Preparing for a Payment Card Industry (PCI) compliance assessment is a major task for any size organization. However, companies that store, process, or transmit credit card transactions are required to comply with PCI's Data Security Standards (DSS). PCI DSS includes up to 13 requirements that specify the framework for a secure payment environment. The PCI requirements are prescriptive in nature and provide guidance for organizations to become secure.
As a QSA, BrightLine has performed hundreds of audits. From our experience, there are five steps to follow when preparing for a PCI DSS assessment.
1. Complete a Risk Assessment
The goal of PCI DSS is to reduce the risk of credit card breaches. That, however, is a broad statement intended to apply to any business model and security control set. In order for an organization to effectively manage its own risk, it must complete a detailed risk analysis on its own environment. The goal for the risk analysis is for the organization to determine the threats and vulnerabilities to services performed and assets. As part of a risk assessment the organization should define its critical assets including hardware, software, and sensitive information - and then determine risk levels for those components. This in turn allows the organization to determine a prioritization level for reducing risk. It is important to note that risks should be prioritized for systems that will be in-scope for PCI DSS and then other company systems and networks. The PCI Security Standards Council (SSC) and the PCI DSS requirements themselves provide a lot of guidance on scoping a PCI DSS environment but this may be an area where the organization would want to contract with a QSA firm to validate the scope.
2. Document Policies and Procedures
Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.
3. Identify Compliance Gaps
Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities. Once the remediation plan is completed, it may also be reassuring at this stage to once again contract with a QSA firm to conduct a gap analysis. A gap analysis can either help determine high level areas that would are not compliant or can include a review much like a full PCI DSS assessment with the big difference being that a missed requirement will not fail the audit. The QSA will review security policies for accuracy and completeness and help identify any additional compliance gaps that need remediation before a full-scale assessment. It is critical once the final control set is in place to perform internal vulnerability scans and contract with an ASV to perform quarterly external scans. This is also the time to schedule the required annual penetration testing. These are typically performed by third parties, but is not required to be performed by third parties, and can take some time to schedule, perform, and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed so now is the time to schedule it.
4. Conduct Training to Educate Employees
After remediation activities are completed and policies and procedures are implemented, the next step is training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place. If software development is performed at the organization, OWASP offers training materials for secure coding guidelines; incident responders can review NIST SP 800-61. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks, recognizing social engineering, etc. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.
5. It’s Assessment Time
From this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments. As Bob Russo, head of the PCI SSC stated, “In the case of the PCI standards, it's especially important that it does not become a once a year event like people think of when they think of compliance…You can be in compliance today and be totally out of compliance tomorrow.”