Achieving PCI Compliance: Best Practices and Strategies

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive and exhaustive list of requirements mandated by the PCI Council for the safety and security of payment card data. This standard spans any entity that processes, stores, or transmits cardholder data, as well as service providers that could otherwise affect the safety of that same data. This poses the question of how to achieve PCI compliance and, once achieved, how to remain compliant with the standard over time.

The Best Practices & Strategies

Fill Out Your Paperwork

All companies are different, and for each company you must find a common strategy for satisfying the requirements of PCI DSS. The foremost of these lies in the dreaded policy and procedure documentation; throughout my auditing career I have seen both small and large companies stumble, stall, and scrounge for documentation. This could include documents related to policies, such as those setting out antivirus requirements or protocols for building secure systems. The documentation could also cover procedures, detailing how systems, applications, or change management processes operate. This information is used to guide personnel who need to understand these systems and processes. Lack of appropriate documentation leads to wasted time and stalled audits while attempting to figure out how a system is supposed to be configured, how encryption and decryption work, or which change management process is supposed to be followed.

PCI DSS version 3.2.1 has 129 controls directly linking to written policy; version 4.0 has 97 controls directly linking to written policy. Written policies allow team leads, administrators, and supervisors to enforce appropriate cybersecurity hygiene and maintain a standard across the enterprise. Policies also allow employees to understand their role in cybersecurity and the common pitfalls associated with the use of technology, through acceptable use agreements. Procedural documents are rarely observed; typically, product owners, application developers, or system administrators do not document the steps taken to perform a task. The lack of documentation leads to lost time attempting to re-create chains of events or remember how configurations were implemented. Having clear and well-documented procedures not only helps new team members quickly understand the processes but also prevents loss of institutional knowledge when existing personnel leave or retire.

Maintain a Risk Management Strategy

Risk management, whether for PCI DSS or any other security framework, should guide where to allocate resources for your business. To explain further, risk management should provide the tools and tracking metrics needed to address security concerns with PCI DSS compliance. This is especially relevant within PCI DSS version 4.0, where targeted risk assessments are part of newly implemented requirements throughout the standard (Appendix E2). Risks should not only be managed by system administrators; they should also cover networking, applications, third-party vendors, and even hardware and business processes.

In PCI DSS 3.2.1, risk management was viewed as a standard line item under requirement 12.2; within the new 4.0 standard, however, the specific documentation and analysis of risks posed to your environment must be addressed and accepted by management. Properly denoting these risks will not only improve your security posture but also help secure funding for long-term projects or the overall direction a company wishes to take.

Delegate Tasks to Different Groups and Communicate

Asking one individual to perform all PCI DSS evidence gathering is daunting for that individual and often leads to burnout or the collection of incorrect data. Be sure to leverage your subject matter experts for the collection of data, and in doing so collect the data an auditor would need to see to satisfy a requirement. The main point of contact for the audit may be a compliance group or team lead that does not have the best understanding of a system or configuration, resulting in inaccurate evidence collection.

There are a multitude of asks in the standard which may appear to lack clear direction or purpose when posed by the auditor. By speaking to the subject matter experts directly, the auditor will not only gain a better understanding of how the environment works but also give the SME retrieving the evidence well-defined instructions on what needs to be seen and what is required by the standard.

Make Recurring Tasks Accountable

PCI DSS has many recurring requirements that must be performed between audits, not only while under inspection. These include but are not limited to penetration testing, wireless access point detection, internal/external scans, and reviews of firewalls and personnel. Many of these tasks are overlooked because personnel changes, system re-configurations, or simple forgetfulness occur.

Assigning individuals these tasks manually is a time-consuming and error-prone process, resulting in missed scans, inappropriate timing, and gaps within your information security governance. The easiest way to combat this is twofold. First, assign responsibility for the requirement to a group or individual, so that someone is accountable for achieving the goal or task set forth by the standard. Second, keep the task on a recurring schedule with reminders; this can be achieved with automatic ticketing systems, recurring meeting invitations/reminders, or even emails scheduled to send in the future. Whichever way you decide to inform your employees that it is time for the next wireless access scan or firewall review, ensure that there is accountability and documentation for the tasks assigned.
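The two-part approach above (a named owner per task, plus a recurring schedule that raises reminders) is easy to encode as a small compliance calendar. The script below is an added example, not code from the original article: it keeps each recurring PCI DSS task with its accountable owner, its cadence and the date it was last evidenced, then reports what is overdue, due soon, or never performed, grouped by owner so each reminder lands with the accountable party. The task names, owners, cadences and dates are constructed sample data; the cadences are illustrative and must be taken from your own PCI DSS obligations.

```python
"""Minimal PCI DSS recurring-task tracker (added example, not from the original article).

Assumptions: task names, owners, cadences and dates below are constructed sample
data; cadence values are illustrative, not a statement of what PCI DSS requires.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RecurringTask:
    name: str                     # what has to be done
    owner: str                    # accountable group or individual (never "everyone")
    cadence_days: int             # how often the task recurs
    last_completed: Optional[date]  # None means no evidence of it ever being done

    def next_due(self) -> Optional[date]:
        """Next due date, or None if the task has never been performed."""
        if self.last_completed is None:
            return None
        return self.last_completed + timedelta(days=self.cadence_days)

    def status(self, today: date, warn_days: int = 14) -> str:
        """One of 'never-done', 'overdue', 'due-soon', 'on-track'."""
        due = self.next_due()
        if due is None:
            return "never-done"
        if due < today:
            return "overdue"
        if due - today <= timedelta(days=warn_days):
            return "due-soon"
        return "on-track"


def build_report(tasks: List[RecurringTask], today: date, warn_days: int = 14
                 ) -> Dict[str, List[Tuple[str, str, Optional[str]]]]:
    """Group everything needing attention by owner.

    Returns {owner: [(task name, status, due date as ISO string or None), ...]};
    tasks that are on track are omitted so the report only contains action items.
    """
    report: Dict[str, List[Tuple[str, str, Optional[str]]]] = {}
    for task in tasks:
        status = task.status(today, warn_days)
        if status == "on-track":
            continue
        due = task.next_due()
        report.setdefault(task.owner, []).append(
            (task.name, status, due.isoformat() if due else None))
    return report


# Constructed sample compliance calendar (illustrative owners, cadences and dates).
SAMPLE_TASKS = [
    RecurringTask("Internal vulnerability scan", "vuln-mgmt", 90, date(2024, 1, 10)),
    RecurringTask("Wireless access point detection", "network-team", 90, date(2024, 3, 20)),
    RecurringTask("Firewall rule set review", "network-team", 180, date(2023, 9, 1)),
    RecurringTask("Penetration test", "appsec", 365, None),
    RecurringTask("Personnel access review", "iam-team", 90, date(2024, 4, 1)),
]


def sample_report(today_iso: str = "2024-04-05") -> Dict[str, List[Tuple[str, str, Optional[str]]]]:
    """Run the constructed calendar against a given date (ISO format)."""
    return build_report(SAMPLE_TASKS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for owner, items in sample_report().items():
        print(f"{owner}:")
        for name, status, due in items:
            print(f"  [{status}] {name} (due {due})")
```

Feeding `build_report` into whatever reminder channel you already use (a ticketing system, calendar invites, scheduled email) gives you both halves of the approach: the owner field makes a person accountable, and the status field tells you what the next reminder must say.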

Review the Scope of PCI DSS Regularly

One of the most challenging parts of being an auditor is communicating with clients who are unaware of the scope of their business practice and cannot give a clear definition of what is present within the production environment. Rest assured, the initial salvo of questions, scoping documents, and diagram review is all so we as auditors know what kind of environment we are to assess. Often during mid- to late-stage audits, unknown business processes surface that cause scope creep and subsequently a mad dash to either make those systems compliant or remove them from scope. The newest iteration, PCI DSS v4.0, addresses this with requirement 12.5, which states: PCI DSS scope is documented and validated.

Completing this task requires the management, operations, and information technology departments to collaborate in reviewing what is currently deployed within the environment and what changes have occurred, and to reach a consensus on the current business methods the company operates, as well as the people, processes, and technology that support those methods. Convening these groups at least annually will ensure that all processes are accounted for and presented to the auditor concisely; additionally, the company will benefit from a stronger security stance, as all elements handling cardholder data will be defined and cared for throughout the year.

Beware of Snake Oil Salesmen

There are many products on the market today that claim to be a miracle cure that will make all your compliance problems vanish. Unfortunately, more often than not, those promises are fictitious, and what a company is left with is a halfhearted deployment of tools that do not achieve compliance goals. You must obtain tools that are understood by your administrators and that perform the appropriate tasks for your compliance objectives.

Training your system and network administrators in the tools provided is paramount to getting the maximum utility from that product. Interviewing and hiring the right people to leverage SIEM tools has a major impact on compliance findings, in that new deployments or existing configurations are found to be in congruence with the standard. Ensure that you update your documentation and training regimen to include the use of these tools for new system and network administrators, so you get full use out of your purchased products.

Additionally, within the PCI DSS space, there are many products and solutions offered by vendors to reduce or eliminate scope from an environment. Some of the most important questions to ask are:

  1. Is this certified by PCI SSC?
  2. Does your company undergo a PCI DSS audit regularly?
  3. What is the product implementation guide and what requirements does this liberate me from?
  4. What kind of product support does this provide?
  5. How long is this solution viable?

Supposed end-to-end encryption solutions have been under fire for years because they may cover some but not all of the requirements of PCI DSS, and they require additional resources to validate that cardholder data is protected.

Conclusion

Adhering to best practices for PCI DSS compliance is essential for any organization that handles payment card data or supports the operations that do. By implementing these practices, you can protect your customers’ sensitive information, maintain trust in your brand, and reduce the risk of data breaches and financial losses. Following the above tips will help you achieve and maintain PCI compliance for years to come. If you have any questions or need further assistance with PCI DSS compliance, please feel free to reach out to us. We are here to support you on your compliance journey.
