Understand the scope, risks and timelines
One of the biggest challenges for organisations is to accurately understand their scope for PCI DSS. Even if you do not directly store, process, or transmit cardholder data, you still have obligations under PCI DSS if you accept credit or debit cards as payment or if your systems or services can affect the security of someone else’s cardholder data environment (CDE). The key thing is to be able to show the transaction flow and to have accurate, current network diagrams, so that the assessor can validate the scope you have defined rather than having to guess at it. Scope should also cover any system that is connected to, or could affect the security of, the CDE, not only the systems that handle card data directly.
Cyber-risk oversight also plays a big part in any PCI project. It is important to understand how each of the organisations and teams you are working with views PCI risk, and why. Acquirers want to ensure that you do not suffer a cardholder data breach, because a breach puts your ability to take payments at risk.
Sometimes it is easy to forget the end consumer when thinking about risk. They are the ones who ultimately risk having their card details stolen by a malicious third party, which is not only inconvenient for them but also stressful and time consuming to put right.
It is also important to understand the timelines everyone is working towards. Our biggest recommendation here is to engage your acquiring bank, your service providers, and your internal teams early in the PCI process. All of these parties want you to achieve compliance and will be more than willing to agree a reasonable timeline for doing so.