The Payment Card Industry Data Security Standard, or PCI DSS, provides a well-defined list of security requirements, but many organizations are left with more questions than answers when it comes to determining how best to address each requirement in a manner that will be considered acceptable for PCI compliance.
When approaching PCI compliance, much of the effort can often be handled in-house, but it’s also important to know when to ask for help. Misinterpretation of PCI requirements may lead to costly mistakes. To address the need for expert guidance, the PCI Security Standards Council maintains a program for training Qualified Security Assessors (QSAs).
A QSA is not intended to be merely an auditor, but is also meant to act as an advisor to organizations working to achieve PCI compliance. QSAs are trained to provide clarification of the underlying intent of the PCI requirements and to assist organizations in identifying reasonable means of satisfying PCI obligations.
The following step-by-step approach for becoming PCI compliant will help your organization avoid many of the pitfalls commonly associated with the process:
1. Educate Yourself
Read the PCI DSS, preferably several times. Make sure you understand each requirement and try to see the underlying intent of each. Make a list of all the questions you have. Read PCI-related forums and blogs to see how other companies are addressing PCI compliance issues. It’s often helpful to engage a PCI QSA (PCI Qualified Security Assessor) at this point to provide direction and answers to questions that will inevitably arise during the process of becoming PCI-compliant.
2. Determine Your PCI Classification
Work with your acquiring bank to determine which merchant or service provider classification level applies to your organization for compliance validation purposes. Each acquiring bank is responsible for ensuring the compliance of all of its merchants, so the bank has the authority to determine your company’s PCI classification level.
3. Perform Data Discovery
Find out where cardholder data currently exist in your environment. Identify all payment acceptance channels, map the flow of cardholder data across the network, and identify all places where those data are stored. It is helpful to create a “network topology diagram” that shows network segments where key systems reside – then map the cardholder data flow onto this diagram for a visual representation of where credit card data are transmitted, processed or stored in your network. Sensitive Data Scanning can greatly assist in this area.
4. Whenever Possible, Eliminate Cardholder Data Instead of Securing It
Securely dispose of any cardholder data that’s not required. This may help to reduce the scope for PCI compliance and will likely reduce the costs associated with becoming compliant. Some companies will still need to retain credit card data but should make sure it’s stored in a centralized, tightly controlled manner.
5. Define the Scope for PCI Compliance
Now that you know where the cardholder data exist, who has access to the data, and how the network is segmented, the scope for PCI compliance can be determined. The entire enterprise (in terms of network and staff) may not necessarily need to be included within the scope of PCI compliance – and proper scoping is essential to controlling costs for PCI compliance! The PCI DSS applies to all systems that store, process or transmit cardholder data, as well as any systems connected to those (in other words, other systems on the same network segment, not separated by a firewall). Systems involved in managing the security of other in-scope systems are considered in-scope as well.
6. Perform a Gap Assessment
Perform a gap assessment based upon the established PCI scope. Determine whether each requirement is satisfied for all in-scope systems. The PCI DSS Requirements and Assessment Procedures document (see link to PCI Council’s web site below to download) provides additional details regarding how to validate the presence of each required control.
7. Implement Changes to Address Non-Compliant Findings
Build a remediation plan to address non-compliant findings. Implement required controls, write policies, update legal contracts, etc. This step can often turn into an extensive process, depending on the present state of information security and governance in your organization. PCI requirements include technical, physical and administrative controls, so organizations without a well-developed InfoSec program will find there’s a lot to be built in order to address PCI requirements.
8. Perform Quarterly Vulnerability Scanning and Annual Penetration Testing
Find an Authorized Scan Vendor to scan all Internet-accessible systems on a quarterly basis. Remediate any non-compliant findings and rescan until a fully compliant scan report is obtained. Organizations also must perform penetration testing (network and application layers) at least annually or when significant changes are made to the environment.
9. Provide Validation of PCI Compliance
Have an on-site audit performed, or complete the self-assessment questionnaire. Submit the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ), along with the quarterly scan results, to your acquiring bank (for merchants) or to the card brands (for service providers).
10. Stay Compliant through Ongoing Security Maintenance
Maintain security controls according to guidelines outlined in the PCI DSS to ensure ongoing compliance. There is “safe harbor” protection for organizations that can demonstrate they were in full compliance with the PCI DSS at the time of a breach. This is why it’s important not only to become compliant, but also to stay compliant.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
The following are additional reference materials that are available online and may be useful:
• www.pcisecuritystandards.org – This is the official PCI Security Standards Council website, where you can find all of the official documents related to PCI.
• Visa Cardholder Information Security Program (CISP) overview: http://usa.visa.com/download/merchants/cisp_overview.pdf
• List of Qualified Security Assessors: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
• List of Authorized Scanning Vendors: https://www.pcisecuritystandards.org/pdfs/asv_report.html