PCI DSS - What it is and what it isn't
What PCI Isn't
Let’s dig in. PCI is not easy, but it can be made significantly easier with the right configuration and tuning of your PCI compliance environment, through the use of scope reduction techniques such as network segmentation and tokenization of the payment card data.
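To make the tokenization point concrete, here is an added illustration (not code from the original post) of why tokenization reduces scope: only the vault ever holds the full primary account number (PAN); every other system stores the random token plus a masked form. The `TokenVault` class, the `tok_` prefix and the test card number 4111 1111 1111 1111 are constructed for this example.

```python
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check used by card networks; rejects mistyped PANs before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form that keeps at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Constructed example: the single in-scope component that maps tokens to PANs.
    Systems that only hold the token and the masked PAN do not store cardholder
    data and can be kept out of the cardholder data environment."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        if digits in self._token_by_pan:          # same card, same token
            return self._token_by_pan[digits]
        token = "tok_" + secrets.token_hex(8)     # random, not derived from the PAN
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path (inside the PCI zone) should ever call this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")
    # What an order database outside the PCI zone would keep:
    print({"token": tok, "display": mask_pan(vault.detokenize(tok))})
```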
PCI compliance is not a guarantee that you won’t be breached (think of all the big retailers out there who’ve been breached - I’m sure they all passed their PCI Assessments). PCI done correctly however can greatly improve your chances of preventing a breach and detecting one also.
PCI is not optional, but you can offload some of the burden to PCI compliant third parties and greatly reduce your PCI headache. You can’t outsource responsibility as the old adage goes, but picking a PCI compliant third party who specializes in PCI and securing payment cards is often the right way to go.
What Is PCI
Now that we’ve talked about what PCI is not, let’s talk about what it is. The Payment Card Industry Data Security Standard (PCI DSS) is a solid, comprehensive security standard that applies to all organizations who store, process, or transmit payment card information. There are lots of PCI specific terms and a whole lot of requirements. You can read all about it at the PCI Council Website: https://www.pcisecuritystandards.org/. However, if you are like most, you’ll still have questions. The website does have a list of frequently asked questions, but it won’t answer all of them, which makes securing the services of a security professional experienced in PCI extremely important.
A PCI assessment is daunting. It is an open book test that is hard to pass. PCI is not very forgiving in terms of the requirements you can fail during an assessment. You have to pass them all - though compensating controls can be applied in some cases. PCI doesn’t really allow you to do much risk acceptance either.
Let’s break down the core requirements for PCI DSS that result in PCI Compliance:
Design, construct and maintain a secure network and systems, including installation of a firewall between wireless network and cardholder data environment
Protect cardholder data
Implement and maintain a strong vulnerability management program
Introduce and execute solid access control measures
Regularly monitor and test networks
Develop and maintain information security policy and ensure proper distribution via training sessions and manuals
These don’t sound so bad, and you are probably thinking to yourself that you already do most of them. However, these PCI requirements have many sub requirements that total nearly 300 individual control points you must meet (depending on your configuration). PCI requires documentation supporting the requirements (policies, procedures, or standards), and you will also be required to produce the actual configurations to show you meet the requirements.
You may also be required to have penetration testing and vulnerability scans in support of your PCI assessment. Vulnerability scans by an approved scanning vendor (ASV) are required quarterly and you must pass the scan for all external facing IP Addresses.
External and internal penetration testing are also required annually. If your PCI configuration requires network segmentation from your internal network (which it definitely would if you store payment cards), segmentation testing of your PCI zone is also required every six months. Should you have a web application in the scope of the assessment, a web application pen test is also required annually (however, a web application firewall can be accepted instead).
PCI also requires the basic blocking and tackling of information security that you are already doing (or should be) such as user provisioning / deprovisioning, anti-virus protection, patching, configuration hardening, and security awareness training to name a few. Though you may do those basics – you’ll have to have a process in place that provides enough evidence for your PCI Assessor to follow and audit.
Part of the difficulty in PCI is interpreting the requirement. I mentioned it’s an open book test and it is, but you will probably find yourself struggling to interpret the questions. Organizations struggling with PCI Compliance and those who have been asked to comply by banks or customers (especially the first time through) would do well to engage the services of a competent PCI professional.
If you’d like to continue the discussion, please contact me at mark.keppler@sevn-x.com.