By Jason McWhirr, Information Security Consultant
What is the PCI DSS Prioritised Approach?
Merchants with more complex payment systems or payment processes that do not fit into the shortened SAQs (A, A-EP, B, B-IP, C & P2PE) are required to complete SAQ D, or may require an on-site assessment (for merchants with higher transaction volumes).
These questionnaires can take extended periods of time for a merchant to complete as company payment processes, IT systems and service providers may need substantial changes to be made to become PCI DSS compliant.
The PCI Council recognises this, and to help merchants working towards compliance they introduced the Prioritised Approach document. This document provides a roadmap for merchants to help them prioritise their compliance efforts in the most critical risk areas of PCI DSS.
The main focus is on the protection of cardholder data, establishing security milestones, and lowering the risk of a cardholder data breach.
In addition to the Prioritised Approach document and to help merchants, the PCI SSC also created the Prioritised Approach Tool. This is a worksheet that merchants can use to easily document their progress. The Prioritised Approach document is updated each time the PCI DSS is revised, currently version 3.2. The latest document will always be found here.
How does it help merchants?
Rather than using the 12 PCI DSS requirements, the Prioritised Approach document uses 6 security milestones to target the highest risks to the merchant’s cardholder data and systems. The matrix below summarises the high-level goals for each milestone:
The Prioritised Approach worksheet shows the milestones above numbered and colour coded, linked to the PCI DSS requirements that have the highest risk to cardholder data.
The worksheet is designed to assist an initial gap analysis of a merchant’s payment systems. Each requirement is answered ‘YES’, ‘NO’ or ‘Not Applicable’, with additional fields to justify non-applicability and, for non-compliant answers, to record the estimated date of completion.
Information on each requirement is kept minimal, with the labels giving only a short description – always refer to the actual PCI DSS document for detailed guidance.
Figure 2 – PCI DSS Prioritised Approach worksheet
The document creates a better understanding of how compliance is needed to protect cardholder data, creates manageable prioritised areas, and creates percentage scores to monitor compliance achievements for each milestone:
Figure 3 – PCI DSS Prioritised Approach Summary
The Prioritised Approach document is an aid for merchants on their route to compliance with the PCI DSS. It provides them with a measurable level of progress that they can use to demonstrate, to their acquirer and within their own organisation, the steps they are taking towards meeting their PCI DSS compliance obligations.
On completion of the required steps, the merchant will then need to complete their relevant PCI compliance documentation to report their compliance with the standard.
How does it help an Acquirer?
A merchant may be working towards compliance correctly, but it can be difficult for them to show their progress – the Prioritised Approach demonstrates this very well. It also highlights the merchant’s risk in certain areas, and shows the estimated completion date of each milestone.
One of the main issues with compliance is that a merchant’s PCI compliance project sometimes doesn’t stay on track. Submitted Prioritised Approach worksheets will indicate whether the merchant is making progress compared to their last submission, making it easier for acquirers to monitor their merchants’ compliance efforts.
To help merchants understand PCI DSS and their compliance requirements, Sysnet’s merchant support services:
- Describe PCI DSS, its requirements, and relevance to merchants & acquirers.
- Describe how scoping payment channels can reduce the complexity of compliance.
- Walk through the merchant’s payment processes to understand how cardholder data is stored, processed and transmitted by the merchant.
- Help the merchant understand what is, and isn’t in scope for PCI DSS in each of their payment channels (Ecommerce, Face-to-Face and Mail Order/Telephone Order (MOTO)).
- Help the merchant understand the PCI DSS implications for their current payment systems and processes.
- Advise the merchant on possible ways to reduce the PCI DSS scope by making payment process changes or using technology to remove cardholder data from their systems.
Often, the outcome of a merchant engagement is that the merchant understands what needs to be done to become compliant and is able to complete the journey to compliance themselves. Merchants with relatively simple payment channels may be able to work through the shorter PCI Self-Assessment Questionnaires (SAQs) directly (where applicable) before self-certification or on-site assessment.
Other merchants with more complex systems may need more time to work towards becoming compliant. Sysnet always recommends the use of the PCI Prioritised Approach document in this scenario.
If you are a merchant that requires technical or PCI DSS help, please click here