PCI DSS/ Security Compliance
How to prepare for a PCI DSS compliance audit
PCI DSS compliance is mandatory for any business or service provider that processes card payments and stores or transmits credit, debit or pre-paid card information. The process of achieving PCI DSS compliance can be daunting as it is quite comprehensive and covers many areas within a business, from technical security and related processes to staff training and awareness, to call centre operations and data storage, to name but a few. Achieving and maintaining PCI security compliance can be costly and complicated.
However, on the positive side, the standards are mature, and the process is well defined with precise requirements and compliance criteria.
The PCI DSS council provides many useful supplements to aid in preparation for a PCI DSS security audit (please note this is to be done annually). An excellent place to start is the PCI quick reference guide. The reference guide covers process requirements, checklists and self-assessment questionnaires, among other useful information.
One way to start your preparation is by understanding the end goal. That is the certification report and retracing it back to the PCI DSS requirements. The template for the report is available to download here and has this table as part of an on-site assessment (please note larger Level 1 merchants that process over six million Visa cards per annum require assessment by a QSA, while smaller merchants can do self-assessments).
Picture: Sample Assessment Report
The reference to Full, Partial and None are defined as follows:
- Full – The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Applicable” in the Supplemental Report on Compliance (S-ROC) for Designated Entities.
- Partial – One or more sub-requirements of that requirement were marked as “Not Applicable” in the S-ROC for Designated Entities.
- None – All sub-requirements of that requirement were marked as “Not Applicable” in the S-ROC for Designated Entities.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
- Details of specific sub-requirements that were marked as “Not Applicable” in the S-ROC for Designated Entities
- The reason why sub-requirement(s) were not applicable.
With the above in mind, the preparatory checklist can be best summarised as:
- Make sure you address all the requirements
- Define the scope
- Create an internal PCI team
- Get your documentation in order
- Conduct an internal assessment and gap analyses
IPSI recommends that companies leverage best of breed payment gateway services in conjunction with cloud-based tokenisation to reduce your companies PCI DSS compliance scope (initial and ongoing scope), cost, complexity and lead times.
Make Sure You Address All the Requirements
As you can see from the sample assessment, there is a direct correlation between the report and the PCI DSS requirements. The twelve PCI DSS requirements are:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes.
- Requirement 12: Maintain a policy that addresses information security for all personnel.
Underneath these requirements, there are more than two hundred sub-sets of requirements. The requirements cater to a diverse range of scenarios, and many do not apply to every organisation.
The first step is to define the scope of the PCI assessment. It is imperative as not defining the proper scope may disqualify the organisation, product or both. One way, especially for larger organisations to define the scope of the problem is to use a scanning tool such as IPSI’s recon tool to actively scan your environments to identify any unsecured credit card data stores across your organisation.
Define the Scope
The scope should cover people, process, technology and products being used.
As per PCI quick reference guide, scoping must occur at least annually before the assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all relevant system components are included in scope for PCI DSS. Entities should confirm the accuracy and appropriateness of PCI DSS scope by performing these steps:
- The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in the scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
- The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and reference during the next annual PCI SCC scope confirmation activity.
- As noted previously IPSI believes that the best approach is for business to significantly reduce or eliminate their CDE via the use of Level 1 PCI DSS certified cloud-based service providers as this will reduce costs and potentially open up access to more advanced e-commerce capabilities. Companies should be mindful to ensure data is stored within Australia, especially APRA regulated entities.
If you can, it is better to reduce the scope of the PCI by clearly identifying areas of the organisation which handles the cardholder data. These areas could include networks, cloud systems, third-party vendors and people.
Create an Internal PCI team
It can be difficult for organisations to prioritise PCI DSS compliance over other business objectives, as its not revenue generating, IPSI notes that companies should, however, note the revenue loss implications associated with data breaches. Therefore it is essential to get internal buy-in from senior management for compliance schedules, budgets and timelines of certification. If possible, designate a champion in each team to assist with communication and to ensure each team follows the policies and procedures.
Get Your Documentation in Order
PCI DSS assessments often involve verification of document procedures, policies, and records that show a consistent implementation of policies. It is essential to make sure all your documentation is updated and consistent with day to day practices. Communication about the purpose of these documents and where to access them should be well known to all the stakeholders of the organisation.
The documentation process also addresses the requirement #12 directly. Apart from requirement 12 which covers the security policies for personnel, the documentation should also cover, access control procedures, incidence management, encryption protocols, masking protocols, key management processes, and the procedures for protecting stored card data (data at rest) and safeguarding communication.
Conduct a ‘Mock’ Internal Assessment and Gap Analysis
Undertaking a ‘mock’ assessment can help identify any issues before a formal audit. A good strategy is to designate an internal ‘assessor’ for this activity and should include gap analyses and potential mitigation strategies. The PCI site provides a self-assessment questionnaire that can be used to conduct this internal assessment.
How can IPSI help?
IPSI can ease your PCI DSS compliance burden by providing payment gateway solutions that are already Level 1 PCI DSS compliant. Our contact centre payment solution, AgentSecure de-scopes your call centre from PCI DSS compliance by removing any contact between agents and systems with cardholder data.
IPSI has managed some of Australia’s largest PCI DSS remediation projects with services including Level 1 PCI DSS compliant data storage, hosted IVR solutions, tokenisation, call centre solutions, multi-bank payment processing and data discovery.
For more information, contact us at firstname.lastname@example.org or phone 1300 975 630.