PCI DSS: Testing Controls and Gathering Evidence

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not easy to achieve. Quite the opposite, in fact: A 2017 Verizon report stated that 80 percent of companies fail their PCI DSS assessments, and only 29 percent of those that pass are still compliant after one year.

PCI DSS compliance, like information security as a whole, is not a one-and-done process but ongoing. To succeed, your enterprise must be vigilant.

And comply you must, if your organization wants to do business. Penalties for non-compliance can be high—even crippling— but never fear. With planning and preparation, you can obtain that coveted Report on Compliance (ROC) or Attestation of Compliance (AOC) with relative ease.

Here’s how: Before every PCI DSS audit or self-assessment, you must test the controls around your cardholder data environment (CDE), remediate issues, and collect evidence that those security policies are working as they should.

Best practices for staying in PCI DSS compliance include:

  •     Frequent testing of organizational system and security controls
  •     On-site audits or assessments every year
  •     Quarterly scans of your systems by an Approved Scan Vendor (ASV)
  •     Documentation of your enterprise’s policies, procedures, and activities involving the processing, storage and transmittal of credit card information or cardholder data.
  •       Documentation of your systems and controls testing.

Once you’ve completed these steps, present the test results and other evidence of your PCI compliance efforts to the Qualified Security Assessor (QSA) performing your audit. Otherwise, your organization may face:

  •     A bigger-than-necessary audit bill as the auditor has to run the tests and collect the evidence themselves
  •     Costly fines for non-compliance if you fail your audit or self-assessment. Testing and remediation will greatly increase your chances of obtaining your Record of Compliance or validation.
  •     The loss of your enterprise’s ability to accept credit card payments—a crippling blow for any business

Even if you have run these tests before, you will need to do so again before each audit. The evidence you provide showing that you meet PCI DSS requirements must be current.

What is PCI DSS, and Why Does It Matter?

Established by the PCI Security Standards Council (PCI SSC), a consortium led by credit card companies Visa, Discover, JCB, Mastercard, and American Express, PCI DSS is a set of data security standards that all merchants and service providers must meet if they process credit card data.

The framework aims to secure credit card and cardholder data from a data breach. Acquiring banks, which are the financial institutions that process credit card transactions, demand continuous compliance from merchants and entities that provide certain services to those merchants. 

To meet the stringent requirements, regularly testing the security of your payment systems end-to-end is key.

How Do I Test Controls and Gather Evidence?

The controls you must test will center on the security of your entire payment card trans­action network: the point-of-sale system, the application that process­es payment information, where and how the information is stored, the network security of routers transmitting the information, how sensitive data is encrypted, and more.

  •     Risk assessment provides a critical foundation for PCI DSS compliance. Assessing risk organization-wide will help you to establish the most secure environment for credit card and cardholder data protection. Make sure that the assessment specifically addresses credit card data risk, and that remediation is documented.
  •     The PCI DSS requirements, 281 of them in 12 categories, spell out prescriptively how to put in place the controls your organization needs to comply with the framework. The directives address encryption—specifying, for instance that you should be using Transport Layer Security (TLS) rather than the outmoded Secure Socket Layer (SSL); network segmentation; third-party vendor security; security awareness training, and data disposal, among many other components of a functioning security program.
  •     Penetration testing, either by an internal employee or an independent, qualified third-party, is required throughout the CDE. The testing includes vulnerability scans, and finds gaps in your payment card system’s security and processes.
  •     Segmentation testing, required annually if your organization segments its CDE from the rest of its network, is a part of penetration testing. Its goal is to verify that segmentation methods are working efficiently, and to isolate CDE systems from those that are out of scope.

Once you have tested and verified that your controls are working, you will need to prepare an audit trail of documents demonstrating your efforts at PCI compliance. Documentation may include emails, system and network logs, policies, procedures, protocols, network configurations, system architectures, and any other written materials that show how your CDE’s security is protected.

Get Help if You Need It

The road to PCI DSS compliance can be long and arduous: at least two years for bigger companies and a year or more for smaller ones. If you’re using old-fashioned spreadsheets to keep track of all the directives and where you measure up (and don’t), you’re doing it wrong.

In today’s digital business world, there’s a much better way to become PCI DSS compliant.

ZenGRC, our user-friendly software as a service, scans your systems against the hundreds of PCI DSS directives and shows where your enterprise complies and where it falls short on an easy-to-read “single source of truth” dashboard.

ZenGRC lets you audit your CDE with just a few clicks, as often as you like, enabling you to remediate problems and close compliance gaps before your official, on-site audit or self-assessment begins.

ZenGRC also generates, stores, collects, and organizes all the documentation you’ll need at audit time. This leaves you free to work on keeping your systems and networks secure, and your clients and customers happy.

Worry-free, hassle-free PCI DSS compliance: that’s the Zen way. Call a Reciprocity expert today for your free consultation.