Risk Based Approach to PCI DSS
The PCI compliance industry is moving towards a risk-based approach to PCI DSS validation of computer systems, software, and processes, in order to streamline compliance costs while optimizing procedures. Companies that develop a risk-based approach by categorizing risks, and the respective plans for the PCI compliance program, can expect to achieve the benefits the methodology provides. Benefits of the risk-based approach for PCI compliance include the development of documentation standards, reduced testing in the risk-based environment, and reduced time and effort through task differentiation, maintenance, and optimization.
PCI Compliance Security Procedures
Even though PCI DSS and related PCI compliance activities broadly address risk-based approaches, certain aspects of the initiative should focus primarily on implementing specific risk-based approaches. To ensure that a risk management approach is applied when allocating PCI compliance officer resources, companies should develop a quantitative risk-based selection model for choosing which managed devices to audit. The PCI compliance program can serve as a model or basis for various types of payment card transactions, which helps predict where PCI audit inspections are most likely to achieve the greatest impact. Compliance models should include risk factors relating to the managed devices (such as compliance history) and to the type of credit card processing involved. Risk factors relating to the specific device and to the level of process understanding should also be considered.
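The paragraph above calls for a quantitative selection model built from four kinds of risk factor: compliance history, type of card processing, device-specific factors, and level of process understanding. The following Python is an added illustration of such a model, not code from the original page or from any PCI program. The weights, the processing-type ratings, the device attributes and the sample inventory are all constructed assumptions; a real program would calibrate them against its own audit findings.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical weights for the four risk factors the text names; a real
# program would calibrate these against its own audit history.
WEIGHTS = {
    "compliance_history": 0.35,     # prior findings on the device
    "processing_type": 0.30,        # type of card processing it performs
    "device_exposure": 0.20,        # device-specific factor, here: internet-facing or not
    "process_understanding": 0.15,  # how well the surrounding process is understood
}

# Constructed risk ratings per processing type (0.0 = lowest, 1.0 = highest).
PROCESSING_TYPE_RISK = {
    "card_present_p2pe": 0.2,  # validated point-to-point encryption terminal
    "card_present": 0.5,
    "ecommerce": 0.8,
    "moto": 0.9,               # mail order / telephone order, manually keyed
}


@dataclass(frozen=True)
class ManagedDevice:
    name: str
    prior_findings: int           # findings from previous PCI audits
    processing_type: str
    internet_facing: bool
    process_understanding: float  # 0.0 (undocumented) .. 1.0 (fully documented)


def risk_score(device: ManagedDevice) -> float:
    """Weighted score in [0, 1]; a higher score means audit this device sooner."""
    # Five or more prior findings saturates the history factor.
    history = min(device.prior_findings / 5.0, 1.0)
    # An unknown processing type is itself a red flag: treat it as maximum risk.
    processing = PROCESSING_TYPE_RISK.get(device.processing_type, 1.0)
    exposure = 1.0 if device.internet_facing else 0.3
    # Less understanding of the process means more risk.
    understanding = 1.0 - max(0.0, min(device.process_understanding, 1.0))
    score = (
        WEIGHTS["compliance_history"] * history
        + WEIGHTS["processing_type"] * processing
        + WEIGHTS["device_exposure"] * exposure
        + WEIGHTS["process_understanding"] * understanding
    )
    return round(score, 3)


def select_for_audit(devices: Iterable[ManagedDevice], budget: int) -> List[str]:
    """Return the names of the `budget` highest-risk devices, ties broken by name."""
    ranked = sorted(devices, key=lambda d: (-risk_score(d), d.name))
    return [d.name for d in ranked[:budget]]


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    ManagedDevice("pos-terminal-01", 0, "card_present_p2pe", False, 0.9),
    ManagedDevice("web-checkout-api", 3, "ecommerce", True, 0.6),
    ManagedDevice("call-center-vdi", 1, "moto", False, 0.3),
    ManagedDevice("legacy-batch-host", 6, "unknown", False, 0.2),
]

if __name__ == "__main__":
    for d in sorted(SAMPLE_DEVICES, key=lambda d: -risk_score(d)):
        print(f"{d.name:20s} {risk_score(d):.3f}")
    print("audit first:", select_for_audit(SAMPLE_DEVICES, 2))
```

Two design choices are worth noting: an unrecognised processing type scores as maximum risk rather than being silently skipped, so inventory gaps surface at the top of the audit queue instead of disappearing from it, and the ranking is deterministic (ties broken by name) so that two officers running the model over the same inventory get the same audit list.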
PCI Compliance Best Practices
Separation of duties is an enforcement process that prevents conflicts of interest and is among the most important fraud-prevention PCI compliance best practices, yet it is often ignored. Based on the concept of mutually exclusive roles, organizations restrict an individual PCI compliance officer or internal audit group from conducting all phases of the compliance audit, thus ensuring security without having to worry about the activities of other PCI compliance security procedures and risk management audit activities.
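The mutually exclusive roles rule described above can be enforced mechanically before an audit is staffed. The Python below is an added example, not code from the original page; the four audit phases and the pairs declared mutually exclusive are constructed assumptions for the illustration, and a real program would substitute its own phase list and exclusion matrix.

```python
from __future__ import annotations

from typing import Dict, FrozenSet, List, Set

# Phases of a PCI compliance audit (hypothetical breakdown for this example).
AUDIT_PHASES = ("planning", "fieldwork", "reporting", "signoff")

# Pairs of phases that must never be held by the same officer or group
# (constructed for this example; a real program defines its own matrix).
MUTUALLY_EXCLUSIVE: Set[FrozenSet[str]] = {
    frozenset({"fieldwork", "signoff"}),
    frozenset({"reporting", "signoff"}),
}


def sod_violations(assignments: Dict[str, str]) -> List[str]:
    """Check a phase -> assignee map for an audit and return its violations, sorted."""
    violations: List[str] = []

    # Every phase must be staffed before the checks below mean anything.
    missing = [p for p in AUDIT_PHASES if p not in assignments]
    if missing:
        violations.append("unassigned phases: " + ", ".join(missing))

    # Core rule from the text: no single officer or group conducts all phases.
    assignees = {assignments[p] for p in AUDIT_PHASES if p in assignments}
    if not missing and len(assignees) == 1:
        violations.append(f"{next(iter(assignees))} conducts every audit phase")

    # Finer-grained rule: declared mutually exclusive pairs.
    for pair in MUTUALLY_EXCLUSIVE:
        a, b = sorted(pair)
        if a in assignments and b in assignments and assignments[a] == assignments[b]:
            violations.append(f"{assignments[a]} holds both {a} and {b}")

    return sorted(violations)


def is_compliant(assignments: Dict[str, str]) -> bool:
    return not sod_violations(assignments)


# Constructed staffing plans (names are placeholders, not real people or teams).
OK_AUDIT = {
    "planning": "compliance-officer-a",
    "fieldwork": "internal-audit",
    "reporting": "internal-audit",
    "signoff": "compliance-officer-b",
}
BAD_AUDIT = {phase: "compliance-officer-a" for phase in AUDIT_PHASES}

if __name__ == "__main__":
    for label, plan in (("ok", OK_AUDIT), ("bad", BAD_AUDIT)):
        print(label, sod_violations(plan) or "no violations")
```

Running the check at staffing time, rather than discovering the conflict during the audit, is the point: a plan with any violation is rejected before anyone starts work, and the sorted violation list is stable enough to diff in a ticket or a CI job.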