By Elizabeth Whitney, Editor
I recently sat down with two of Accudata’s Payment Card Industry (PCI) Qualified Security Assessors (QSAs), Tim Sills and Anton Abaya, to talk about the challenges companies face as they work towards PCI compliance. Here’s what I learned.
Tim first became familiar with Visa’s Cardholder Information Security Program (CISP) in 2000 and has been a PCI QSA since 2005. Anton has maintained his PCI QSA status since 2008. The customers they’ve worked with include retail organizations (brick and mortar, as well as ecommerce), finance and banking institutions, health care providers, hosting companies, and service providers.
The PCI DSS applies to any organization that stores, processes, or transmits Cardholder Data (CHD). In-scope systems are termed the Cardholder Data Environment (CDE), which comprises the people, processes, and technology that store, process, or transmit CHD and/or sensitive authentication data. A company that is subject to PCI compliance is first notified by its bank or payment processor, which requires the merchant to submit documentation showing compliance, typically within six months to a year. Depending on the merchant's annual transaction volume, this documentation can be a self-assessment questionnaire or the result of an onsite assessment by a QSA. Companies found not to be compliant face monthly fines of $5,000 to $100,000, levied by their banks, until they can demonstrate compliance. So, if PCI compliance applies to your organization, where do you start?
Step 1: Where do I start? Scope Identification / Gap Assessment
Both Tim and Anton agree that the biggest challenge companies face when starting down the path toward PCI compliance is scope identification. Some controls can be sampled, while others, such as vulnerability scanning, require that the entire environment be assessed. “The biggest challenge first and foremost is determining what exactly we are assessing,” said Anton. “Ideally, the company can limit scope as much as possible to reduce compliance effort, and as the QSA we can plan the most efficient assessment process for each customer’s unique environment.”
Performing a Gap Assessment allows a QSA to analyze how CHD is captured, transmitted, and stored by current applications and technologies. The CDE can extend throughout the entire network and its supporting infrastructure, including switches, routers, firewalls, authentication servers, security systems, and even service providers.
The Accudata Gap Assessment, which leverages the Prioritized Approach published by the PCI Security Standards Council (SSC), identifies the systems that are in scope for PCI and provides a high-level punch list of remediation tasks that must be implemented to achieve compliance. “For some companies new to the process, it is overwhelming,” said Tim, “but our Gap Assessment gets them past the first hurdle, which is scope identification and determining which controls apply to their environment.”
Step 2: Remediation Guidance
Once the Gap Assessment is complete, Anton recommends engaging a QSA to provide remediation guidance. With the PCI scope identified, the most common recommendation he gives companies seeking compliance is to narrow that scope. At this stage, Tim suggests that companies consider adopting PCI-compliant technologies, such as a hosted-payment iFrame on ecommerce servers, which takes the underlying web server out of scope, or Point-to-Point Encryption (P2PE), which reduces PCI scope for many retail environments.
Tim and Anton both regularly provide remediation guidance to a wide variety of customers, large and small, and often find themselves recommending scope reduction via network segmentation – isolating the systems that transmit CHD from the rest of the network – as the most cost-efficient method of achieving PCI compliance.
Whether it be scope reduction through segmentation, adopting new technologies (preferably PCI SSC validated solutions), or changing business processes and culture, “the best guidance is to get started right away,” said Tim. “More often than not, we see companies that don’t start until a month or two before the deadline specified by their payment processor, and then they realize the magnitude of this calls for them to completely re-architect their environment and acquire and integrate new technologies.”
Step 3: Assessment
Even if you’re not required to undergo an onsite assessment with attestation, Accudata can provide guidance and controls clarification. Where compliance confirmed by a QSA is required, the assessment can result in a Report on Compliance (ROC) and an Attestation of Compliance (AOC) submitted to the company’s acquiring bank. “At some point, though,” said Anton, “it’s time to lift the hood and start looking at configurations in great detail.” Once deemed compliant, companies must have annual assessments performed to maintain compliance, which, as technologies and security threats evolve, can mean re-engaging this process. A PCI Baseline Assessment can also be a helpful tool for establishing scope and evaluating changes to the environment.
To get your company started on the path towards PCI compliance, contact your Accudata Account Manager or Brian DiPaolo, Accudata’s Assessment & Compliance Practice Director, at BDiPaolo@AccudataSystems.com for more information.