Managing Your PCI DSS Compliance Status

Complying with all 220+ PCI requirements involves much more than a point-in-time assessment or filling out the Self-Assessment Questionnaire. True compliance must be maintained year round. The PCI DSS mandates that organizations perform literally hundreds of compliance tasks on a daily, weekly, monthly, quarterly and annual basis.

Some examples are given below:

• Daily: Audit log review, Backup media, Anti-virus updates, Physical security access logs, etc.
• Weekly: File integrity monitoring, Firewall management, etc.
• Monthly: Password changes, Patch management, Configuration review, etc.
• Quarterly: Internet vulnerability scans, User account review, Firewall rule set review, etc.
• Annual: On-site audit, Penetration test, Policy and procedure review, Third-party contracts, etc.

Insight PCI Compliance Portal

The Insight PCI Compliance Portal is an annual subscription service that helps clients properly interpret and apply PCI requirements and then track their compliance status throughout the year. As a result, clients are able to more efficiently and effectively mitigate risk to cardholder data and achieve and maintain compliance.

Online Resources

• PCI DSS Knowledge Base – Insight’s peer-reviewed knowledge base provides detailed guidance on each PCI requirement. In addition, it is searchable, enabling users to significantly reduce time spent on compliance administration. For example, users can sort the requirements by role, by test type, or by free-text search, and generate predefined reports.

• Compliance Task Management & Evidence Repository – Insight’s compliance task management functionality enables users to identify PCI-mandated compliance tasks, assign them to users or groups, notify users or groups via e-mail, collect status updates, and generate management reporting. By automating compliance task management, organizations gain efficiencies and reduce the risk of unintentionally falling out of compliance. Once compliance has been noted for each task, the supporting evidence can be uploaded into the system for future compliance validation activities.


• News – Insight provides daily news updates on cardholder data related topics such as security incidents, legal cases, card brand updates, new reports and threat trends, etc. A quarterly newsletter provides more in-depth analysis of important legal trends, incidents, and technical compliance topics.

• Program Plan – Insight’s program planning template can be used to refine PCI DSS program management processes. The template covers organization, risk analysis, scoping, internal assessment, remediation, testing, and maintenance.

• Risk Analysis Model – The risk analysis model enables organizations to quantify their annual loss expectancy from a cardholder data breach. Whether the model is used qualitatively or quantitatively, it helps executives size the risk posed by cardholder data.

• Other Resources – Insight maintains links to a variety of helpful resources from the PCI Security Standards Council, the card brands, the FTC, states, etc.

On-Demand Consulting

While most requirements will be straightforward to a skilled IT security professional, particularly with the assistance provided by Insight’s Portal, some questions will inevitably remain unanswered. Insight’s inquiry system helps provide answers.

Submission: Clients can submit a written inquiry through the Inquiry Tracking System. This ensures the following:

• The inquiry can be assigned to the Executive Analyst most familiar with the subject
• The assigned Executive Analyst can carefully consider his/her response
• Insight can track the response and ensure that it is delivered promptly
• The client receives a written response to avoid misunderstandings
• Responses are archived for later reference

Committed Response Time: Insight will respond to “routine” inquiries within three (3) business days. In the event that Insight needs to consult with an external party or conduct extensive research, Insight will notify the client that the inquiry is “extraordinary” and will respond within five (5) business days. If Insight fails to respond to a “routine” or “extraordinary” inquiry within the service level agreement, Insight will provide the answer free of charge (the inquiry will not be deducted from the total purchased).

Follow-up: In the event that the client is unsatisfied with the answer or has additional follow-up questions, the client has the option to submit a clarification in writing or request a conference call. Either way, no additional charge will apply as this is still considered part of the original inquiry.

Training Resources

The Insight PCI Compliance Management Portal includes an optionally licensed online training center. These self-guided courses serve to educate IT staff and business owners about their PCI obligations. There is also an employee awareness training course that satisfies the PCI requirement to provide such training to all employees who work with cardholder data. All courses conclude with a knowledge assessment, and management reporting is available to ensure that the training resources are effectively used.

• IT Professional Training Course – Specific course modules are directed at the various IT roles including network, application and system administrators and security management personnel. Total time for all modules is typically between 4 and 12 hours and concludes with a knowledge assessment for each module.

• Risk Owner Training Course – This course is intended for business management personnel with responsibility over the business functions that interact with cardholder data.

• End-user Security Awareness Course – This training course is intended for the retail employee who works with cardholder data during their daily activities.