For an organization first facing PCI DSS, getting compliant is really effing challenging. Whether this is your first rodeo or you’ve been at it for a decade, any resource that makes compliance easier is worth its weight in gold.
TCT was established with the mission of making compliance management suck less, and we dedicate ourselves to putting helpful tools in the hands of our clients. Here are some of the best resources you can find to make your experience with PCI compliance easier to understand and manage.
Related reading: PCI 4.0 Is Coming — Here’s What to Expect
The PCI Document Library is an absolute necessity for anyone going through PCI DSS compliance. This is the official PCI SSC page that holds the current version of the standard and every document that goes with it.
The library includes sections for standards, supporting documents, supporting templates, and forms. Use the filters to drill down from high-level documentation to the very specific items your organization needs.
The default filter shows the general PCI DSS material, such as the summary of changes between the prior version and the current one (a summary of the major changes, not necessarily every change). That section speaks mainly to organizations that submit a Report on Compliance (ROC), in other words those with an Assessor-led engagement.
Smaller organizations, or any company that completes a Self-Assessment Questionnaire (SAQ), can set the filter to SAQs to see all of the questionnaires along with the guidelines for choosing and completing the right one.
The PCI SSC website covers everything that has to do with PCI compliance. Not only is the Document Library there, but there is also a thorough FAQ and a large amount of PCI content, including guidance that the Council releases to clarify specific compliance questions, and everything published so far on PCI DSS 4.0. It is worth taking some time to browse the site and discover the resources it offers.
When you go through a full-scale assessment, a Qualified Security Assessor (QSA) may be involved: a ROC has to be completed by a QSA (or by a PCI-trained Internal Security Assessor), and some organizations that complete an SAQ are required by their acquirer, or simply choose, to have a QSA validate their stance against the PCI DSS. You can find websites that list QSA firms, but the best and most comprehensive list is the Qualified Security Assessors page on the PCI website.
This page lets you search for a particular Assessor or an Assessment firm. The directory provides helpful information about the firm — geographical regions where they work, markets they serve, supported languages, contact information, and more. Click through to a firm’s website to learn more about the company.
When looking for a new Assessor that fits your company’s needs, there’s always an element of rolling the dice. If you’re looking for a QSA firm that doesn’t suck to deal with, TCT is happy to have a conversation with you and get you connected to a like-minded Assessment firm.
One of the requirements of PCI DSS is that your quarterly external vulnerability scans have to be performed by an officially Approved Scanning Vendor (ASV). For smaller merchants, this is typically coordinated through the merchant bank. Larger entities that need to acquire their own ASV scans can use the list of approved scanning vendors hosted on the PCI website to find a vendor that satisfies the standard.
An ASV is an organization whose set of security services and tools (its “ASV scan solution”) is used to conduct external vulnerability scans. PCI SSC tests and approves a vendor's ASV scan solution before adding it to this list, so a scan from anyone else does not count toward the requirement.
Part of achieving PCI compliance is ensuring that your service providers are also PCI compliant. It can be exhausting to find reliable vendors that don’t just pay lip service to PCI compliance. To make your job easier, Visa maintains a list of hosting companies and other service providers that have been certified as PCI DSS compliant.
You can search by company name for specific vendors, or browse through the master list. View vendors’ certifications, date the validation expires, type of service they provide, their region of operation, and more.
This registry can be a great place to check the vendors you’re currently using, and to start your search for new vendors.
Because these organizations have to submit an Attestation of Compliance (AOC) signed off by a QSA as part of their submission to Visa, this resource is a reliable third-party site you can use to vet your vendors. You should still request a copy of the AOC itself so you can confirm that the services you actually use are in scope of the assessment.
If a company isn't on the list, it doesn't mean they aren't PCI compliant. It simply means they aren't part of the registry, which is a pay-to-play list that providers must apply and pay to appear on.
The team that runs this blog has been writing about PCI since 2009. As their tagline says, they take a common-sense approach to achieving PCI compliance, which we at TCT can appreciate.
The site posts a lot of interesting and helpful pieces on PCI and how it works, and everything there is specific to PCI DSS. They have been in the space for a heck of a long time and they know what they're talking about.
This free online service performs a deep analysis of the TLS configuration of any web server reachable from the public Internet. It tests the server's certificate, the protocol versions and cipher suites it accepts, and known protocol weaknesses, and reports all of it in one place.
We often use this resource when we want an objective test result for a client's website. It lets us identify configuration problems in just a few minutes, so we can target our corrective actions and efficiently get things buttoned up from a security standpoint.
The results give you an overall A+ through F rating for your site. Below the grade, the findings are listed item by item, so you can work down the list and understand specifically what's in good shape and what needs your attention (for PCI purposes, support for SSL or early TLS versions is the finding to look for first).
Tip: Before you enter your website into the search box, check the box so that your site’s results don’t get displayed in the list of recent website tests.
PCI DSS (Requirement 2.2) requires that you build your systems to documented configuration standards that are consistent with industry-accepted hardening standards. Default settings get you up and running quickly, but they aren't chosen for security. A hardening standard tells you, setting by setting, how a device should be configured, and gives an auditor something concrete to check you against.
CIS Benchmarks are easier for our clients to implement than many other standards out there. Each recommendation comes with a rationale, an audit procedure and a remediation step, so they're easier to read and understand, and easier to follow.
CIS also provides tooling that not only scores your system against a benchmark, but can also apply the benchmark's settings to a targeted system.
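To show what a benchmark assessment actually does under the hood, here is an added example of a minimal configuration check, written for this page and not code from TCT or from CIS. It parses a constructed sshd_config the way sshd reads it (comments and blank lines ignored, keyword names case-insensitive, whitespace or a single "=" as the separator, first occurrence of a keyword wins, and anything after a Match line treated as conditional and skipped), then compares the effective settings against a small baseline. The baseline values are assumed for illustration and are modelled on common sshd hardening advice; they are not quoted from any particular CIS Benchmark version.

```python
"""Added example: a minimal benchmark-style check of an sshd_config.
Not TCT's or CIS's code; the baseline values below are assumptions."""

import re

# Constructed sample sshd_config (not from a real host) with some deliberate
# deviations: root login allowed, too many auth tries, X11Forwarding only
# commented out, and an over-long idle interval.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's config
Port 22
Protocol 2
LogLevel INFO
permitrootlogin yes
MaxAuthTries 6
#X11Forwarding no
PermitEmptyPasswords no
IgnoreRhosts yes
ClientAliveInterval 900
"""


def _is(expected):
    """Check that the value is present and equals expected (case-insensitive)."""
    return lambda v: v is not None and v.lower() == expected


def _int_in(low, high):
    """Check that the value is an integer within [low, high]."""
    return lambda v: v is not None and v.isdigit() and low <= int(v) <= high


# Hypothetical baseline: directive -> (check, human-readable expectation).
# Each check receives the effective value, or None when the directive is absent.
BASELINE = {
    "PermitRootLogin": (_is("no"), "no"),
    "MaxAuthTries": (_int_in(1, 4), "1-4"),
    "X11Forwarding": (_is("no"), "no"),
    "PermitEmptyPasswords": (_is("no"), "no"),
    "IgnoreRhosts": (_is("yes"), "yes"),
    "ClientAliveInterval": (_int_in(1, 300), "1-300"),
    "LogLevel": (lambda v: (v or "").upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE"),
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of an sshd_config.

    Mirrors sshd's reading rules: blank lines and lines starting with '#' are
    comments, keywords are case-insensitive, keyword and value are separated by
    whitespace or a single '=', and the first value seen for a keyword is the
    one sshd uses. Parsing stops at a Match line, because directives inside a
    Match block only apply conditionally and need per-user/per-host evaluation.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def assess(config_text, baseline=BASELINE):
    """Compare a config against the baseline.

    Returns (passed, findings); findings is a list of (directive, actual,
    expected) for every failing check. A directive that is absent is reported
    with actual=None and counts as a failure: a benchmark wants the setting made
    explicit rather than relying on the compiled-in default, which differs
    between OpenSSH versions and distributions.
    """
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, (check, expected) in baseline.items():
        actual = effective.get(directive.lower())
        if not check(actual):
            findings.append((directive, actual, expected))
    return len(findings) == 0, findings


if __name__ == "__main__":
    passed, findings = assess(SAMPLE_SSHD_CONFIG)
    print("PASS" if passed else "FAIL")
    for directive, actual, expected in findings:
        print(f"  {directive}: found {actual!r}, expected {expected}")
```

Run against the sample, the check fails on PermitRootLogin, MaxAuthTries, X11Forwarding and ClientAliveInterval and passes the rest. The part worth copying is the parsing discipline: a check that greps for a string would be fooled by the commented-out X11Forwarding line, by the lowercase permitrootlogin keyword, or by a second Port line that sshd ignores, and those are exactly the cases where a quick self-check and an Assessor's findings tend to disagree.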
Looking for straight talk on PCI and other compliance topics? You’ll find it on TCT’s podcast, “Compliance Unfiltered.” Compliance Unfiltered is a fresh, raw, uncut alternative for anyone who is struggling with all manner of topics related to security/compliance engagements. Episodes offer real talk for real people, without pretense.
Compliance Unfiltered is available on major sites where you’d get your podcasts, including Apple, Spotify, and Google Play.
Make PCI Compliance Easier to Manage
Managing PCI compliance has never been easy, and it's becoming even more challenging as the entire industry switches over to PCI DSS 4.0. Expect to deal with a good amount of turbulence for a while, since everyone is in the same boat trying to make heads or tails of it all.
Whether you're in the midst of the transition to PCI 4.0 or not, you can count on TCT to help you make compliance management suck less. We're always available. Reach out with questions, make use of our resources, and check out our compliance management software. We can help you cut your manual effort by hundreds of hours.