The Payment Card Industry Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council (PCI SSC). It defines a set of requirements intended to protect merchants, banks, payment card brands and consumers from payment card fraud. The intention is that by following the mostly common-sense requirements of the Standard (and the other payment standards managed by the SSC), organizations will protect their payment environments from the data breaches and theft that lead to payment fraud. Even without a data breach, organizations found non-compliant can face fines of between $5,000 and $500,000 a month, assessed by the payment brands and passed down through the acquiring bank. Given that potential (not to mention the damage your brand may experience in the event of a breach), PCI DSS compliance should not be taken lightly. In fact, we put together a comprehensive checklist for PCI DSS compliance to help organizations meet their obligations.
Because the PCI DSS applies to every business that stores, processes or transmits payment card data, regardless of size, several different methods exist to demonstrate compliance. The three steps of the process, as defined by the Council, are: Assess, Remediate and Report. For the vast majority of businesses, the process is relatively simple:
- Organizations determine their Merchant Level from the levels published by the payment brands (and confirmed by their acquiring bank). Merchant Levels are determined primarily by the number of transactions processed per year, so a high-growth organization may find itself in a different Merchant Level once it exceeds the previous year’s transaction volume. It is therefore critical to become familiar with the Merchant Levels and to re-check yours each year.
- Each Merchant Level has a corresponding method for documenting compliance. Most businesses will find this involves completing a PCI DSS Self-Assessment Questionnaire (SAQ). Note that the Merchant Level decides whether an SAQ is sufficient; which SAQ applies (A, A-EP, B, C, D and so on) depends on how the business accepts and handles card data, for example a fully outsourced e-commerce checkout versus an in-store terminal. The business must also correct any processes or systems found not to meet the requirements covered by the questions of its SAQ.
- Once the SAQ is completed, the business fills out the corresponding formal Attestation of Compliance (AOC) and shares it with its acquiring bank or the payment processor that requested it.
Businesses with Internet-facing systems in scope (those that conduct transactions over the web, for example) are also required to have quarterly external vulnerability scans of their website and online shopping cart performed by a PCI SSC Approved Scanning Vendor (ASV). For the largest organizations, or those processing the largest volumes of payment transactions, there is also a requirement to “prove” compliance beyond the self-reporting of the SAQ. These organizations must have an on-site assessment conducted by an independent specialist known as a Qualified Security Assessor (QSA), which results in a Report on Compliance (ROC) rather than an SAQ.
What Is the Role of a Qualified Security Assessor (QSA)?
QSA companies are qualified by the PCI SSC, and their individual assessors are trained and tested on their ability to help organizations assess their operations against the PCI DSS and other requirements. They also help these organizations bridge any gaps in their compliance programs to ensure that the intent of each requirement and sub-requirement of the PCI DSS is met or exceeded by every process and system that touches a payment card transaction.
In an assessment, a QSA will:
- Examine all payment systems and systems touching payment systems within your organization
- Identify any vulnerabilities or areas not currently meeting the minimum requirements of the Standards
- Work with your team to identify “compensating controls” or other measures that should be taken to meet the requirements. Note that a compensating control is only acceptable where a legitimate technical or documented business constraint prevents meeting the requirement as written; it must meet the intent and rigor of the original requirement and be documented on a compensating controls worksheet as part of the assessment.
What to Do Before a PCI Assessment
While most of these steps are common-sense best practices, the steps your organization takes before a QSA assessment can significantly reduce the time, cost and scope of the assessor’s review.
1. Know Where Payment Card Data Lives
The first step in securing anything valuable is to know exactly where you keep it. With payment card data, that means understanding every system, network segment and business process that touches the payment process, or is adjacent or connected to it. A comprehensive network diagramming exercise, paired with a cardholder data-flow diagram showing how card data enters, moves through and leaves the organization (the Standard requires both), helps you understand not only where your payment data resides, but also where it probably doesn’t need to reside or shouldn’t reside at all. Look beyond the obvious databases: application logs, support tickets, e-mail, backups and spreadsheets are common places for card data to accumulate unintentionally. Parts of the business like the call or contact center are repositories for large amounts of sensitive customer information (including card numbers read over the phone and typed into agent notes) and should be examined with extra attention. Removing networks and systems that don’t need to be involved from the payment process is what is commonly meant by network segmentation and de-scoping a payment environment. Understanding where data needs to remain “in play”, while reducing the systems and protocols that touch the payment process to only those you need to properly process payments, confines your payment security risk to those areas and reduces the total scope the QSA will assess later. Keep in mind that segmentation only reduces scope if it is effective: the Standard requires penetration testing to verify that the segmentation controls actually isolate the cardholder data environment from out-of-scope networks.
2. Examine Your Infrastructure for Vulnerabilities and Overall Risk
By reducing the payment card environment (the people, places and things, or systems involved in processing payment card transactions) to only what is necessary for your operations, you can then honestly conduct a risk assessment on the card data environment first, and broader organizational risks, second.
In conducting an honest risk assessment, it helps to think like an attacker. (The Standard already requires assessed entities to perform penetration testing at least annually and after significant changes, and newer requirements oblige service providers to test their segmentation controls at least every six months.) Payment card data is an important source of revenue for cybercriminals and is often the target of malicious attacks. In fact, the most recent Global Security Report from Trustwave indicates that 40 percent of breaches targeted payment card data. The report also details many major vulnerabilities, web threats and POS attacks, as well as attacks by industry in the last year (it’s definitely worth a read as you put your hacker hat on to prepare an imagined assault on your own sensitive data). So, if you were attempting to breach your organization, how would you do it? Use your imagined route of penetration as a guide to help you understand your primary areas of risk.
3. Document Your Organization’s Security Policies and Procedures
Next, in preparation for your assessment, you will want to document the policies and procedures that form the basis of your organization’s security program. Critical elements include how your organization rolls out software patches (patch management), how changes to in-scope systems are reviewed and approved (change control), and how you plan to continue adherence to the PCI DSS after the assessment. As the Council is fond of saying, “You are only one change control away from non-compliance.” Planning in advance can help you maintain ongoing compliance.
Those plans should include educating your organization’s workforce on the PCI Standards, the policies and solutions you have in place within your compliance program, and their roles in maintaining compliance.
After steps 1-3 are conducted, you should have comprehensive knowledge (or at least strong intuition) about your organization’s readiness for an assessment, or any current gaps in your compliance program that you can either address yourself, or work with your QSA to solve.
Work WITH Your QSA
When it is time for the actual assessment, share everything you have collected and documented with the QSA. Even if you are currently compliant, share any concerns you may have about the long-term effectiveness of existing measures. You will still receive your Report on Compliance (ROC) now, but discussing areas of difficulty with your QSA may help the two of you create new compensating controls that prove more effective in the long run. Keep abreast of changes and updates to the Standards and discuss upcoming requirement changes in advance with your partnering QSA. Last-minute scrambling to meet requirements has, in the past, resulted in business or process interruption. Advance planning may help ensure future business continuity and preserve the operational status quo of your organization.
Your QSA can also help you bulk up your current policies and procedures to create a beneficial program that ensures ongoing compliance maintenance and adherence to the Standards.
Understand that an assessment will help your ongoing compliance program immensely. While preparing for and anticipating what will occur in a PCI assessment is a lot of work, it is far less work than a breach of payment data will require, and an overall improvement in security is just one of the many benefits of PCI DSS compliance.