RECIPROCITYPreparing for aPCI DSS AuditFive Steps to Successwww.reciprocitylabs.com1

If your organization accepts payment cards, it must comply with the Payment Card Industry Data Security Standard (PCI DSS): twelve objectives that spell out a longlist of requirements. PCI DSS was established in 2006 bythe PCI Security Standards Council, which comprisesfinancial institutions, merchants, processor companies,software developers, and point-of-sale vendors.Established to protect consumers, banks, and credit cardvendors from data theft and fraud, PCI DSS is not a regulatory framework, but rather an industry one. Nevertheless, the price of noncompliance can be steep: hefty fineseach month until compliance is reached, or—possiblyworse—the loss of credit card transaction privileges.In this day and age, havingto say, “Sorry, we don’taccept credit cards” canbe a death knell for anyenterprise.2

Audit or Self-Assessment?Not every merchant needs a full-blown external audit to satisfythe PCI Security Standards Council. Only those with a large number of annual payment card transactions—1 to 6 million or morefor merchant levels 1 and 2 on some major cards—will need toshow a Report on Compliance by a Qualified Security Assessoror Internal Security Assessor. Merchants processing fewer payments can self-assess.Anyone new to a PCI DSS audit may feel daunted by the plethoraof requirements and directives. Admittedly, achieving complianceis no easy task, and maintaining it can be challenging, too. As thethreat landscape changes and technology evolves, so do the PCIstandards. To date, revisions have been issued every few years—some minor, others with many changes.However, PCI DSS is written to make compliance achievable, nomatter the organization’s merchant level or expertise. Do yourwork in advance by following these steps, and you should haveno trouble passing a PCIDSS audit and keepingyour enterprise’s payment card transactions—and the business—running smoothly.3

1Determineyour scope.Sit down with the PCI DSSrequirements—all 281 of them—and scrutinize each and every one,identifying those with which yourorganization needs to comply.Not all requirements apply toevery merchant, so identifyingthe appropriate scope willreduce your work and increasethe auditor’s efficiency.4

The standard stipulates the precise steps you must take toprotect payment card transactions in your cardholder dataenvironment (CDE), which includes: Point-of-sale devices Mobile devices, personal computers, and servers Wireless hotspots Internet shopping applications Paper-based storage systems The transmission of cardholder data to service providers Remote-access connectionsIf this is your first experience with a security framework, you may find the long listof requirements intimidating at first. After spending some time with the document,however, you will find that, unlike other regulatory frameworks, PCI DSS is fairlyuser-friendly. It’s prescriptive, telling you exactly what you must do to comply, and it’sspecific, aimed at protecting one type of information: payment card data. Security andcompliance professionals should find the document comprehensible and clear. If not, youmay need the help of a PCI-savvy consultant or auditor, or quality compliance software.A caveat: although PCI spells out steps and suggestionsfor fulfilling its objectives, meeting them all is timeconsuming and often requires a complex series of tasks,especially for larger organizations.Give your enterprise ample time to prepare, especially for that first audit. Your scopedefining list will help you determine how long you will need to get ready.5

2Minimizeyour scope.There are things you can do pre-audit to minimize the risk to yourpayment card data and devices and, therefore, to narrow thescope of your PCI DSS audit, potentially saving time and expense. Limit access to your CDE with firewalls.Requirement 1.2.1 of PCI DSS advises, “Restrict inbound and outbound traffic to that whichis necessary for the cardholder data environment, and specifically deny all other traffic.”To do this, the framework requires an entity to “install a network firewall betweenthe CDE and corporate network to ensure only designated systems in the corporatenetwork can communicate, via approved ports, to systems in the CDE. Additionally,the entity may use the same, or another, firewall to block all connections and preventaccess between the CDE and an out-of-scope network. In this way, a firewall is beingused to implement a PCI DSS requirement for in-scope systems and network, and isalso used to segment an out-of-scope network.”Firewalls are one way to block access, keeping external users from entering yournetworks as well as keeping internal users from gaining access to information they donot need.6

Encrypt everything.Do you use point-to-point encryption from the moment a cardholder submitstheir information all the way through payment processing? Encryption likely willminimize the scope and cost of your audit. Make sure you’re using point-of-saledevices, software, and point-to-point encryption devices that have been approvedby the PCI council. Analyze your third-party vendor functions.If your enterprise outsources any functions in the scope of PCI DSS or uses a thirdparty service that could affect PCI DSS compliance, make sure the vendor or functioncomplies with the framework’s requirements. It is also important to establish a cleardelineation of responsibilities for each requirement. Analyze your third-party connections.Requirement 2.1 states, “In addition to including internal systems and networksin scope, all connections from third-party entities—for example, business partners,entities providing remote support services, and other service providers—need to beidentified to determine inclusion for PCI DSS scope. Once the in-scope connectionshave been identified, the applicable PCI DSS controls must then be implemented toreduce the risk of a third-party connection being used to compromise an entity’s CDE.”If your organization is small and uses a third-party application to handle all itspayment processing, you need to make sure that processor is PCI DSS compliant. Ifyou retain any payment information, you may opt to use a PCI-approved paymentapplication, recommended (but not required) by the PCI Security Council. If youwant to use a payment application that isn’t already certified, you will need to obtainPCI approval for it—a process that can require much time and effort. Either way, youwill be responsible for ensuring that the application retains its PCI Security Councilapproval and for staying current with patches and updates.7

