“If the minimum wasn’t good enough, it wouldn’t be the minimum.” - Keith W.
Wise words from one of my developers many years ago. When it comes to tackling PCI Compliance, it is advice well worth taking.
With leaks of sensitive customer information in the news, there’s an increased focus on compliance as more services shift to cloud computing and APIs.
If you are a merchant of any kind, or otherwise store, process or transmit customer credit card data, you must be aware of the PCI compliance requirements, which are designed to protect cardholder data from exposure.
PCI compliance gets tricky as apps and services move to cloud services and APIs. If you're heading down the path of PCI compliance, or just trying to position yourself, your APIs and your internal systems better for the future, keeping it simple will help you succeed.
First, Document your Process
The Payment Card Industry Data Security Standard (PCI DSS) establishes the "what" but not the "how" of achieving compliance.
The how is up to you. But as with most audit- and process-centric assessments, what matters most is being able to articulate what you do to satisfy a particular DSS requirement, and then being able to show evidence that backs up that statement.
Identify all of the process standards that apply to you from the DSS and identify the proper owner of those processes as well. Put together a simple Process Description Template that everyone uses to document their individual processes and adopt a naming convention that calls out the DSS section. Centralize the storage of those documents and make sure everyone knows where they are.
Just focus on capturing the "how" of your processes as leanly as possible. Your assessors are not grading the elegance of the process or the polish of the documentation; they check that the process meets the DSS requirement and that you can show evidence it is actually followed.
With your processes documented "well enough" and easily mapped to the PCI DSS, you'll discover gaps and strengths, and you'll make your assessor's life easier, which in turn makes your life easier.
Next, we'll talk about the special challenges with PCI in cloud computing and APIs, and practices that you can apply to reduce your risk.
Morgan Hall is a project manager with Apigee. Previously he was Director of Business Architecture at TransUnion.