PCI DSS compliance can feel insurmountable. The Payment Card Industry (PCI) consists of credit card service providers such as Mastercard and Visa. The PCI Security Standards Council (PCI SSC) wrote  over 100 pages of detailed data security standard, and the amount of reading necessary  to understand the security standards can feel overwhelming. Meeting PCI DSS requirements means understanding what cardholder information you have, where you store it, and how you protect it. With that in mind, below is an overview of the introductory materials provided by the information security standard.

What is PCI compliance scope?

Determining the appropriate scope of PCI DSS is the most difficult part of the review. When determining scope, you need to define your cardholder data environment (“CDE”), which is basically any area of your computer or networked IT systems or processes that store and/or transmit cardholder data or sensitive payment authentication data. The standard describes “system components” as network devices, servers, computing devices, and all applications, providing six specific examples:

  1. Security services, segmentation services, or services impacting security
  2. Virtual components including machines, switches/routers/appliances, applications/desktops, and hypervisors
  3. Network components
  4. Server types
  5. Internal and external applications
  6. Anything connected to CDE

In addition, the annual review needs to verify the accuracy of the PCI DSS compliance reporting to ensure appropriate vulnerability management.

Do I need to network segmentation to be PCI compliant?

This is the process of isolating the CDE from all the other information in your organization. While not required as a part of PCI DSS compliance, it is a way to reduce scope, cost, difficulty of implementation, and risk.

If you have a non-segmented network (also called a “flat network”), then everything is considered part of the scope and has to be reviewed. Putting up internal firewalls or separating routers can keep information separate. You should restrict cardholder data to as few locations as possible. In addition, make a dataflow diagram to document this for PCI DSS compliance purposes.

Proving segmentation means verifying the isolation of systems that store, process, or transmit the information. However, it’s important to keep in mind that network configuration and legacy technologies can be problematic. When these are not standardized across a whole organization, it can make the mapping difficult.

How do wireless networks fit into PCI compliance?

Any point-of-sale technology (including a web site), line-busting technology, or WLAN used to store, process, or transmit cardholder data is part of the CDE and must be tested as such. PCI-DSS compliance is less cumbersome when using wireless technology for non-sensitive data only.

Can I use of third-party service providers/outsourcing to manage my PCI DSS requirement?

If you use a third party service provider, you need to assess their services carefully. The contract should clearly delineate the parts of the PCI-DSS requirements covered by you and the services provider.

The service provider needs to prove its compliance. There are two ways it can do so:

  1. Annual assessment done independently and provided to their users.
  2. Multiple on-demand assessments at the request of each client.

If the service provider chooses to do its own annual assessment, the customers need to make sure that it covers their compliance needs and is part of the contract.

What are best practices for implementing PCI DSS into business-as-usual processes?

As with all compliance, your program will strengthen if you create a culture of compliance to the point that  it becomes second nature. PCI lists six ways that an organization can make this happen.

  1. Monitor everything.
  2. If something goes wrong, make sure you have processes to act really fast. This includes restoring controls, figuring out the reason for failure, addressing what caused the failure, finding a way to mitigate the cause of failure, and resuming monitoring.
  3. Review any changes to the environment before putting them into action.
    1. Always risk assess PCI DSS impacts.
    2. Review any PCI DSS requirements that are triggered by the changes.
    3. Update your scope and controls.
  4. If you have any changes, such as mergers or acquisitions, in your organizational structure, remember to review the impact on scope and requirements.
  5. Do periodic reviews to prove continued compliance and make sure you have all the necessary documentation to back up those reviews. This means looking at not just the written policies/procedures but also making sure that people are following them.
  6. Review all your hardware and software. If you have hired vendors, make sure to review their PCI DSS compliance annually.

As a qualified security assessor (QSA), how do I sample business facilities/system components?

If you are a large organization with a lot of locations, you can choose to review a random sampling of components for your PCI DSS audit. However, you cannot choose to review only a small portion of your whole environment or review only a sample of requirements. In other words, your whole environment needs to be compliant equally. You sample the locations where the information is stored, not the requirements themselves. You can’t choose parts of the standard you like and ignore others under the guise of “sampling.”

Samples should be twofold. First, you need business facility samples, and second, system component samples.Business facilities are the physical locations where information is stored. System components are the software and hardware used in those physical locations. These samples need to be representative and large enough to capture a good snapshot of your overall landscape.

When selecting your samples, you need to think about the following:

  1. You can make your sample smaller if you have a centralized, standardized process and controls that everyone has to follow. If you don’t have a standardized process, then you need to make sure your sample is big enough to show that every location is complying with PCI DSS.
  2. If each business area has its own way of doing things, the sample needs to make sure that each of these methods of compliance are reviewed.
  3. If everyone is handling compliance independently and no standards exist, the sample needs to be larger to survey all the different ways the various facilities do things.
  4. System component samples need to ensure a review of every type and combination used. This means making sure that different versions of applications, platforms, and hardware are documented.

Whenever you choose sampling,

  1. Document how you made the decisions about location, component, and sample size.
  2. Document and validate which of the sample types above you used (organization standards, business area standard, location standards).
  3. Explain why the sample is a good overview of everything in your organization.

Compensating Controls

Review all your compensating controls annually.

PCI DSS compliance requirements specifically state ways in which you can be compliant. However, before getting compliant, you need to understand where your organization stores information and what information it stores. By reviewing the information provided in the prologue portions of the standard, you can negotiate the approach to compliance.

For information on how ZenGRC’s preloaded content can help you get compliant faster, contact us to schedule a demo.