In a previous post, I discussed the so-called “Requirement 0” of PCI DSS 2.0; that is, responsibility for determining and documenting the scope for PCI DSS shifting from the Qualified Security Assessor (QSA) to the entity. Oftentimes this conversation comes up as part of a bigger discussion around the process of becoming and staying compliant while meeting business, financial, IT, and customer demands. Balancing these can be a daunting task.
Symantec Strategy and Advisory Services has developed a program model for PCI DSS compliance to assist with this. Using an ADTO framework – Assess, Design, Transform, and Operate – it breaks the process into four phases. This model is also a lifecycle as it acknowledges the need to feed data and lessons learned back into assessment, allowing for increasing maturity with decreasing cost over time. The model looks like this:
Let’s dive into the ADTO model and discuss how it can assist with PCI DSS compliance.