The best starting place for any organization, but especially those that accept cards in multiple ways (online, in person, by phone) or have multiple merchant accounts, is to do a business data flow analysis. The goal is to understand why credit cards are used and how they are used, and then to follow the card data from start to finish. The resulting data flows help the business and technology teams understand what is in place, and they provide documentation for compliance. Once the business process is understood, the technical analysis can be done to assess the controls around it.
One of the “secrets” to credit card compliance is to make the scope as small as possible. Technically, this is referred to as reducing the Cardholder Data Environment (CDE) using approved methods, such as network segmentation. Reducing the scope reduces the risk associated with accepting cards and can also be used to streamline the business processes for accepting them.
All this may sound a bit daunting, but there are many resources available to assist, from the PCI SSC itself to educational materials on the internet and Qualified Security Assessor Companies (QSACs), like RubinBrown.
If you need assistance, please feel free to reach out to our Cyber Security Services team.
Readers should not act upon information presented without individual professional consultation.