PCI scope reduction has been the biggest stumbling block for healthcare organizations so far. While PCI doesn’t require the use of network segmentation to reduce scope, it can be a very effective strategy to help ease the burden of compliance. However, implementing a segmentation strategy on a production network where it hasn’t previously been in place is very tricky. It requires lots of planning, testing, and coordination in order to minimize unplanned outages and downtime. Still, healthcare entities should not let the daunting task of segmentation inhibit their PCI compliance efforts. One way or another, card data should be protected.
Most organizations believe they’re more compliant than they actually are, and this includes compliance with the PCI requirements. Many jump the gun – working on compliance rather than evaluating risks and vulnerabilities first. Some of the best money an organization can spend is on a PCI gap assessment. In fact, these assessments often pay for themselves.
A PCI gap assessment walks clients through the PCI controls to identify oversights or shortfalls in existing policies and practices. A plan is then developed to address them, with priorities assigned based on guidance from the PCI Security Standards Council. Scoping is a big part of the gap assessment: a well-defined scope paves the way for greater operational efficiency, significant cost savings, and reduced overhead.
It would behoove every organization to conduct a risk assessment – even before the gap assessment – prior to implementing PCI compliance. A risk assessment serves as a blueprint from which everything else follows, including the gap assessment and PCI compliance – prioritizing issues from highest to lowest.
Organizations should work with a QSA to evaluate the status of their PCI compliance program. A QSA can help provide interpretive guidance related to the PCI requirements and can provide insights regarding how other similar entities have addressed certain challenges. Not utilizing a QSA when assessing PCI compliance posture often results in inaccurate assumptions regarding PCI requirements and scope, and can lead to time and effort being expended in the wrong areas. When gaps are identified, remediation should focus on addressing the key issues first. Ancillary issues should then be assessed and resolved. Doing so eases the path to more efficient PCI compliance. It also makes stakeholder buy-in easier for the organization. Unfortunately, many organizations undergo a risk assessment yet fail to follow through on an action plan to address identified risks.