Companies get checklist for complying with PCI standard

10.03.2009
The organization responsible for administering the is offering new guidance to companies on how to focus their PCI DSS compliance efforts so as to more quickly them in position to meet the rules on protecting credit and debit card data.

PCI Security Standards Council LLC, which was set up by in 2006, last week released a document detailing a Prioritized Approach framework that lists the most efficient order for companies to implement the 12 security controls mandated under PCI DSS. The framework groups the controls under six specific milestones that companies can use as a road map towards compliance, according to council officials.

, the council's general manager, said the framework is "the culmination of a lot of input" from various stakeholders within the payment card industry. It's designed, he added, to help companies that haven't yet to start on their PCI compliance efforts and are wondering what they should do first.

The release of the rollout guidance by the council comes nearly four years after the PCI standard first went into effect, imposing a set of data security requirements on all entities that accept credit and debit card payments. The effort to create the framework indicates that many merchants, especially smaller ones, still aren't fully compliant with the standard and need help implementing it, said Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill.

"I think there are a lot of merchants at the amount of remediation they need to undertake to become fully compliant," Huguelet said. That, he added, has resulted in a sort of "paralysis" in which some merchants either are doing nothing in regards to PCI compliance or are only taking on some of the easier requirements, which by themselves do little to reduce the overall that process card transactions.

By offering a framework that explicitly ranks the relative importance of the different requirements, the PCI council has finally given businesses that still need to comply with the rules a way to move forward, according to Huguelet. "The journey of a thousand miles begins with a single step, and the PCI [council] has now officially announced what those first steps for merchants really should be," he said.