Non-Compliance Lesson No. 1: Wait until your assessment to validate scope
Posted by David Gamey on 07 Oct 2021.
PCI DSS can be hard, and not preparing for it just makes it harder. Following this advice is guaranteed to make it both more exciting and more painful:
- Ignore your "connected-to" systems.
- Forget that PCI scope also covers processing and transmission, as well as security-impacting systems.
- Leave troublesome special cases and infrequently used processes until your assessment date draws near.
- Figure all of this out at the last minute, during your assessment, to keep things exciting.
Seriously, if you want your assessment to be smooth and boring, you may find these articles useful:
- Why did my PCI DSS Scope Explode?! https://www.controlgap.com/Why-did-my-PCI-DSS-Scope-Explode/
- PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money https://controlgap.com/blog/pci-compliance-footprints
- Understanding "Connected-to" - Is The Internet In Scope For PCI DSS? https://controlgap.com/blog/connected-to-pci
- The official PCI DSS Scoping Guide https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentationv11.pdf
- Reporting Requirements https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-ROC-Reporting-Template.pdf
- All Known Published PCI FAQs indexed in one place https://controlgap.com/index-pci-frequently-asked-questions/
If You Need Help
Compliance can seem as dry as toast. Normally, it only gets exciting when things go wrong: you find problems during an annual assessment, you are facing a looming deadline, and senior management is breathing down your neck expecting a pass. Last-minute discovery of problems gets extremely stressful. Failure becomes an option. Remediation is not guaranteed, and it can often be risky, sub-optimal, and expensive.
PCI DSS has 12 high-level requirements and over 250 sub-requirements, each of which is an opportunity for failure. The kinds of challenges we describe are often avoidable and manageable. After all, PCI is an open-book exam, and there should be no excuse for not being prepared. If you are struggling with business-as-usual compliance, or have challenges, we can help.