Step by Step Guide to PCI DSS Compliance

Read the PCI DSS Standard • Map the end-to-end data flow
• Identify Third Parties

Define Environment
• Start Gap Analysis / Funding
• Produce Initial Project Plan / milestones

Gap Analysis

If cardholder data
Appoint QSA (recommended) infrastructure connected
to the internet

YES
Notify Barclaycard of milestones Network scans
& QSA Appointment required?

(all in-house) NO

ASV Undertakes Notify Barclaycard of Appoint ASV

Network Scan ASV Appointment (if necessary)

All externally facing IP

addresses should be
scanned (quarterly)

YES NO
3rd Parties ASV Scan
Remediate
exist? passed?

NO Provide Barclaycard with

Exec Summary Report

Finalise Gap Analysis

& Remediation Plan

• Complete Gap Analysis (in conjunction with

QSA if necessary)
A
• Define Remediation Activity

Check All 3rd Check Visa/ MasterCard for Provide Barclaycard with
Parties Contracts 3rd party accreditation Project/ Remediation Plan

Revise Contracts if necessary

NO
3rd Party to Implement Compliant 3rd Parties
accredited? Merchant to Implement
Solution or Merchant to select
Compliant Solution
alternative compliant 3rd Party
YES Use recommended
prioritised steps

• On site final audit

undertaken by QSA, OR
• Self Assessment complete
PCI DSS Final Register Compliance
Repeat Annually
Audit undertaken with Barclaycard
 Prioritisation Checklist for PCI DSS Compliance

Barclaycard recommend that the following prioritisation checklist be used by merchants to help
them with their compliance programme planning activity:

1. Undertake an initial evaluation of the anticipated impacts of PCI DSS on the merchant and
its third parties

2. Choose an QSA or ASV (if any internet applications are used)

3. Train resources on PCI DSS (Free Webinars are available from MasterCard)

4. Develop a plan to move towards PCI DSS compliance

5. Remove sensitive authentication data and limit data retention

6. Protect the perimeter, internal and wireless networks

7. Secure application

8. Protect through monitoring and access control

9. Protect remaining cardholder data (PAN and expiry date) through encryption or masking

10. Archieve and maintain final PCI DSS compliance

Share your plans with Barclaycard, and any actions taken and issues being faced.
 Visual Status Matrix for PCI DSS Compliance

Merchant Status Details

COMPLIANT • Internal Audit Completed and passed (Level 1)

• Successfully completed SAQ (Level 2-3-4)
• Passing Quarterly Network scans

IN PROGRESS • Has QSA or agreed Independent Assessment.

• Completed gap analysis
• Action plan and remediation plan in place.
• Indication of final audit/compliance date
• Passing quarterly network scans (using an ASV)

COMMITTED • Has QSA or agreed Independent Assessment.

• Gap analysis complete and preparing remediation
plan/seeking budgetv
• Performing network scans (ASV)

PREPARING • Contacted by acquirer

• Gap analysis in progress

NON-COMPLIANT • Unable to make contact

• Merchant unwilling/ unable to progress
 Useful Links for PCI DSS Compliance

What? Who? Link

PCI Standard Security PCI SSC https://www.pcisecuritystandards.org/

Council (SSC) web site

PCI DSS Standard and PCI SSC https://www.pcisecuritystandards.org/security_standards/

supporting documents pci_dss.shtml
available for download

Free Network MasterCard http://www.mastercard.com/us/sdp/special_offers_and_

Vulnerability Scan promotions/index.html

Barclaycard Merchant Barclaycard/ http://www.mastercard.com/us/sdp/education/

Education & Awareness MasterCard pcibarclaycard/index.html
Programme (Free offline
Webinars)

Barclaycard PCI DSS Barclaycard http://www.barclaycardbusiness.co.uk/information_zone/

Resource Centre security/pci_dss.html

360 Degree View on PCI... MasterCard http://www.iian.ibeam.com/events/mast001/24008/

A Series of Payment Card
Industry Discussions

MasterCard Merchant MasterCard http://www.iian.ibeam.com/events/mast001/24008/

Education Programme

AIS: Visa’s compliance VISA http://www.visaeurope.com/aboutvisa/security/ais/main.jsp

programme

MasterCard SDP programme MasterCard http://www.mastercard.com/us/sdp/index.html

OWASP Article: Handling E- OWASP http://www.owasp.org/index.php/Handling_E-Commerce_

commerce Payments Payments

Self Assessment PCI SSC https://www.pcisecuritystandards.org/pdfs/instructions_

Questionnaire (SAQ) guidelines_v1-1.pdf
Instructions and Guidelines

SAQ (select type A, B, C or D) PCI SSC https://www.pcisecuritystandards.org/saq/instructions.shtml

List of Approved QSAs PCI SSC https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

List of Approved ASVs PCI SSC https://www.pcisecuritystandards.org/pdfs/asv_report.html

List of Certified Service VISA http://www.visaeurope.com/documents/ais/visa_europe_ais_

Providers certified_service_providers_18082008.pdf

List of Validated Payment VISA http://www.visaeurope.com/documents/ais/list_of_visa_

Applications europe_payment_applications_05092008.pdf