{"id":172,"date":"2014-08-23T01:51:03","date_gmt":"2014-08-23T01:51:03","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=172"},"modified":"2017-01-20T07:52:22","modified_gmt":"2017-01-20T07:52:22","slug":"seven-lessons-learned-from-pci","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/","title":{"rendered":"Seven Lessons Learned from PCI"},"content":{"rendered":"<p>OutworX became a PCI-capable development organisation quite some time ago.\u00a0 Those who have trod the road to PCI compliance know that it is not an easy task.\u00a0 Here are some reflections on lessons we learned along the way, which we hope will help you:<\/p>\n<h3><strong><span style=\"color: #808080;\">1. Read the PCI Specs Yourself<\/span><\/strong><\/h3>\n<p>You&#8217;ll often see the PCI DSS (Data Security Standard) summarised by 12 points.\u00a0 But each of those points contains many more requirements.\u00a0 Before you are done, you will actually need to deal with several hundred requirements.\u00a0 You&#8217;ll need to read the specs to find out all of your obligations.\u00a0 You&#8217;ll also need that knowledge to judge how well your internal team and partners are doing on PCI compliance.<\/p>\n<p>You can find the PCI specifications <a title=\"PCI Standards and Documents\" href=\"https:\/\/www.pcisecuritystandards.org\/security_standards\/index.php\" target=\"_blank\">here<\/a>.<\/p>\n<h3><strong><span style=\"color: #808080;\">2. 
Get Advice From a PCI QSA (Qualified Security Assessor)<\/span><\/strong><\/h3>\n<p>As you implement PCI, you are going to have questions.\u00a0 Have a QSA firm onboard early to help you through the process and answer those questions.\u00a0 There are many good firms out there.\u00a0 We worked with <a title=\"Coalfire\" href=\"http:\/\/www.coalfire.com\/Home\" target=\"_blank\">Coalfire<\/a>, and found them helpful.\u00a0 <a title=\"Trustwave\" href=\"https:\/\/www.trustwave.com\/home\/\" target=\"_blank\">Trustwave<\/a> also has PCI programs.<\/p>\n<h3><span style=\"color: #808080;\"><strong>3. Train Your Developers (and Keep Training Them)<\/strong><\/span><\/h3>\n<p>Most developers are not trained in secure coding practices.\u00a0 You&#8217;ll have to train them, or they simply won&#8217;t be able to produce the secure code that is required.<\/p>\n<p>We used online training available from the Coalfire partner <a title=\"AppSec Consulting\" href=\"https:\/\/www.appsecconsulting.com\/http:\/\/\" target=\"_blank\">AppSec Consulting<\/a>.<\/p>\n<p>The gold standard in security training is the <a title=\"The SANS Institute\" href=\"http:\/\/www.sans.org\/http:\/\/\" target=\"_blank\">SANS Institute<\/a>.\u00a0 Their courses are more in-depth, and also more expensive.<\/p>\n<p>Since the threat landscape is always changing, you will need to periodically give your developers additional training.<\/p>\n<h3><strong><span style=\"color: #808080;\">4. 
PCI Transforms Development and IT<\/span><\/strong><\/h3>\n<p>PCI is not something that you merely add on to your development and IT (or your DevOps).\u00a0 It is something that changes the way you work.<\/p>\n<p>Developers must always be conscious of security in their designs and coding.\u00a0 Security needs to be baked in, and not added as an afterthought.<\/p>\n<p>Likewise, IT has to be good at security.\u00a0 They&#8217;ll need an arsenal of tools to harden systems, keep patches up to date, and look for breaches.\u00a0 They&#8217;ll need plans to respond to breaches, and should know what outside security firms to go to if they need help.\u00a0 They will need to consider PCI and security for every new system and network that is in scope for PCI.<\/p>\n<p>PCI takes most developers and IT people to a much higher level of security awareness, and demands a lot from them.<\/p>\n<h3><strong><span style=\"color: #808080;\">5. PCI is an Ongoing Commitment, not a One Time Checklist<\/span><\/strong><\/h3>\n<p>This is where many companies go wrong.\u00a0 It is easy to make a long checklist out of the PCI requirements, to focus on just barely meeting them for the audit, and then forget about them until the next audit.\u00a0 But this is the wrong approach.<\/p>\n<p>The goal of PCI is to create a secure environment that protects cardholder data.\u00a0 And that is not a one-time (or yearly) event but an ongoing process that takes continual effort.\u00a0 The bad guys are constantly working on ways to break in.\u00a0 You need to be constantly working on keeping them out.<\/p>\n<h3><strong><span style=\"color: #808080;\">6. 
