Exam (solutions)

CIS 3086 PCI_DSS_V2.0-Best Practices for Maintaining PCI DSS Compliance

Rating: -
Sold: -
Pages: 83
Grade: A+
Uploaded on: 26-02-2023
Written in: 2022/2023

Preview of the contents

Information Supplement

Best Practices for Maintaining PCI DSS Compliance

18-Jan-2019

Information Supplement • Best Practices for Maintaining PCI DSS Compliance • January 2019



Document Changes

Date            Version   Description
August 2014     1.0       Initial release
January 2019    2.0       Updated by 2018 Maintaining PCI DSS Compliance SIG. Changes include:
                          • Restructure of the document for better flow (e.g., consolidation of
                            Section 2, and moving Section 4.2 to Section 3).
                          • New guidance on compliance program, scope and compensating control
                            review, best practices to maintain evidence of security control
                            effectiveness, security awareness, and monitoring compliance of
                            third-party service providers.
                          • Added Appendix C to assist with identifying applicable PCI DSS
                            requirements to asset types, and Appendix D to manage compliance
                            monitoring activities.
                          • Updated guidance on responsibility for compliance, risk assessment,
                            automated and manual control monitoring, review frequency, and
                            sampling of controls.
                          • Enhanced guidance on measuring efficiency and effectiveness of
                            security controls.
                          • Standardized terminology throughout the document.
                          • Updated references to PCI SSC and external resources.
                          • Minor grammatical updates.




The intent of this document is to provide supplemental information.
Information provided here does not replace or supersede requirements in
any PCI SSC Standard.




Table of Contents

1 Introduction ........................................................... 4
  1.1 Intended Audience .................................................. 4
  1.2 Terminology ........................................................ 4
  1.3 Summary of Recommendations ......................................... 6
2 Challenges to Maintaining Compliance ................................... 9
3 Best Practices for Maintaining PCI DSS Compliance ..................... 12
  3.1 Develop and Maintain a Sustainable Security Program ............... 12
  3.2 Develop Program, Policy, and Procedures ........................... 12
  3.3 Develop Performance Metrics to Measure Success .................... 14
  3.4 Assign Ownership for Coordinating Security Activities ............. 20
  3.5 Emphasize Security and Risk Management to Attain and Maintain Compliance ... 22
  3.6 Continuously Monitor Security Controls ............................ 28
  3.7 Detect and Respond to Security Control Failures ................... 45
  3.8 Maintain Security Awareness ....................................... 47
  3.9 Monitoring Compliance of Third-Party Service Providers ............ 49
  3.10 Evolve the Compliance Program to Address Changes ................. 51
4 Commitment to Maintaining Compliance .................................. 56
Appendix A: Sample of Industry-Standard Security Frameworks ............ 58
Appendix B: Common Assessment Roles & Responsibilities ................. 61
Appendix C: Applicability of PCI DSS Requirements to Asset Types ....... 64
Appendix D: PCI DSS Compliance Program Activities ...................... 66
Acknowledgments ........................................................ 81
Recommended References ................................................. 82
About the PCI Security Standards Council ............................... 83







1 Introduction
Since the inception of the Payment Card Industry Data Security Standard (PCI DSS),
compliance with PCI DSS has steadily increased among organizations that store, process,
and transmit cardholder data. The increase in PCI DSS compliance rates can likely be
attributed to increased awareness of the standard, evolutions in card brand compliance
programs and mandates, and an overall increase in the maturity of PCI DSS. However,
despite these improvements, statistics show that most of these organizations still have
yet to master ongoing PCI DSS compliance.[1]

If organizations want to protect themselves and their customers from potential losses or
damages resulting from a data breach, they must strive for ways to maintain a
continuous state of compliance throughout the year rather than simply seeking point-in-time
validation. A study conducted by Verizon from 2011 to 2017,[2] on organizations that
had a data breach, showed that many of the organizations that were assessed as being
non-compliant at the time of their breach had successfully complied during their
previous PCI DSS assessment and had lapsed into non-compliance. Through a
combination of people, processes, and technology, organizations must incorporate
continuous security and compliance practices into their culture and daily operational
activities.

The objective of this document is to provide guidance on best practices for maintaining
ongoing compliance with PCI DSS. The focus is to provide organizations with
recommendations to plan for continuous compliance as opposed to a point-in-time, annual
assessment approach.

The information in this document is intended as supplemental guidance and does not
supersede, replace, or extend requirements in any PCI SSC standards, nor does it
endorse the use of any specific technologies, products, or services. While all references
made in this document are to PCI DSS version 3.2.1, the general principles and practices
offered here may be applied beyond the context of PCI DSS.


1.1 Intended Audience
This guidance is intended for organizations seeking to better understand how to
maintain compliance with PCI DSS. Examples include merchants, service providers,
acquirers (merchant banks), and issuers. This guidance assumes readers are familiar
with the PCI DSS requirements, testing procedures, and scoping guidance, and possess a
basic understanding of computer information systems, networking technologies, and
general IT principles and terminology.


1.2 Terminology
Please refer to the PCI DSS Glossary, Terms, Abbreviations, and Acronyms[3] for terms and
