8 COMPLIANCE TIPS FROM QSAS
This post contains the text from the White Paper: How to Prepare for a PCI DSS Audit. Download the PDF below.
Payment Card Industry Data Security Standard (PCI DSS) audits can be seen as a necessary evil or even an adversarial activity, making the auditor the “bad guy.” But PCI DSS auditors want you to succeed in compliance and data security.
No matter the type of business, whether you have a merchant or service provider environment, we see similar problems. These often exist before or during an audit and ultimately slow audit progress. Between understanding PCI DSS requirements, being told what you’re doing wrong, and learning what needs to be fixed, customers can be exhausted by the end of the audit.
Fortunately, if you prepare properly for your next audit, it will go more smoothly, making you, your company, and your auditor happy.
In this white paper, Qualified Security Assessors (QSAs) from SecurityMetrics offer their best recommendations on how you can save time on your next PCI DSS audit and maintain PCI compliance.
1. MAINTAIN ACCURATE NETWORK DIAGRAMS
Accurate network diagrams (see example below) are vital because they show how your systems interact with card data. Systems in your network that store, process, or transmit card data need to be properly secured and separated from other systems on your network.
Many merchants have big flat networks with a firewall at the edge, but that’s it. Everything inside the network is connected with each other. Flat networks make securing card data extremely difficult because your entire network is in scope for the PCI DSS.
To avoid network problems, you should create a diagram that shows how cardholder data enters your network, the systems it touches as it flows through your network, and any point it may leave your network (e.g., sent to a payment processor). You’ll want to maintain a diagram for each card flow that exists. Some businesses will have just one flow, but you might have an additional flow if your website processes payment cards.
The purpose of the flow diagram is to help you understand which systems store, process, or transmit cardholder data. You can examine your actual network and decide how it fits into your card flow diagram by asking yourself:
- How is my network constructed?
- Is there one firewall at the edge of my card-processing environment?
- Is my network segmented internally?
- Does my environment have a multi-interface firewall?
- Do I have multiple firewalls?
You can then make adjustments to your network to make sure it’s properly set up.
“Maintain an accurate network diagram. I often see diagrams that represent a PCI compliant network, but actual network configurations usually reflect otherwise.”
QSA, CISSP, CISA
2. DON’T ASSUME YOU’RE COMPLIANT
PCI DSS is an evolving standard. It’s designed to ensure businesses that process, store, or transmit payment card data implement security practices to prevent cardholder data theft. Over the years, technology and business have gone through extensive changes, and PCI DSS has needed to evolve to meet security concerns. For example, when the PCI DSS was first established in 2006, merchants did not widely use mobile devices to accept card payments.
Since January 31, 2018, PCI DSS 3.2 was in effect, and it has already been revised (i.e., PCI DSS version 3.2.1). Now that those things are solid requirements, they all need to be met and attested to. Since January 1, 2019, merchants have needed to be compliant with PCI DSS 3.2.1 requirements and be assessed against those standards. With a continuously updated standard, you can’t assume that once you achieve PCI DSS compliance you will always be PCI compliant.
Paying attention to your PCI scope is also vital for your business. Incorrectly identifying PCI scope is a common compliance issue. The PCI DSS defines your scope as “all system components included in or connected to the cardholder data environment (CDE)” (i.e., people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication). Reviewing your scope is important to knowing if you need to change business policies and practices.
If you change the way you process cards or plan to make adjustments to your cardholder environment, consult with your QSA to see the impact it will have on your PCI DSS compliance.
“It is a good idea to re-evaluate your compliance to each control every year. As you gain more experience with PCI, your understanding of the requirements will evolve and you are likely to find you have not been following specific requirements as closely as you believed. Adjustments can be made, and your environment can be improved. In addition, requirements evolve to keep up with the advancement of threats in the IT space. Don’t assume that just because you were compliant to a particular control last year, you’re automatically compliant this year.”
QSA, CISSP, CISA
3. UNDERSTAND YOUR RISKS
Requirement 12.2 states that all entities must annually perform a formal risk assessment that identifies critical assets, threats, and vulnerabilities. This requirement helps organizations identify, prioritize, and manage information security risks.
Organizations that take a proactive approach to security will use internal and external resources to identify critical assets, assess vulnerability threats against those assets, and implement a risk management plan to mitigate those threats.
