Maintain an information security program
In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data.
The following is a very basic plan that every merchant or service provider should adopt in developing and implementing a security policy and program:
- Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between the existing practices in your organization and those outlined by the PCI requirements.
- After the gaps are identified, determine the steps needed to close them and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or strengthening the logging and archiving procedures associated with transaction data.
- Create an action plan for ongoing compliance and assessment.
- Implement, monitor, and maintain the plan. Compliance is not a one-time event. Regardless of the merchant or service provider level, all entities should complete annual self-assessments using the PCI Self-Assessment Questionnaire (SAQ).
- Call in outside experts, as required.