Implementing PCI-DSS: The top five issues to consider
John Linkous, IT governance, risk and compliance evangelist, eIQnetworksDecember 22 2008
Talk to anyone who works for an organization that accepts, processes or even looks at a credit card, and the three letters “PCI” strike a chord of fear that is rarely seen in the IT world. While it’s true that the PCI standards – and specifically the Data Security Standard (DSS) – are rigorous mandates that require experienced security professionals to implement and maintain, achieving PCI compliance is not really rocket science. The following is a list of specific issues to consider related to PCI-DSS. This should help ensure that organizations can not only meet the letter of PCI, but actually make their systems more secure:
Implement a security program. Achieving and maintaining compliance with PCI-DSS are two different things. While most of the controls defined in the PCI-DSS standard are technical configurations for hosts and infrastructure devices, organizations are required to maintain these configurations once they are in place. To make that happen, organizations need at least rudimentary security processes in place to ensure that access controls are maintained, anti-malware and other countermeasures are kept up-to-date, and vulnerability assessments are conducted on a regular basis. Without a series of information security processes in place to manage security controls, it’s very easy to fall out of compliance.
Know your assets. The chain of custody around credit card data is one of the most common examples of the lowest common denominator approach to security – the weakest link dictates the likely vector of a malicious attacker. Because a typical credit card payment process can involve many different systems, it is critical to know the information systems that are part of that process, their role, and to what degree (if any) they are exposed to any part of credit card data. If an organization doesn’t have adequate security controls in place on all of these systems, they are at a higher risk of compromise.
Build and maintain a documentation library. Hand-in-hand with knowing what you have is knowing how you manage it. Documentation of all kinds – product and vendor-provided documentation, device configuration worksheets, security processes and procedures, and lists of personnel who have access to PCI data – will all be required as part of the audit process. Having up-to-date information available both for your security program personnel and your external auditors is critical to ensuring that you both maintain security and maintain compliance (which are two separate disciplines).
Awareness and training are crucial. Unfortunately, all of the technical controls in the world cannot stop an employee from inappropriately disclosing or handling cardholder data. While it’s important for organizations to implement technical controls per the PCI-DSS standard, it’s also vital that everyone who has access to cardholder data understand their roles and responsibilities related to the security of data. This includes everyone from point-of-sale personnel who physically touch the card, to DBAs and application developers who manage PCI processing systems, to third-party vendors who have access to limited cardholder information. This requires periodic training, and holding employees, contractors and vendors responsible for their exposure to the chain of custody of PCI data.
Your auditor is your friend. PCI-DSS auditors – both qualified security assessors (QSAs) and approved scanning vendors (ASVs) – exist primarily to ensure that your systems are reasonably secure. While the idea of an external auditor coming on-site to your organization to probe your IT assets and question your personnel may seem like a stress-inducing event, the fact is that even if findings are discovered in your environment, addressing these findings will make you more secure. It is important to challenge your QSA or ASV if they discover findings that you believe are incorrect, but similarly, it is equally important to listen to your auditor and address legitimate security gaps.