#cybersecurity | #hackerspace | How should Large organisations achieve and maintain PCI compliance?

Since 2006, the PCI Security Standards Council (PCI SSC) has managed the evolution of the Payment Card Industry Data Security Standard (PCI DSS). It does this by frequently assessing and updating the standard through collaboration with participating organisations. To help organisations achieve and maintain PCI compliance it also releases information supplements; for example, 2019 saw an updated version of the Protecting Telephone-Based Payments Supplement (an overview of this can be found here).


In February, the first information supplement for large organisations was released. By nature, large organisations tend to have more complicated networks, so understanding their PCI DSS scope and responsibilities can be difficult to manage. So, what exactly does this supplement advise for achieving and maintaining PCI compliance? Its guidance can be broken down into four broad categories: Identify, Record, Report and Maintain.

Identify


Section 4.1 states that ‘To ascertain who has ownership of PCI DSS compliance activities, large organisations should first determine where the organisation performs payment card functions.’ Initially this may seem obvious, and the supplement acknowledges that most large organisations will already have a plan in place for this, but it can prove difficult. There could be multiple physical locations, payment channels or even franchises which all need to be considered. Along similar lines, large organisations need to determine the roles, responsibilities and ownership of PCI compliance amongst employees. The challenge for large organisations is that misunderstandings and varying interpretations can lead to lapses in compliance. It is therefore just as important to clearly define and allocate responsibilities for PCI DSS to the correct employee(s). Table one of the supplement lists roles and teams and gives examples of where PCI DSS responsibility lies for each, as a way of steering this.

Record


Section 7 states ‘conducti ..