PCI Compliance: Best Practices
BY JEREMY SIMON

Having your revenue control equipment PCI-compliant does not mean that your company meets the requirements of the credit card industry for card security. It is only one part of a complex set of regulations that you must follow if you are to be in compliance with the industry's security standards. You could be in violation now and, in fact, probably are.


The Payment Card Industry Data Security Standard, or PCI DSS, provides a well-defined list of security requirements, but many organizations are left with more questions than answers when it comes to determining how best to address each requirement in a manner that will be considered acceptable for PCI compliance. When approaching PCI compliance, much of the effort can often be handled in-house, but it's also important to know when to ask for help. Misinterpretation of PCI requirements may lead to costly mistakes. To address the need for expert guidance, the PCI Security Standards Council maintains a program for training Qualified Security Assessors (QSAs). A QSA is not intended to be merely an auditor, but is also meant to act as an advisor to organizations working to achieve PCI compliance. QSAs are trained to provide clarification of the underlying intent of the PCI requirements and to assist organizations in identifying reasonable means of satisfying PCI obligations.

The following step-by-step approach for becoming PCI compliant will help your organization avoid many of the pitfalls commonly associated with the process:


1. Educate Yourself

Read the PCI DSS, preferably several times. Make sure you understand each requirement and try to see the underlying intent of each. Make a list of all the questions you have. Read PCI-related forums and blogs to see how other companies are addressing PCI compliance issues. It's often helpful to engage a PCI QSA (PCI Qualified Security Assessor) at this point to provide direction and answers to questions that will inevitably arise during the process of becoming PCI-compliant.


2. Determine Your PCI Classification

Work with your acquiring bank to determine which merchant or service provider classification level applies to your organization for compliance validation purposes. Each acquiring bank is responsible for ensuring the compliance of all of its merchants, so the bank has the authority to determine your company's PCI classification level.


3. Perform Data Discovery

Find out where cardholder data currently exist in your environment. Identify all payment acceptance channels, map the flow of cardholder data across the network, and identify all places where those data are stored. It is helpful to create a "network topology diagram" that shows network segments where key systems reside, then map the cardholder data flow onto this diagram for a visual representation of where credit card data are transmitted, processed or stored in your network.

44 JANUARY 2009 • PARKING TODAY • www.parkingtoday.com


4. Whenever Possible, Eliminate Cardholder Data Instead of Securing Them

Securely dispose of any cardholder data that are not required. This may help to reduce the scope for PCI compliance and will likely reduce the costs associated with becoming compliant. Most companies will still need to retain credit card data but should make sure it's stored in a centralized, tightly controlled manner.


5. Define the Scope for PCI Compliance

Now that you know where the cardholder data exist, who has access to the data, and how the network is segmented, the scope for PCI compliance can be determined. The entire enterprise (in terms of network and staff) may not necessarily need to be included within the scope of PCI compliance, and proper scoping is essential to controlling costs for PCI compliance! The PCI DSS applies to all systems that store, process or transmit cardholder data, as well as any systems connected to those (in other words, other systems on the same network segment, not separated by a firewall).


6. Perform a Gap Assessment

Perform a gap assessment based upon the established PCI scope. Determine whether each requirement is satisfied for all in-scope systems. The PCI Audit Procedures provide additional details regarding how to validate the presence of each required control.


7. Implement Changes to Address Non-Compliant Findings

Build a remediation plan to address non-compliant findings. Implement required controls, write policies, update legal contracts, etc. This step can often turn into an extensive process, depending on the present state of information security and governance in your organization. PCI requirements include technical, physical and administrative controls, so organizations without a well-developed InfoSec program will find there's a lot to be built in order to address PCI requirements.


8. Perform Quarterly Vulnerability Scanning and Annual Penetration Testing

Find an Authorized Scan Vendor (see below) to scan all Internet-accessible systems on a quarterly basis. Remediate any non-compliant findings and rescan until a fully compliant scan report is obtained. Organizations also must perform penetration testing (network and application layers) at least annually or when significant changes are made to the environment.
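The scoping rule from steps 3 and 5 (in-scope means a system that stores, processes or transmits cardholder data, plus everything on the same network segment not separated by a firewall) can be applied mechanically to a host inventory. The following is an added example, not code from the article or the author; all hosts, segment names and cardholder-data flags are constructed sample data, and the model assumes that distinct segments are always firewall-separated.

```python
# Added example (not from the article): apply the step 5 scoping rule to an
# inventory and show how a segmentation change shrinks the PCI scope.
# Assumption: hosts on different segments are separated by a firewall, so
# "same segment" is the only thing that pulls a non-CHD host into scope.

# Constructed inventory: host -> (network segment, handles cardholder data?)
INVENTORY = {
    "pos-terminal-1":  ("retail-lan", True),
    "pos-terminal-2":  ("retail-lan", True),
    "print-server":    ("retail-lan", False),  # shares a segment with the POS
    "payment-gateway": ("dmz",        True),
    "web-marketing":   ("dmz",        False),  # shares a segment with the gateway
    "hr-fileserver":   ("office-lan", False),
    "ceo-laptop":      ("office-lan", False),
}


def pci_scope(inventory):
    """Return the set of in-scope hosts: every CHD host plus every host that
    sits on a segment containing a CHD host."""
    chd_segments = {seg for seg, handles_chd in inventory.values() if handles_chd}
    return {host for host, (seg, _) in inventory.items() if seg in chd_segments}


def move_host(inventory, host, new_segment):
    """Return a copy of the inventory with `host` relocated to `new_segment`,
    i.e. placed behind a firewall relative to its old neighbours."""
    moved = dict(inventory)
    _, handles_chd = moved[host]
    moved[host] = (new_segment, handles_chd)
    return moved


def scope_by_segment(inventory):
    """Group in-scope hosts by segment, the view that maps directly onto the
    network topology diagram from step 3."""
    report = {}
    for host in sorted(pci_scope(inventory)):
        report.setdefault(inventory[host][0], []).append(host)
    return report


if __name__ == "__main__":
    before = pci_scope(INVENTORY)
    after = pci_scope(move_host(INVENTORY, "print-server", "office-lan"))
    print("in scope now:", scope_by_segment(INVENTORY))
    print("removed from scope by segmenting print-server:", sorted(before - after))
```

Running the block shows that the print server and marketing web host are in scope purely because of where they sit, and that moving the print server to a firewalled segment drops it out without touching any cardholder-data system.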

