How to Reduce PCI Compliance Anxiety

What type of emotions are created in you when you hear the term ‘PCI?’ Anxiety? Possibly fear? For some, it may be disgust. Most favorably, some may feel a sense confidence or enthusiasm. Ok, I agree that enthusiasm is rarely listed as an emotion felt when hearing the term ‘PCI,’ although there may be someone out there who feels enthusiastic about a PCI audit!

A lot of what dictates the emotions felt when considering PCI compliance is based on your company’s preparedness. Here we’ll go over a few things that can help your PCI audit run more smoothly. The following items are not listed in any particular order of importance.

Network Segmentation

Consider segmenting those areas of the network where cardholder data exists from other areas of the network. At a high level, network segmentation involves isolating those systems that process, store, or transmit cardholder data from other areas of the environment. Network segmentation can be achieved through several means, such as firewalls, routers, VLANs, or other technologies that restrict access to the cardholder data environment (CDE). For an area of the network to be considered out of scope, the goal should be that even if the out-of-scope system component was compromised, it would not impact the security of the CDE. One key benefit of network segmentation is that the process may reduce the scope of a PCI DSS assessment, thereby reducing the cost of the engagement. The more elements or components of a system that have to be tested by a QSA, the higher the price tag.

Keep in mind, if segmentation is used to reduce PCI DSS scope, the company’s penetration testing activities (per PCI DSS Requirement 11.3) must include testing of the segmentation controls, to verify they are operational and effective.

Manual Tasks

Ensure that all items based on PCI DSS defined frequencies are completed throughout the auditing period. Many PCI requirements call for either periodic reviews or processes that are performed according to defined frequencies. Each company that is subjected to a PCI audit should have a mechanism in place to ensure that all items are scheduled and performed. The following only represent a subset of those items. For the complete list, please refer to the information provided by the PCI SSC (Security Standards Council) https://www.pcisecuritystandards.org/.

  • Daily – The logs of all security events, all system components that process, store, or transmit CHD and the logs of all critical systems must be reviewed on a daily basis either through a manual or automated means.
  • Weekly – A detection mechanism such as FIM (File Integrity Monitoring) tools that alert personnel to unauthorized modifications are configured to perform critical file comparisons at least weekly.
  • Monthly – All system components and software must be protected from known vulnerabilities and critical security patches installed within one month of release.
  • Quarterly – Internal vulnerability scans by qualified personnel must be performed on a quarterly basis. Also, external quarterly vulnerability scans must be completed by an ASV (Approved Scanning Vendor).
  • Yearly – Policies and procedures must be reviewed annually. Employees must receive security awareness training upon hire and at least annually.  If applicable, developers must attend secure coding training annually.

Security Awareness

Ensure that the required personnel needed to address each requirement are identified and scheduled before the QSA arrives on-site. According to PCI DSS, the Qualified Security Assessor (QSA) must spend time on-site to validate controls for the assessment. During this time, observations can be made by the QSA along with interviewing key personnel. Some of the interviews are performed to confirm the accuracy of evidence that may have already been collected. It has been a personal experience that these interviews work better face-to-face in lieu of phone interviews or via webinars. Sometimes, if the interviews are not scheduled, or if too many of the scheduled interviews fall through, the QSA can waste a lot of on-site time, or worse, the engagement may experience ‘scope creep.’

Ownership of PCI

The project lead at the company being audited should familiarize themselves with the PCI DSS requirements and their meanings. In your spare time (if there is such a thing in today’s workplace) go online to the PCI security standards council website at https://www.pcisecuritystandards.org/ and work on developing a basic understanding of the 12 requirements defined to PCI. This will not only help the engagement run more smoothly but understanding the requirements can help the project lead predetermine the responsible people/departments for each area.

Ensuring You’re Ready

It is recommended that a company who has never been formally audited for PCI compliance perform a PCI Readiness Assessment. This can be done internally by the company, or the company can hire an external QSAC (QSA company). If the desired level of confidence is achieved from the assessment, the company can then consider a more formal PCI Report on Compliance (RoC), performed by a QSAC such as TrustedSec.

All things considered, none of the above items will necessarily make a person ‘enthusiastic’ about PCI compliance, but any or all items can contribute to helping assure that an audit will run more efficiently, giving you peace of mind about your PCI program.

Jonathan White

Author: Jonathan White

Jonathan White started his IT career in the United States Marine Corps as a Computer Programmer. After the Marine Corps, he started a job as a Computer Operator and advanced to serve as Manager of the company’s 24 X 7 data center. This is when he realized that providing solutions to issues and customer interaction was his passion. The next step in his career was as a Network Engineering Consultant for one of the national credit bureaus. In this role, he was responsible for the IP network for as many as 14 local offices in the Southern Region.