PCI Compliance

If you haven’t guessed it by now, achieving and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be as long you have the right plan and tools in place. In this paper you’ll learn ve steps that you can take to implement and maintain PCI DSS compliance at your organization.

The recipe for implementing and maintaining PCI DSS compliance includes the following five steps:

•    Determine Your True Business Requirements
•    Inventory Locations and Assets
•    Segment the Environment
•    Operationalize Controls
•    Automate Controls and Control Reporting

Step 1
Often, most organizations don’t directly process credit cards. Instead they o oad some of the risk to a third party. In this scenario you still need to ensure that the third- party is PCI compliant, but why incur the cost of implementing and maintaining all the controls if you don’t need to.
There are many reasons why data is needed in organizations and most of the time
it revolves around customer convenience or user experience. Although these are valid reasons, organizations should still do a thorough cost/bene t analysis on both short-term control implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path.
It’s important to keep in mind that PCI DSS compliance is not a one-time event, but an ongoing process and, ultimately, a change to the way you do business. For instance, there will be long-term impacts including investments in training, personnel, and technology. Notice that technology is last here. PCI DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing.

Step 2
If you have determined that you truly have a business need to process credit card data, step 2 on your checklist should be to inventory all credit card locations and assets.
This seems simple enough, but it’s often where many organizations struggle. Computers and computer networks are complex along with the politics in many organizations.
Unless there are strong governance practices in place, it can be easy to lose track of assets in a world of agile methodologies and the constant push for new product features.
You should be prepared to answer these fundamental questions about the PCI processing environment:

•    What business processes use credit card data?
•    Where is the cardholder data (CHD) stored?
•    How is the cardholder data (CHD) accessed?
•    What are the ports and protocols used when transmitting cardholder data (CHD)?
•    What technology assets are involved in the data ow?
•    Am I sure?

When performing GAP assessments, more often then not, you will nd cardholder data ows that the customer was unaware of. PCI DSS is not just your best e ort. If you have a breach, you may be on the hook for all those fraudulent transactions, as well as nes.
Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine if there is cardholder data outside your de ned cardholder data ows and environments. Remember this is a process. You should expect to update inventories of ows and systems on an ongoing basis depending on business and technology changes.

Step 3
Now that you have located everything, it’s time to segment the technologies and,
in some cases, the business processes that store, process, or transmit cardholder data. Even though PCI DSS does not require segmentation, it is a critical step in reducing short and long-term costs.
Many organizations fail when they attempt to segment their environment for
PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the entire organization, not realizing the impacts to other business units that don’t handle cardholder data. Also, organizations might believe they have correctly segmented the PCI environment, only to nd systems outside the segmented environment that process or
store cardholder data.
To ensure that this doesn’t happen at your organization, make sure that you segment
your processing environment and implement inventory processes described above to validate whether cardholder data is owing into environments that it shouldn’t. Lastly, implement strong governance (e.g. change management) practices to ensure systems are located in the correct network zones prior to being moved into production.

Step 4
Once controls are in a PCI DSS compliant state, the checklist changes to maintaining that compliant state. A plan should be put into place to address how PCI DSS controls will be a ected when employee turnover, employee promotion and changing priorities occur. In fact, the PCI Standards Council made changes in PCI DSS v3.0 that enforces the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures.

This is, again, a common theme that many QSAs see when assessing organizations both big and small. The intent to be PCI compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps that your organization will face as it may involve significant organizational change.

Step 5
The nal step is actually a continuation of the concept of operationalizing controls.
In order to ensure PCI compliance in the long-term, you must automate control activities. The primary reason for this is that no matter how hard we try, we humans are fallible.
By removing the human element we can ensure proper control execution as well as reduce the overall cost related to performing the controls.
Here is a list of processes that can be quickly automated, given the right set of tools and/or capabilities.

•    Asset Discovery and Management
•    Logging and Security Event Monitoring
•    File Integrity Monitoring
•    Incident Response Tracking
•    Vulnerability Identi cation & Management
•    Default Password Checks
•    Firewall Rule Reviews
•    Wireless Rogue Access Point Detection
•    Access Provisioning & De-provisioning