A risk assessment should occur at least annually and after significant changes in your network. PCI compliance and security should not be treated as a single point in time event. A proper risk analysis will provide direction on what vulnerabilities you should address first. Properly addressing vulnerabilities decreases the time an attacker can compromise the system (i.e., window of compromise). This decreases the probability of a compromise and reduces risk.
Your scope includes people, processes and technology. Even assets that may impact the security or are simply connected to your CDE are included. It is important to consider all the potential risks, threats and vulnerabilities associated. Identifying these things will assist you with prioritizing. A risk analysis is a great way to make intelligent, educated business decisions.
“Risk management is a critical task for any organization. Understanding the threats to your business and how you prioritize and mitigate the associated risks is part of being a responsible business. This best business practice is a bare minimum requirement for keeping your CDE secure and doing your due diligence to protect CHD.”
QSA, CISSP, CISA, PA-QSA, CISM
4. INTERNAL EXAMINATION
Annual onsite PCI DSS assessments and penetration testing can provide valuable information about an organization’s security posture and PCI DSS compliance status. However, it is important that organizations remember that PCI DSS compliance is not just an annual task. Maintaining compliance throughout the year can be challenging as much can change between annual assessments. Changes to the threat landscape, application or system changes, staff turnover, and regulatory adjustments are just a few examples of issues that may cause an organization to fall out of compliance with PCI DSS.
In order to help ensure ongoing compliance and to minimize the burden of an annual PCI DSS assessment, it is critical that internal staff monitor and test critical systems and processes throughout the year. Think of compliance like brushing your teeth, and an audit is similar to a dentist’s checkup. A dentist can tell you if and where you have cavities or other problems, but if you do not maintain good brushing and flossing habits between check-ups you put your oral health at risk and your next visit to the dentist will likely involve more expense and pain.
If breached, you may only be liable for a few of the following fines, or you could be expected to pay more than what’s listed below. It depends on a number of factors. Along with possible legal fines, federal/municipal fines, and increased monthly card processing fees, you may have to pay for the following:
DATA BREACH FINES
Merchant processor compromise fine
$5,000 – $50,000
Card brand compromise fees
$5,000 – $500,000
$12,000 – $100,000
Onsite QSA assessments following the breach
$20,000 – $100,000
Free credit monitoring for affected individuals
$10 – $30/card
Card re-issuance penalties
$3 – $10 per card
Breach notification costs
TOTAL POSSIBLE COST:
$50,000 – $773,000+
“To help ensure a smooth annual assessment, perform your own internal auditing during the year. During assessments, we often find that critical IT security controls are no longer working as expected or due to staff turnover processes designed to maintain compliance have not been followed.
For example, card processing systems may not be receiving critical vendor updates, quarterly vulnerability scans may not be performed due to changes in staffing, or antivirus solutions may not be receiving definition updates due to connection issues or misconfigurations. These types of security control failures can put the security of your customer’s data at risk not to mention putting your organization out of compliance. Internal auditing will help to ensure the controls you believe to be in place in the environment are actually working as expected.
Failures in these critical security controls or the breakdown of security processes have been enough of a concern that the PCI Security Standards Council added two new requirements in version 3.2 or the standard. Requirements 10.8 and 12.11 are designed to ensure that internal safeguards and periodic checks are in place to ensure these failures do not go unnoticed. While these requirements are only applied to service providers, the principal behind them apply to all organizations with sensitive data to protect.”
— Michael Simpson
QSA, CISSP, CISA
5. TALK TO YOUR ASSESSOR DURING THE YEAR
QSAs often see the full range of merchants’ and service providers’ struggles with PCI compliance. Auditors usually enjoy sharing their knowledge about compliance. They love to see when IT or compliance managers try their best to keep on top of compliance. If you experience a few rough patches, an auditor will gladly help.
If you can communicate with your QSA throughout the year, do it. Within a year, businesses grow; card data environments change; and PCI DSS requirements are revised. QSAs are a great resource to help you plan for your audit. This has the added advantage of providing more time to fix anything that may come up.
Whenever there are significant changes to your environment, you should discuss potential issues or problems with your QSA to avoid the headache of reimplementation. Often, they will give you advice or warning about problems they’ve seen in their audits.
“I have seen customers change things in their environment not realizing the compliance implications and then struggling to remediate issues after their audit. Changes in your environment are a discussion point with your QSA. Your QSA deals with a wide variety of environments and can alert you to potential compliance issues. Many times, an organization will focus on functionality and not realize potential compliance problems like an increase in scope from network changes.”
