Regulatory Compliance, Governance and Security

Mar 24 2009   11:39PM GMT

12 PCI DSS Requirements | Lessons Learned from a PCI QSA



The 12 PCI DSS Requirements are lengthy and technical indeed. However, organizations need to truly understand the scope of the PCI assessment in order to gain greater insight into the efficiencies that can be had when undertaking a Payment Card Industry Data Security Standard (PCI DSS) assessment.

So, what are my lessons learned as a Qualified Security Assessor (QSA) who conducts PCI assessments?

First and foremost, the assessment is NOT always about technology. Sure, there is a host of requirements surrounding the “system components” of the “cardholder environment”, but look closer and you will find that developing documented policies and procedures is one of the most time-consuming and arduous processes of the entire assessment. You’re kidding, you might say? Not at all; it’s amazing how much time and effort is needed to develop these documents for ensuring PCI compliance.

Add to that the fact that you need to properly “scope” the assessment across a number of parameters, and I would highly advise a PCI Readiness Assessment for any entity going through a Level 1 PCI engagement.

Properly scope the assessment for what is and is not included in the “cardholder environment”, conduct a PCI Readiness Assessment and be mindful of the documented policies and procedures that must be in place for compliance.

To learn more about PCI, visit
