515-223-5119 info@ineda.com

[Author: PCI Security Standards Council, 03.2020 | Keywords: PCI Compliant, Business Operations]

How can you make sure that security controls continue to be properly implemented at your dealership? Integrate Payment Card Industry Data Security Standards (PCI DSS) into business-as-usual activities as part of your overall security strategy. This will allow you to monitor the effectiveness of security controls on an ongoing basis and help you maintain a PCI DSS compliant environment in between PCI DSS assessments.

Best practices to incorporate PCI DSS into your day-to-day activities include, but are not limited to:

  1. Monitoring security controls to ensure they are operating effectively and as intended.
  2. Ensuring that all failures in security controls are detected and responded to in a timely manner.
  3. Reviewing changes to the environment (for example, the addition of new systems, changes in the system or network configurations, etc.) prior to completing the change to make sure PCI DSS scope is updated and controls are applied where appropriate.
  4. Changes to organization structure (for example, a company merger or acquisition) resulting in a formal review of the impact on PCI DSS scope and requirements.
  5. Performing periodic reviews and communications to confirm that PCI DSS requirements remain in place and personnel are following secure processes.
  6. Reviewing hardware and software technologies (at least annually) to confirm that they continue to be supported by the vendor and can meet your dealership’s security requirements, including PCI DSS, and fixing shortcomings as appropriate.

You may also want to consider implementing a separation of duties for security functions so the security and/or audit functions are separated from operational functions.

Note: For some businesses, these best practices are also requirements to ensure ongoing PCI DSS compliance. All businesses should consider implementing these best practices into their environment, even when they arenĂ­t required to validate to them.

Source: PCI Security Standards Council