September 2007

TECHNICAL INSIGHT: PCI

PCI Compliance: How to Pass With Flying Colors

By Gargi Mitra,
Product Marketing

Remember all the things you used to do in college to prepare for final exams? You took preparation quizzes and reviewed only the topics you knew would be on the exam, and you usually passed.

Preparing for a Payment Card Industry Data Security Standard (PCI DSS) audit is not that different. But in the real world, you may be “tested” on items that aren’t on the exam.

So what’s the best way to respond to PCI requirements? Be practical. Do what you have to do, and do what you really should do. Remember, it’s ultimately to your benefit to pass a PCI audit. The obvious motivator is the stiff fines you can incur for noncompliance. Under the compliance acceleration program, Tier 1 merchants that fail to meet compliance by September 30 of this year will be hit with fines starting at $25,000 per month.

And those are just the fines. The costs associated with credit card data breaches can be staggering. The TJX (holding company for many well-known retailers) case, disclosed in January 2007, involved the theft of more than 45.6 million credit card and debit card numbers and is generally regarded as the worst consumer data breach in recent history. So far, the retailer has paid out $5 million for investigation and security, and the final tally of losses is still not in.

But beyond avoiding heavy penalties and costly data breaches, PCI compliance is good for business. You’ll get more favorable transaction fees, and you’ll keep your customers safe, secure, and confident every time they do business with you. As an added bonus, you’ll gain better visibility into your IT infrastructure and security controls.

Your PCI compliance priorities should be to:

  1. Pass the audit, so that you don't get penalized
  2. Prevent any infraction that would violate the intent of the regulation
  3. Ensure a sustainable process for both PCI compliance and information security

1. Pass the PCI Audit
Twelve is the magic number for the PCI audit. It’s the number of categories that define the standard. Within each category are specific sub-requirements for compliance, including implementation of IT controls and validation of these controls.

The following table summarizes these requirements, which are detailed on the PCI Security Standards Council web site: https://www.pcisecuritystandards.org/.

General Requirement / Detailed Requirements

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Ensure the maintenance of vulnerability management programs
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Ensure the maintenance of information security policies
  12. Maintain a policy that addresses information security

2. Prevent Infractions of Cardholder Data
Obviously, this is the whole point of the PCI standard—to protect cardholder data. Regardless of your audit results, if your organization experiences a PCI data breach, it is liable and will certainly be penalized. In other words, passing a PCI audit doesn’t mean you are “protected” in any way, shape, or form. PCI DSS was developed and is being enforced to reduce the risk associated with business processes that involve cardholder data. PCI compliance may reduce risk, but it doesn’t give you amnesty for future data breaches.

3. Ensure a Sustainable Process
PCI compliance is not a one-time effort. If you want to continue doing business with the cardholder data you hold, you need to continue demonstrating PCI compliance. This is why your process for demonstrating and maintaining compliance must be sustainable.

A Practical Response to PCI Requirements
The challenges associated with PCI compliance require a response that is practical to implement. It must take into account your existing investments, business process requirements, expertise among personnel, and of course, budget. The table below highlights practical responses to each of these PCI compliance challenges.

PCI Compliance Challenge / Practical Response

1. Pass the PCI audit, so that you don’t get penalized.
  • Qualified Security Assessor (QSA) for Level 1 merchants
  • Approved Scanning Vendor (ASV), self-assessment questionnaire for all merchants
  • Partner with strategic vendors like McAfee that provide product and service offerings that cover as many of the 12 PCI categories as possible
  • Assess and modify internal processes to address all 12 categories of PCI
  • Select QSA and ASV services from vendors that have a track record in performing detailed security and vulnerability assessments for both internal and external networks
2. Prevent any infraction that would violate the intent of the regulation.
  • Protect cardholder data with all reasonable means
  • Employ a layered security model using technology that addresses the systems, network, and data components that host PCI data
  • Initiate employee awareness programs to educate your staff on how cardholder data should and should not be handled
3. Ensure a sustainable process for both PCI compliance and information security.
  • Don’t create a burden on IT and business resources in the course of achieving PCI compliance
  • Seek operational efficiency to minimize impact on resources—both personnel and budgetary—through manageable and integrated solutions:
    • Automate as much of the policy, process, and technology components of PCI as possible
    • Implement centrally managed solutions for these components
      • Minimize locations where policies are stored and updated

Take a Closer Look at McAfee for PCI Compliance
Given the complexity around protecting cardholder data and the coverage of policy, process and technology (“P-P-T”) by PCI DSS, there’s no silver bullet for PCI DSS compliance. But by partnering with the right strategic vendors, you can benefit from certain levels of automation of these P-P-T components and take advantage of other capabilities offered by their solutions, such as manageability and integration.

McAfee recently launched its Easy PCI Plan to immediately help Level 2 merchants meet their compliance deadline of September 30 and prepare for the holiday season, which runs from Thanksgiving (in North America) until after New Year’s Day. But this “easy” plan is not limited to Level 2 merchants. Any entity that touches cardholder data is required to be PCI compliant and can benefit from partnering with McAfee to pass its audits.

That said, it’s not just about passing the PCI audit. The idea is for businesses to implement a layered security strategy that sustains protection and compliance, to follow industry best practices to prevent loss of sensitive credit card data, and to build customer trust.

The table below summarizes the functional areas of these products and shows how McAfee can partner with you to pass PCI compliance audits with flying colors and gain operational efficiencies in your IT infrastructure controls that will help you maintain compliance with other regulations and frameworks.

PCI General Requirement / PCI Detailed Requirements / McAfee-PCI Direct Mapping

Build and maintain a secure network
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
     McAfee Remediation Manager: agent-based software remediation of systems to correct policy violations and fix vulnerabilities

Ensure the maintenance of vulnerability management programs
  5. Use and regularly update anti-virus software
     McAfee Total Protection™ Enterprise—Advanced: agent-based software that includes anti-virus, anti-spyware, personal firewall, McAfee Host Intrusion Prevention (HIPS), McAfee Network Access Control (NAC), and McAfee ePolicy Orchestrator®
     McAfee ePolicy Orchestrator: centralized management platform providing single-console management for McAfee Total Protection Enterprise and McAfee Data Loss Prevention Host, asset information for McAfee Foundstone®, agent deployment for McAfee Policy Auditor and McAfee Remediation Manager, and policy management for McAfee Secure Internet Gateway
     McAfee Secure Internet Gateway: integrated security application for web, email, and data loss prevention
  6. Develop and maintain secure systems and applications
     McAfee Foundstone Enterprise: network-based vulnerability management appliance
     McAfee Policy Auditor: agent-based software audits of IT controls to determine policy violations
     McAfee Remediation Manager

Regularly monitor and test networks
  11. Regularly test security systems and processes
     McAfee IntruShield: network intrusion prevention system (IPS) appliance
     McAfee Foundstone Professional Services
       • Business consulting: Health Checks, Program Development
       • Technology consulting: Software Application Security, Network Assessments
     McAfee Foundstone Enterprise: network-based vulnerability management appliance
     McAfee Total Protection Enterprise—Advanced: agent-based software that includes anti-virus, anti-spyware, personal firewall, McAfee Host Intrusion Prevention (HIPS), McAfee Network Access Control (NAC), and McAfee ePolicy Orchestrator®
