Any organisation that processes credit card transactions is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), says Simeon Tassev, director and QSA at Galix.
This global standard was developed to ensure that payment card processes and all payment card data are secure throughout a transaction. Compliance requirements differ depending on the size of the organisation as well as its role in the process. However, one mistake many enterprises make is believing that the compliance process is a simple task that takes at most a few weeks.
In addition, organisations need to bear in mind that each area of compliance must be met 100% before moving on to the next stage, and remediation of non-compliant areas can prove challenging. PCI DSS compliance is not an end goal, but a journey, and adequate preparation prior to the audit process is essential.
One of the biggest tasks with regard to PCI DSS compliance and audits is understanding the scope of the project. The scope includes every system, process and person that is involved in credit card data, even if only in the smallest way.
For clients, understanding the relationships between processes, people and technology can be difficult. For auditors, defining the scope and demonstrating the links and relevance to clients is a challenge. The difficulty with defining the scope up front is that often during an audit, investigations will uncover additional areas where payment card data and processes are involved.
Furthermore, areas that are not compliant need to be remediated, and the process for doing so is entirely dependent on the specific scenario. This in turn makes up-front costing a challenge for auditors, as they cannot define a concrete scope before the project commences.
In order to ensure the success of a PCI DSS audit, there are many steps that need to be followed and addressed first. Engaging with an auditor in the preliminary stages can vastly improve chances for success. While each auditor has their own steps and strategy, the checklist for compliance remains the same, and in order to move on to the next step, the current step must be 100% complete and compliant.
The first step in the process is the pre-assessment, which is critical to the definition of scope. The pre-assessment process also involves identifying in detail all systems that are in place and creating an inventory of the Cardholder Data Environment (CDE), defined by both hardware and software.
This includes initial data discovery on the network to understand where the data sits and scans of the network to locate cardholder data. It is also essential for the auditor to understand and identify all organisational processes that come into contact with credit card data, and when they come into contact with this data. The trail needs to be identified and followed from capturing information to transmitting and storing it, as well as all elements surrounding it such as business continuity, disaster recovery (DR) and backups. Systems, system components, network elements such as switches, routers, firewalls, applications, databases, file servers and more all need to form part of the CDE, which needs to be accurate and up to date.
Initial discovery and pre-assessment enable the auditor to come up with an initial scope. However, organisations need to bear in mind that this scope is prone to change, as the process of compliance may uncover additional information and areas that need to be included. Once the initial scope is completed, a gap analysis identifies areas that do not meet compliance requirements. A remediation plan can then be constructed to address these. In addition, auditors must conduct vulnerability assessments and penetration testing, amongst other scans and tests, to measure security levels against PCI DSS. If any of these scans or tests fail, the identified vulnerabilities must be remediated to protect data and reduce risk.
Identifying a set time frame for ensuring PCI DSS compliance is difficult, as often auditors and organisations will need to go back to areas previously examined when new evidence and information is brought to light. The journey is unpredictable, and can take anything from weeks to months to years depending on the organisation, its size, its role in the process and more. To smooth the process and prepare for compliance, organisations should ensure that their security meets best practice standards, which is necessary for compliance not only to PCI DSS but also other regulatory requirements. In addition, organisations should familiarise themselves with PCI DSS requirements, conduct the self-assessment questionnaire, and start preparing and planning for the journey.
Engaging with a skilled partner such as an auditor in the beginning stages of the journey can help organisations to develop a roadmap to prepare for the audit. While the audit itself is straightforward, the process of becoming PCI DSS compliant is complex and often complicated. PCI DSS compliance does not centre solely on a single audit, but on the journey of addressing, remediating and checking off each item on the compliance checklist. If areas are not compliant and will cause an organisation to fail, there is no point in beginning the audit. The preparation and initial phases are of the utmost importance to compliance.