Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is demonstrated by an audit of the cardholder data environment (CDE). The type of audit depends on the compliance requirements of the payment brand and the level of the merchant/service provider as defined by that brand.
Level 1 merchants must have an external audit performed by a Qualified Security Assessor (QSA) and submit a Report on Compliance (RoC) – also commonly known as a Level 1 on-site assessment – to their acquiring banks to prove their compliance. Merchants at other levels can self-audit and submit a self-assessment questionnaire (SAQ).
Preparing for the PCI audit can be challenging, especially if your organisation has a complex data environment. Follow the suggestions below to maximise your chances of meeting your compliance requirements.
Think carefully about your PCI DSS audit goal
PCI DSS compliance is not about passing an annual audit and ensuring all the right boxes are ticked on that day. Instead, compliance is determined by whether cardholder data is kept secure by meeting all of the requirements, all of the time. This is why there is no official certificate of PCI DSS compliance, as compliance is not judged by a ‘moment in time’. The continual operational goal must always be considered when you are developing processes and controls to satisfy PCI DSS requirements.
Preventing cardholder data breaches is the ultimate goal of the PCI DSS and should be the main goal of your PCI DSS programme. If your organisation’s goal is to ‘pass’ an annual PCI DSS assessment and receive a certificate, then you misunderstand the intent of the Standard and will ultimately fail PCI DSS compliance.
Choose a reputable PCI QSA for RoC audits
PCI compliance can be only validated by a QSA. These are individuals employed by a QSA company, qualified by the PCI Security Standards Council (PCI SSC) to validate an organisation’s adherence to the PCI DSS.
Get trained on the PCI DSS so that you can make an informed decision when selecting your QSA. While the PCI SSC has worked to even out the quality of its auditors, there are plenty of inexperienced auditors out there who have made some very expensive decisions on behalf of organisations that have to comply with the Standard.
Look for QSAs who offer consistent advice and interpretation of the rules, and that can back up any claims of having completed audits with written references. A good auditor will be able to provide a number of satisfied customers that would be willing to take your call to discuss their past performance.
Preparation is key
Make sure all procedures, documentation and requirements are in place before the auditor comes to your organisation to demonstrate that you are prepared for the audit.
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Abraham Lincoln
Not having specific information at hand or the right executive available for an interview won’t fail you outright, but it’s guaranteed to lengthen the validation process.
Find out where your data resides (and hides)
It’s a significant challenge for companies to know where data is and the perimeter of the CDE within the network. You can make it easier for yourself by creating a data flow diagram to help identify all locations and flows of data.
Many organisations store cardholder data unnecessarily because they have failed to implement proper data retention and disposal policies, storing card data simply because it is something that they have always done. It’s important to develop processes and procedures that regularly purge systems to remove information that is no longer required.
Segment networks and maintain an accurate network diagram
While network segmentation isn’t required by the PCI DSS, it’s a recommended strategy to reduce your PCI scope and secure your data. By isolating less-secure networks from high-secure networks, businesses can ensure that a compromise in the less-secure network does not affect the security of other high-security networks.
Organisations also frequently need to better define where regulated data resides in their network. They will often present diagrams that represent a PCI-compliant network, but actual network configurations usually reflect otherwise. If a QSA finds cardholder data elsewhere – and especially on other unsecure segments – that can turn into a major issue.
Conduct a gap analysis
Organisations will often bring in a QSA prematurely, without having prepared sufficiently to ensure that they are aligned well enough with the Standard. Don’t assume that just because you were compliant for a particular control last year, you’re automatically compliant this year.
On-site audits can be cut short simply because the client is not ready and the exercise, if continued, would only culminate in a revisit by the QSA in six months’ time to re-evaluate compliance.
A smarter and more cost-effective approach is to have a QSA conduct a gap analysis as a starting point to establish what the business is currently doing against the actual requirements of the PCI DSS.
Documentation, monitoring and audit logs
It is crucial to ensure that your documentation is complete because it provides evidence of compliance. The auditor will review your processes, log files, policies, procedures and network flow diagrams.
Even the most secure company will fail a compliance audit if it cannot prove that its security policy adequately fulfils each of the Standard’s 12 requirements.
A successful audit depends on being able to demonstrate that log files are well-managed, having documented policies, procedures and supporting processes in place, and that network flow diagrams are readily available as proof.
Conduct regular testing
PCI DSS requires an annual risk assessment that identifies critical threats and vulnerabilities. To meet this requirement, it is best to conduct an internal examination of your systems, processes and procedures, as well as a full risk assessment to determine system vulnerabilities prior to an audit.
The results of security testing can be used to provide evidence of compliance and to identify areas of your network that might not be secure. Auditors look for regular and frequent testing, especially after any changes to the CDE.
Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your CDE from other networks. Large breaches typically originate with a simple intrusion into an insecure area of the victim’s network with a subsequent lateral move into the CDE.
Attesting your service provider’s compliance status
Many service providers have developed services that specifically address PCI DSS compliance. They may provide PCI DSS-compliant hosting space, or they may offer accounting software that supports compliance by enabling merchants to process transactions without storing cardholder data on their own computers.
As such, merchants are increasingly turning to service providers to fulfil PCI DSS requirements. However, even when data is stored with third-party providers, the responsibility for compliance rests with the merchant. The Standard requires you to clarify your roles and responsibilities with your service providers and third-party vendors. You need to explicitly map out who is responsible for addressing the specific requirements in areas where you use service providers. When you have purchased managed services, you must understand how you are working with your service provider to address the required security controls.
Merchants are advised to engage only service providers that have reported their PCI compliance to the card brands.
If you follow these tips, your PCI implementation project is likely to go as smoothly as planned. If you want to learn more about achieving and maintaining PCI DSS compliance, you should attend our webinar ‘PCI DSS: Audit success in nine essential steps’ You’ll find out:
- Essential areas to help prepare for a successful RoC audit.
- How to identify nonconformities before the audit takes place.
- How to choose the right QSA.
This webinar will take place on 17 January 2018, from 3:00-4:00 pm. If you can’t make it, the presentation will be available to download from our website.