Segment your networks.PCI DSS recommends but does not require isolating the CDE from the rest of yourenterprise’s network.It states: “Network segmentation of or isolating (segmenting) the cardholder dataenvironment from the remainder of an entity’s network is not a PCI DSS requirement.However, it is strongly recommended as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer,more controlled locations”Without adequate network segmentation (a “flat network”),your entire network will be in scope for a PCI DSS audit.If you place firewalls around your CDE network, however, the audit will apply only tothe portion of your environment where payment information is collected, processed,and stored.Segmentation begins with an examination of the people, processes, and technologiesthat interact with cardholder data. Identify all payment channels and methods for accepting, processing, and storingcardholder information, from the point of receipt to the point of destruction,disposal, or transfer. Include all systems within and connected to the CDE. Implement controls that restrict access to this segment to those who need it. Make sure that in-scope and out-of-scope networks do not communicate. Avoid transmitting cardholder data using wifi, if possible. Dispose of cardholder data promptly and effectively.Keep only the information your enterprise needs, for only as long as necessary. Whendestroying data, use one of the PCI Security Council’s approved methods.8

3Determine howwell you meeteach applicablerequirement.Examine each item on yourlist to determine how well youcomply with each applicableobjective and sub-objective.The PCI website offers tools, including self-assessmentquestionnaires, to help with this step.9

4Test yourcontrols.Now that you’ve got the appropriate controls for PCI DSS, you musttest every one and collect evidence that each is in place and working asit should.Even if you have donethis before, you must testeach control anew—yourevidence must be current.Controls will center on the security of your entire payment card transaction network: the point-of-sale system, the application that processes payment information, where and how the information is stored,security of the routers transmitting the information, how the data isencrypted, and more.10

5Gather yourevidence.In the audit world, doing athing right is only half thebattle—you also must providedocumentation of yourcompliance.PCI DSS is helpful for determining which evidence you willneed to prove the functionality of each control.For example, the framework sets minimum requirements forpassword complexity. Your Active Directory may be configuredto require passwords that meet the standard, but how can youprove that to an auditor? PCI DSS suggests a current screenshot from your enterprise’s Active Directory configurationshowing that it requires properly complex passwords.11

No Easy TaskOnce you’ve followed these steps, you should be well prepared to pass your audit withflying colors. That’s not to imply, however, that PCI DSS is a quick and easy frameworkto master. Its highly prescriptive nature removes much of the guesswork from compliance, but testing all your controls takes time and care, and should not be rushed.Attaining PCI DSS certification could take as long asone year for smaller organizations, and up to two yearsfor larger ones—especially if you’re doing all the prepwork yourself, using spreadsheets.Fortunately, there is a faster and easier way to prepare for a PCI DSS audit, one thatsaves on auditing overhead. Instead of making lists, tracking progress on spreadsheets, and searching emails and documents for evidence, why not let a qualitygovernance, risk, and compliance software do most of the work?ZenGRC can put your organization on the road to PCI DSS compliance by providing anoverview of your compliance and risk posture on a “single source of truth” dashboard.Then, at audit time, it produces the documents required by a Qualified Security Assessor or, for enterprises with fewer transactions, performs a self-audit for you with just afew clicks. Worry-free compliance and hassle-free audits: that’s the Zen way.12

The ChecklistScopeHave you examined each of the 281 PCI DSS requirements and determined which apply to your enterprise?SegmentationIs your CDE segmented and isolated from the rest ofyour enterprise network? Have you:Does your network have a firewall between the carddata environment (CDE) and the rest of the enterprise?Identified all payment channels and methods foraccepting, processing, and storing cardholderinformation, from the point of receipt to the pointof destruction, disposal, or transfer?Does that firewall allow only designated systems tocommunicate with CDE systems using approved ports?Included in this identification all systems within andconnected to the CDE?Does the firewall block all out-of-scope networks fromcommunicating with your enterprise’s CDE systems?Implemented controls that restrict access to thissegment only to those who need it?FirewallsEncryptionDo you use point-to-point encryption from the momenta cardholder submits their information all the waythrough payment processing?Have all your point-of-sale devices, software, and pointto-point encryption devices been approved by the PCIcouncil?Third-party complianceDoes your organization outsource any functions in thescope of PCI DSS? Are those vendors compliant with theframework?Do you have written agreements with vendors establishing who is responsibility for compliance with eachapplicable PCI DSS requirement?Do you use a third party to handle your payment processing? Is that processor PCI DSS compliant?Do you retain any payment information from transactions? Is your payment application PCI-approved? Is itpatched and up-to-date?Tested to be certain that in-scope and out-of-scopenetworks cannot communicate?Ensured that cardholder data does not gettransmitted via wifi?DisposalDoes your enterprise retain cardholder data? Why doyou keep it? Do you keep only what you need?For how long do you retain cardholder data? Do youdispose of it as soon as you no longer need it?How do you destroy and dispose of cardholder data?Has your method been approved by the PCI SecurityCouncil?ComplianceHave you determined your enterprise’s compliance witheach of the objectives and sub-objectives on your list ofapplicable PCI DSS requirements?ControlsHave you recently tested each of the controls on thesecurity of your payment transaction network to ensurethat all are working as they should?Have you collected evidence attesting that each controlis functioning properly?13

About ReciprocityReciprocity provides ZenGRC to the world’s leadingcompanies. Our cloud-based solution with fast, easydeployment, unified controls management, and a centralized dashboard offers simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. Contacta Reciprocity expert today to request your free demo,and embark on the worry-free path to regulatorycompliance—the Zen 440-7971