A Guide to Practical PCI Compliance
With all the doom and gloom about how difficult and costly PCI is supposed to be, the reality is that PCI compliance is attainable and sustainable, if you follow these tips.
A good example of this is a business with multiple locations, each containing numerous Point of Sale (POS) systems that send the results of their daily transactions back to a server across dedicated private network connections. The PCI Data Security Standard (DSS) requires intrusion detection systems (IDS) and firewalls to protect cardholder data being stored, processed or transmitted. Effective solutions here include routing and VLAN configurations that restrict access between the retail store PCI networks. In this scenario no network access would be allowed between the retail location networks. In addition, PCI systems would be deployed on dedicated VLANs within the retail locations and logically separated from non-PCI networks via router-based access control lists. Firewall-based segmentation and IDS could then be implemented at the single communication aggregation point into the corporate network infrastructure. PCI event logging requirements would still apply to all PCI systems at the corporate and retail locations; the cost of implementing the required segmentation, however, would be significantly less.
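To make the segmentation model above concrete, here is an added example (not from the original article) that models the store VLAN access control lists as first-match rules with an implicit deny, the way router ACLs behave, and checks sample flows against them. All addresses are constructed: each store's PCI VLAN is assumed to be 10.10.N.0/24, its non-PCI VLAN 10.20.N.0/24, and the corporate transaction server at the aggregation point 10.0.0.10. The point it demonstrates is that each store's POS systems can reach only the corporate aggregation point, not other stores' PCI VLANs and not the local non-PCI VLAN, in either direction.

```python
"""Added example: first-match ACL evaluation for per-store PCI VLAN segmentation.

Addressing plan (constructed for this example):
  10.10.N.0/24  PCI VLAN at store N (POS systems)
  10.20.N.0/24  non-PCI VLAN at store N (back office, guest Wi-Fi, etc.)
  10.0.0.10     corporate transaction server at the aggregation point
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

CORP_TXN_SERVER = "10.0.0.10/32"   # assumed aggregation-point server
ALL_STORE_PCI = "10.10.0.0/16"     # every store PCI VLAN
ALL_STORE_NONPCI = "10.20.0.0/16"  # every store non-PCI VLAN


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None matches any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls within every field of the rule."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """Router ACL semantics: first matching rule wins; no match means deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"  # implicit deny at the end of the list


def store_pci_acl(store: int) -> List[Rule]:
    """ACL applied inbound on store N's PCI VLAN interface."""
    pci_vlan = f"10.10.{store}.0/24"
    return [
        # POS systems may post transaction results to the corporate server only.
        Rule("permit", "tcp", pci_vlan, CORP_TXN_SERVER, 443),
        # No store-to-store PCI traffic and no PCI-to-non-PCI traffic.
        Rule("deny", "any", pci_vlan, ALL_STORE_PCI, None),
        Rule("deny", "any", pci_vlan, ALL_STORE_NONPCI, None),
        # Everything else falls through to the implicit deny.
    ]


def store_nonpci_acl(store: int) -> List[Rule]:
    """ACL applied inbound on store N's non-PCI VLAN interface."""
    nonpci_vlan = f"10.20.{store}.0/24"
    return [
        # Non-PCI hosts must never reach any PCI VLAN or the transaction server.
        Rule("deny", "any", nonpci_vlan, ALL_STORE_PCI, None),
        Rule("deny", "any", nonpci_vlan, CORP_TXN_SERVER, None),
        # Ordinary business traffic from the non-PCI VLAN is allowed.
        Rule("permit", "any", nonpci_vlan, "0.0.0.0/0", None),
    ]


def segmentation_report() -> Dict[str, str]:
    """Evaluate constructed sample flows against the store 1 ACLs."""
    pci_acl = store_pci_acl(1)
    nonpci_acl = store_nonpci_acl(1)
    return {
        "pos_to_corp_https": evaluate(pci_acl, Flow("tcp", "10.10.1.25", "10.0.0.10", 443)),
        "pos_to_other_store_pos": evaluate(pci_acl, Flow("tcp", "10.10.1.25", "10.10.2.25", 445)),
        "pos_to_local_nonpci": evaluate(pci_acl, Flow("tcp", "10.10.1.25", "10.20.1.50", 80)),
        "pos_to_corp_ssh": evaluate(pci_acl, Flow("tcp", "10.10.1.25", "10.0.0.10", 22)),
        "nonpci_to_local_pos": evaluate(nonpci_acl, Flow("tcp", "10.20.1.50", "10.10.1.25", 445)),
        "nonpci_to_internet": evaluate(nonpci_acl, Flow("tcp", "10.20.1.50", "203.0.113.5", 443)),
    }


if __name__ == "__main__":
    for name, decision in segmentation_report().items():
        print(f"{name:26s} {decision}")
```

Because every store's PCI VLAN only ever talks to the aggregation point, a single firewall and IDS placed there sees all cardholder-data traffic, which is what lets the scenario avoid deploying a firewall and IDS pair in every store.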
Remediation Project Plan
A PCI remediation project plan is needed following a PCI gap or self-assessment. The findings and recommendations can be numerous and overwhelming; it's important to review and thoroughly understand the implications of the gap assessment results.
Once potential solutions have been identified and agreed upon, the tasks are entered into a Microsoft Project file or other appropriate electronic document. The tasks should then be prioritized based on business and organizational objectives; personnel can be assigned tasks based on subject matter expertise and scheduling availability.
Project Status Meetings
To keep the remediation effort on track, it's extremely beneficial to hold regular project status meetings. The frequency of the meetings depends on numerous factors such as compliance deadlines, availability of personnel and resources, change control and maintenance requirements, etc. The project manager (PM) should schedule and moderate the project status meetings.
Personal productivity can also suffer from attending unnecessary meetings. Keep the PCI remediation project status meetings on track and keep technical discussion at a high level: review whether a given task has been completed, briefly discuss any possible roadblocks and record updates to task status for individual efforts.
When detailed discussions become necessary, it's often valuable to assign a three- to five-minute time limit. If the issues cannot be resolved within that time frame, take those discussions offline to be resolved.
When each meeting is completed, the PM should update the project plan based on detailed notes, task assignments and updated requirements. The project plan should then be disseminated to all those participating in the remediation effort.