data in any way that makes sense to you, but the most important thing to be aware of is what PCI DSS Requirement 3 requires to be treated as sensitive. Your subsequent steps of organization will be based on your decisions here.
Step 2—Identify Where the Sensitive Data is Located
Databases will house cardholder data, but where else might it be? Flat files that are results of batch processing, log files, backup tapes, and storage networks may all house sensitive information.
Ask the following questions:
- Where is it located?
- What format is it in (e.g., database, flat file)?
- What is the size of the data?
Answers to these questions will determine if you have to make changes in your architecture to minimize the cost and work to protect the data.
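Steps 1 and 2 are usually done with a discovery scan: walk the flat files, logs and exports, look for card-number-shaped strings, drop the false positives with the Luhn check, and record where the PANs live, in what format, and how many there are. The script below is an added example written for this page (not part of the original text or of any PCI tooling); the file contents and card numbers are constructed test data, and the file names, `SAMPLE_FILES`, `scan` and `classify` are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-ins for the places Step 2 names: a batch-processing
# output file, an application log, and an unrelated report. The card numbers
# are well-known test numbers that pass the Luhn check; none is real.
SAMPLE_FILES: Dict[str, str] = {
    "batch/settlement_2024-01-15.csv": (
        "order_id,amount,card\n"
        "1001,19.99,4111111111111111\n"
        "1002,5.00,5555555555554444\n"
    ),
    "logs/app.log": (
        "2024-01-15T10:01:02Z INFO checkout ok order=1001 pan=4111-1111-1111-1111\n"
        "2024-01-15T10:01:03Z INFO request id=1234567890123456 status=200\n"
    ),
    "reports/inventory.txt": "sku=98765 qty=12\n",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run. This deliberately over-matches; Luhn filters the rest.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


@dataclass
class Finding:
    location: str    # where the data is (Step 2)
    fmt: str         # what format it is in (Step 2)
    line_no: int
    masked_pan: str  # never write the full PAN into the discovery report


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Render the PAN unreadable, keeping only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def detect_format(path: str) -> str:
    ext = path.rsplit(".", 1)[-1].lower()
    return {"csv": "flat file", "log": "log file"}.get(ext, "text")


def scan(files: Dict[str, str]) -> List[Finding]:
    """Find Luhn-valid PANs in every file, line by line."""
    findings: List[Finding] = []
    for path, content in files.items():
        fmt = detect_format(path)
        for line_no, line in enumerate(content.splitlines(), start=1):
            for m in CANDIDATE.finditer(line):
                digits = re.sub(r"\D", "", m.group(0))
                if luhn_ok(digits):
                    findings.append(Finding(path, fmt, line_no, mask(digits)))
    return findings


def classify(files: Dict[str, str]) -> Dict[str, dict]:
    """Per location: Step 1 classification plus Step 2 format, size and count."""
    findings = scan(files)
    summary: Dict[str, dict] = {}
    for path, content in files.items():
        hits = [f for f in findings if f.location == path]
        summary[path] = {
            "classification": "cardholder data (PAN)" if hits
                              else "non-customer-related data",
            "format": detect_format(path),
            "size_bytes": len(content.encode()),
            "pan_count": len(hits),
        }
    return summary


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.location}:{f.line_no} [{f.fmt}] {f.masked_pan}")
    for path, info in classify(SAMPLE_FILES).items():
        print(path, info)
```

The 16-digit request id in the log is caught by the pattern but rejected by the Luhn check, which is the difference between a usable inventory and a pile of false positives; the report itself only ever holds masked values, since a discovery output containing full PANs would be one more place you then have to protect.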
Step 3—Determine Who and What Needs Access
Too often, data breaches take place simply because people and applications have access to data they do not need. You have to balance the need for access with proper control over that access so that you can keep doing business.
Answer these questions:
- Who currently has access to sensitive data?
- Do they need access to do their job?
- What format is it in (e.g., database, flat file)?
- What is the size of the data?
- What applications such as backup applications or Web sites need access?
Step 4—Develop Policies Based On What You Have Identified
Now that you have identified what data you have, where it is located, and who and what needs to access it, you can define information-handling policies based on what, where, who, and how. This is where you establish such things as policies, standards, guidelines, and procedures. The details of implementing this are beyond the scope of this book, but numerous resources exist that provide help on how to approach it in an organized way. It may also help to engage a professional organization or consultant versed in this area to help you write and publish these. This will be the cornerstone of your information assurance plan.