What can organisations be doing now?
As in previous blogs, my first piece of advice was for organisations to watch out for initial releases of the new version of the DSS, remembering that the responsibility for managing and maintaining PCI compliance sits with the merchant or service provider.
As such, organisations should ensure that the scope of their cardholder data environment (CDE) is accurate; this is the foundation for obtaining and maintaining PCI compliance. Remember – over time, business objectives change, and it can be easy to omit systems and services from the scope of PCI compliance. Whilst we’re still a little way from any new version of the DSS, the run-up to a new version is a great opportunity to review the scope of the CDE. Ensure that every system that stores, processes or transmits cardholder data, or that can affect the security of the CDE, is included in scope and that the compliance requirements applying to it are clearly defined.
Finally, businesses should proactively update their compliance programmes with a focus on embedding security into the day-to-day operations of the organisation – PCI compliance can be affected by the smallest change in the requirements applicable to the scope of your CDE, so it’s important to keep an eye on information coming out of the SSC.