If you haven’t guessed it by now, achieving and maintaining Payment Card Industry Data Security Standard (PCI-DSS) compliance can be both hard and expensive. For most small to medium-sized organizations, it doesn’t have to be, as long as you have the right plan and tools in place. In this post I hope to impart a bit of wisdom gained through my time spent helping organizations achieve PCI-DSS compliance. A PCI-DSS checklist of steps will be useful in this effort.
We are going to look at things a bit differently in this post because we will not be looking at each requirement within the PCI-DSS. I assume that by reading this you are already aware of the requirements. If not, you can head over to the PCI Standards Council website for a breakdown of all the requirements. Additionally, I will be focusing on those small to medium organizations that are required to comply with all components of the PCI-DSS and not just portions of it.
PCI DSS Compliance Checklist
If you are still reading this, then congratulations, you have made it to the best part. The recipe is very simple and boils down to five steps.
- Determine Your True Business Requirements
- Inventory Locations and Assets
- Segment the Environment
- Operationalize Controls
- Automate Controls and Control Reporting
Determine Your True Business Requirements
So, what do I mean by "Determine Your True Business Requirements"? Well, I often find that most organizations don’t necessarily need to directly process credit cards. I’m not saying don’t take them, but offload some of the risk to a third party. Understand that there is still risk and that you need to ensure that the third party is PCI compliant, but why incur the cost of implementing and maintaining all the controls if you don’t need to?
I’ve heard all sorts of reasons why the data is needed and most of the time it revolves around customer convenience or user experience. While I understand this may be a valid reason, the organization should do a thorough cost/benefit analysis on both short-term control implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path.
It’s important to keep in mind that PCI-DSS Compliance is not a one-time event, but an ongoing process and, ultimately, a change to the way you do business. There will be long-term impacts including investments in training, personnel, and technology. Notice that I said technology last. Understand that PCI-DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing.
Inventory Locations and Assets
If you have determined that you truly have a business need to process credit card data, step 2 on your PCI-DSS compliance checklist is to inventory all credit card locations and assets. This seems simple enough, but it is where I see many organizations struggle. Computers and computer networks are complex, as are the politics in many organizations. Unless strong governance practices are in place, it can be easy to lose track of assets in a world of agile methodologies and the constant push for new product features.
You should be prepared to answer these fundamental questions about the PCI processing environment:
- What business processes use credit card data?
- Where is the cardholder data (CHD) stored?
- How is the cardholder data (CHD) accessed?
- What are the ports and protocols used when transmitting cardholder data (CHD)?
- What technology assets are involved in the data flow?
- Am I sure?
The last question is an interesting one. When performing gap assessments, more often than not, we find cardholder data flows that the customer was unaware of. PCI-DSS is not just your best effort. If you have a breach, then you may be on the hook for all those fraudulent transactions, as well as fines.
Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine if there is cardholder data outside your defined cardholder data flows and environments. Remember this is a process. You should expect to update inventories of flows and systems on an ongoing basis depending on business and technology changes.
Segment the Environment
Now that you have located everything, it’s time to segment the technologies and, in some cases, the business processes that store, process, or transmit cardholder data. Even though the PCI-DSS does not require segmentation, it is a critical step in reducing short and long-term costs.
This is another area where I see organizations fail when it comes to PCI-DSS compliance. They try to implement PCI-DSS controls across the entire organization, not realizing the impact on other business units that don’t handle cardholder data. Also, organizations might believe they have segmented the PCI environment, only to find systems outside the segmented environment that process or store cardholder data.
To ensure that this doesn’t happen to your organization, segment your processing environment and implement the inventory processes described above to validate whether cardholder data is flowing into environments where it shouldn’t. Lastly, implement strong governance practices (e.g. change management) to ensure systems are placed in the correct network zones before being moved into production.
Operationalize Controls
Once controls are in a PCI-DSS compliant state, the checklist changes to maintaining that compliant state. While controls may have once existed, activities may have diminished due to employee turnover, employee promotion, or changing priorities. In fact, the PCI Standards Council saw this as a weakness and made changes in PCI-DSS 3.0 that enforce the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures.
This is, again, a common theme that many QSAs see when assessing organizations both big and small. The intent to be PCI Compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps that your organization will face as it may involve significant organizational change.
Here are some questions that may help you determine whether your PCI-DSS control framework is operationalized for long-term success.
- Is there support and awareness from your senior leadership team or board?
- Is leadership fully aware of the contractual responsibility for securing cardholder data?
- Are control owners assigned to each PCI control and do control owners understand their role in ensuring that the controls operate effectively?
- Do written procedures exist for managing all control processes outlined within PCI-DSS?
- Do automated tools exist to help you operationalize ongoing security procedures (e.g. SIEM, vulnerability management, file integrity monitoring)?
- Do automated tools exist to monitor the effectiveness of control activities?
Automate Controls and Control Monitoring
The final step that I would like to discuss is actually a continuation of the concept of operationalizing controls. In order to ensure PCI compliance in the long term you must automate control activities. The primary reason for this is that, no matter how hard we try, humans are fallible. By removing the human element we can ensure proper control execution as well as reduce the overall cost related to performing the controls.
Here is a quick list of processes that can be automated given the right set of tools and/or capabilities.
- Asset Discovery and Management
- Logging and Security Event Monitoring
- File Integrity Monitoring
- Incident Response Tracking
- Vulnerability Identification and Management
- Default Password Checks
- Firewall Rule Reviews
- Wireless Rogue Detection
- Access Provisioning and De-provisioning
Another critical element that can be automated is control effectiveness monitoring. This can provide management with the key performance indicators they need to validate PCI Compliance. There are many tools that can be used to help with the effort.
Security Information and Event Management (SIEM) and vulnerability scanning tools can often be used to generate reports on vulnerability remediation activities, incident response activities, secure hardening compliance activities, data flows, traffic flows, and access management activities. The important thing to remember here is that with a little out-of-the-box thinking, tools can be configured to demonstrate operational activities. These types of reports can also prove useful during PCI audits with your QSA.
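As an added example (not code from the original post or any vendor tool), this Python snippet builds the kind of control-effectiveness KPI described above from constructed scan findings: remediation of critical/high findings on CDE hosts against an assumed 30-day SLA, plus scanned hosts absent from the asset inventory, which also feeds the inventory validation in step 2.

```python
# Added example (not from the original post): turn vulnerability-scan findings
# into a control-effectiveness KPI for management. SLA_DAYS, REPORT_DATE, the
# inventory and the findings are constructed for the demonstration; the SLA
# value is an assumption, not a figure taken from the PCI-DSS.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 30                    # assumed remediation window for critical/high
REPORT_DATE = date(2024, 3, 1)   # constructed "today" for the report


@dataclass
class Finding:
    host: str
    severity: str           # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date]  # None while the finding is still open


def kpi_report(findings: List[Finding], inventory: Dict[str, str], today: date) -> Dict[str, object]:
    met, overdue, pending = 0, [], 0
    for f in findings:
        # only critical/high findings on hosts the inventory places in the CDE count
        if inventory.get(f.host) != "cde" or f.severity not in ("critical", "high"):
            continue
        age = ((f.closed or today) - f.opened).days
        if f.closed is not None and age <= SLA_DAYS:
            met += 1
        elif age > SLA_DAYS:
            overdue.append(f.host)   # closed late, or still open past the SLA
        else:
            pending += 1             # open but still inside the SLA window
    decided = met + len(overdue)
    pct = round(100.0 * met / decided, 1) if decided else 100.0
    # hosts the scanner saw that the asset inventory does not know about
    unknown = sorted({f.host for f in findings if f.host not in inventory})
    return {"met": met, "overdue": overdue, "pending": pending,
            "pct_within_sla": pct, "unknown_hosts": unknown}


# Constructed inventory (host -> zone) and scan findings.
CDE_INVENTORY = {"pos-db-01": "cde", "pay-app-01": "cde", "hr-web-01": "corp"}
FINDINGS = [
    Finding("pos-db-01", "critical", date(2024, 1, 5), date(2024, 1, 20)),
    Finding("pay-app-01", "high", date(2024, 1, 1), None),
    Finding("pay-app-01", "high", date(2024, 2, 20), None),
    Finding("hr-web-01", "critical", date(2024, 1, 2), None),
    Finding("unknown-host-07", "high", date(2024, 2, 1), None),
]

if __name__ == "__main__":
    print(kpi_report(FINDINGS, CDE_INVENTORY, REPORT_DATE))
```

The unknown-host list is the interesting output for a QSA: a host the scanner reaches but the inventory lacks is exactly the kind of unsegmented system step 3 warns about.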
Well that’s it! Five steps in a checklist that I hope will help you on your quest to maintain or achieve PCI-DSS compliance. Good Luck!
- View the recorded webinar from Terra Verde and AlienVault, "PCI-DSS Reporting Requirements for People Who Hate PCI-DSS Reporting"
- Learn more about the offerings of AlienVault partner, Terra Verde.
- Learn more about how AlienVault technology can help you with PCI compliance
- Check out a guest blog on compliance and security in business
- Read this educational blog on logs you need to collect for your SIEM to assist with PCI compliance