PCI Requires More Time and Money Than You Originally Planned<\/span><\/strong><\/h3>\n<p>We underestimated the amount of time and money needed to achieve compliance.\u00a0 We have seen other companies do the same.\u00a0 So don&#8217;t be surprised if you wind up dedicating more resources to PCI than you originally anticipated.\u00a0 Keep the ultimate goal of security in mind, and you&#8217;ll make it.<\/p>\n<h3><strong><span style=\"color: #808080;\">7. A Touch of Security Fanaticism is a Good Thing<\/span><\/strong><\/h3>\n<p>The bad guys are very good at what they do, which is breaking into your systems.\u00a0 So don&#8217;t be afraid to be somewhat fanatical about security.\u00a0 Don&#8217;t be complacent or take shortcuts, thinking &#8220;It won&#8217;t happen to me.&#8221;\u00a0 If you read about a vulnerability that was exploited, and you know that you have the same one, then fix it ASAP.\u00a0 Secure your systems the best you know how, and then look for ways to make them even more secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OutworX became a PCI-capable development organisation quite some time ago.\u00a0 Those who have trod the road to PCI compliance know that it is not an easy task.\u00a0 Here are some reflections on lessons we learned along the way, which we hope will help you: 1. 
Read the PCI Specs Yourself You&#8217;ll often see the PCI DSS (Data &hellip; <a href=\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Seven Lessons Learned from PCI&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[15,14],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Seven Lessons Learned from PCI | OutworX<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Seven Lessons Learned from PCI | OutworX\" \/>\n<meta property=\"og:description\" content=\"OutworX became a PCI-capable development organisation quite some time ago.\u00a0 Those who have trod the road to PCI compliance know that it is not an easy task.\u00a0 Here are some reflections on lessons we learned along the way, which we hope will help you: 1. 
Read the PCI Specs Yourself You&#8217;ll often see the PCI DSS (Data &hellip; Continue reading &quot;Seven Lessons Learned from PCI&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/\" \/>\n<meta property=\"og:site_name\" content=\"OutworX\" \/>\n<meta property=\"article:published_time\" content=\"2014-08-23T01:51:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-01-20T07:52:22+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\",\"url\":\"https:\/\/www.outworx.com\/blog\/\",\"name\":\"OutworX\",\"description\":\"Blogs, News and Updates of IT Industry | OutworX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.outworx.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#webpage\",\"url\":\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/\",\"name\":\"Seven Lessons Learned from PCI | 
OutworX\",\"isPartOf\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\"},\"datePublished\":\"2014-08-23T01:51:03+00:00\",\"dateModified\":\"2017-01-20T07:52:22+00:00\",\"author\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.outworx.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Seven Lessons Learned from PCI\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"description\":\"Outworx@Admin\",\"url\":\"https:\/\/www.outworx.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Seven Lessons Learned from PCI | OutworX","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/","og_locale":"en_US","og_type":"article","og_title":"Seven Lessons Learned from PCI | OutworX","og_description":"OutworX became a PCI-capable development organisation quite some time ago.\u00a0 Those who have trod the road to PCI compliance know that it is not an easy task.\u00a0 Here are some reflections on lessons we learned along the way, which we hope will help you: 1. Read the PCI Specs Yourself You&#8217;ll often see the PCI DSS (Data &hellip; Continue reading \"Seven Lessons Learned from PCI\"","og_url":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/","og_site_name":"OutworX","article_published_time":"2014-08-23T01:51:03+00:00","article_modified_time":"2017-01-20T07:52:22+00:00","twitter_misc":{"Written by":"admin","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.outworx.com\/blog\/#website","url":"https:\/\/www.outworx.com\/blog\/","name":"OutworX","description":"Blogs, News and Updates of IT Industry | OutworX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.outworx.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#webpage","url":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/","name":"Seven Lessons Learned from PCI | OutworX","isPartOf":{"@id":"https:\/\/www.outworx.com\/blog\/#website"},"datePublished":"2014-08-23T01:51:03+00:00","dateModified":"2017-01-20T07:52:22+00:00","author":{"@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632"},"breadcrumb":{"@id":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.outworx.com\/blog\/seven-lessons-learned-from-pci\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.outworx.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Seven Lessons Learned from 
PCI"}]},{"@type":"Person","@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/4a222258173fdc00e104b30c5fc10632","name":"admin","image":{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91f39a5ea2f90d0d957945f581465a21?s=96&d=mm&r=g","caption":"admin"},"description":"Outworx@Admin","url":"https:\/\/www.outworx.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/172"}],"collection":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/comments?post=172"}],"version-history":[{"count":10,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":899,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/172\/revisions\/899"}],"wp:attachment":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media?parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/categories?post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/tags?post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}