QSA, CISSP, CISA, PA-QSA, CISM
6. GET STAKEHOLDERS INVOLVED
You need to know exactly where card information is being stored, processed, or transmitted. Requirement 1.1.3 requires organizations to have a current cardholder data flow diagram. Once you know where card information flows/stores and which systems they interact with, you can easily create a card flow diagram to show how data moves within your environment.
After discovering where systems store, process, or transmit cardholder data, business stakeholders need to get involved with new procedures and with general PCI compliance.
For example, ask your staff to find other places where data might be hiding or unknowingly stored. The following are common areas and departments that store data:
- Error logs often store unencrypted credit card data because when an error occurs during card authentication or processing, an error log is generally created and often contains the full card data.
- Accounting departments usually have processes that store unencrypted data for financial purposes (e.g., refund processes, book balancing, charge reversals).
- Sales departments may unintentionally email or print forms containing credit card numbers.
- Marketing departments may have databases containing transaction data used for market research.
- Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
- Administrative assistants may create a spreadsheet that contains a company’s or an executive’s credit card number for quick access when making payments.
“Understand the different card data environments and be involved with business stakeholders as they implement new ideas so that security is baked into new projects.”
QSA, CISSP, CISA, MCIS
7. KEEP DOCUMENTATION UPDATED
Documentation can be a pain for some businesses. Some may see it as another burden. However, proper documentation protects your organization, especially by keeping your security processes transparent and in order. Make sure documentation is regularly updated.
For example, documentation may also help protect your business from potential liability in the event of a breach. Thorough, accurate and documented security policies and procedures helps forensic investigators see what security measures your company has established.
Service providers must have executive management create a PCI DSS Charter (PCI DSS req. 12.4.1). This charter must establish responsibility for the protection of cardholder data and a PCI DSS compliance program, including overall accountability for maintaining compliance. It must also define how the person responsible for compliance will communicate with executive management.
To fulfill requirement 12.8, you must have a list of all third-party service providers, have written agreements in place with the service providers, have an established process for engaging service providers, annually monitor their PCI DSS compliance and document the PCI requirements those service providers handle and which the PCI requirements you manage.
Remember, you should document when changes occur for your business policies or card data environments (e.g., security policies, software/hardware, firewall/router, diagrams). These changes might alter your PCI compliance implementation.
“Keep your documentation updated. There are few things more enjoyable than walking into an audit and having the client provide current documentation updated to reflect all business compliance activities and changes within the PCI DSS requirements. Throughout the duration of the year, businesses grow, card data environments change, PCI DSS requirements are amended, and those changes need to be reflected in the documentation.
This includes, but is not limited to, changes within security policies, software and hardware found within the card data environment, firewall/router configurations and rule sets, network/card flow diagrams, personnel roles and responsibilities, and the software development life cycle.”
QSA (P2PE), PA-QSA (P2PE), CISSP, CISA
8. ASSIGN A COMPLIANCE LEADER
PCI compliance isn’t just checking “yes” on all the Self-Assessment Questionnaire (SAQ) questions (even though many merchants likely do this). Actual compliance requires you to implement each of the line items.
Yes, PCI can be time-consuming and difficult at times. That’s why it’s best to assign one person to be responsible for PCI compliance, and this individual should be given enough resources and time to adequately handle PCI compliance. Compliance officers need to be able to challenge and correct business procedures and policies.
In preparation for an audit, compliance officers or project leads ideally have:
- An understanding of audit security jargon
- Transparent and eager attitudes to their questions and suggestions
- A PCI audit checklist complete with questions to ask the auditor
- Printed copy of last year’s ROC
- Documentation on how the environment is coping with recent vulnerabilities
- Talked with key stakeholders to help them understand the organization’s risks
- Checked event logs regularly
- Documentation on how third-party security risks are mitigated
- An understanding of PCI DSS 3.2.1
- An understanding of your PCI DSS scope
“Often there is not a ‘project lead’ at a company that takes responsibility for the full compliance effort. Or, if that person exists, they are not empowered to insist on change in other groups’ security postures.”
QSA, PA-QSA, CISSP, CISA
PCI compliance should not just be a once-a-year task to check off. Throughout the year, your workforce, technology, card data environment, and security processes change, which is why you are required to maintain PCI compliance every single day.
To help with compliance, keep in contact with your QSA throughout the year, especially when you are planning any changes to your cardholder data environment.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.