Practically Speaking PCI-DSS: A Step-by-Step Payment Card Security Approach
If your company accepts payment cards (credit, debit or prepaid) or transmits or stores cardholder data, we understand that security concerns may keep you up at night. Recent data breaches at Target, Neiman Marcus, and Michaels, to name a few, demonstrate how vulnerable companies can be to cybercriminals. Beyond the large retailers that have experienced breaches, small, mid-size and online-only retailers are also feeling the heat.
The Payment Card Industry Security Standards Council (including the five founding global payment brands, American Express, Discover Financial Services, JCB International, MasterCard and Visa) incorporated the PCI Data Security Standard (PCI-DSS) as the technical requirements of each of their data security compliance programs to help merchants protect valuable customer data. Compliance with the PCI-DSS is enforced by contract, fines, pass-through fraud charges and by the threat of being excluded from the card processing ecosystem. However, as an in-house counsel, CIO, or CISO, you may find that making sense of just the main 112-page PCI-DSS 3.0 document is a daunting task. Luckily, there is a practical and comprehensive way to approach the PCI-DSS. For those of you thinking of reviewing your enterprise payment card security, we recommend the following approach:
STEP 1: Assemble the Team
Bringing your company into compliance with the PCI-DSS will require the internal cooperation of team members in most of your company’s departments such as: IT, Compliance, Facilities, Business, Legal, Human Resources, Project Management and Executive teams. The 12 requirements of PCI-DSS span across different departments within an organization. Identification of the appropriate subject-matter expert from each department and active ongoing participation of the subject-matter experts will help maintain compliance with the PCI-DSS. Giving full responsibility for the entire PCI-DSS compliance project to an IT manager is highly discouraged and can be a recipe for delays and cost overruns. Simply put, the IT manager will not be armed with sufficient information to do his/her job. Payment card processing is a core business concern that requires a multi-disciplinary team. Decisions such as the following are commonly taken in the PCI-DSS review process:
- Reducing or eliminating payment card data storage,
- Approving system downtime for redesign of severs or networks,
- Retooling identity and access management systems, and
- Justifying the business need for storage, processing or transmission of payment card data.
These are just a few examples of actions that cannot be resolved by an IT manager in isolation. Similarly, controls related to human resources and facility services are to be governed and managed by the respective functions. Because there will be significant cross-department communication and risk determinations, strong project management is key. View PCI-DSS compliance like a very large compliance review or product build-out: you will need a strong Project Manager to get the company over the compliance goal post.
Externally, consider hiring a Qualified Security Assessor (QSA) to assess your company’s compliance with the standard. Make sure that the QSA you choose is licensed by the PCI Security Standards Council using this tool. If a QSA will be hired, consider the fact that he or she is a third party and his/her communications are likely discoverable. Unless you feel confident that no significant non-compliance will be found, involve legal counsel in hiring the QSA and ongoing evaluation of the QSA relationship.
STEP 2: Scan Your Systems
Scan your company’s entire system environment to identify databases and systems with payment card information. It is important to remember that scanning software frequently misses certain card use cases, such as payment card numbers voiced in call center audio recordings, handwritten card information on scanned forms (or any other document that is not in text-recognizable form) and card numbers in enterprise e-mail systems.
STEP 3: Data Store Decommissioning… Don’t Need It? Don’t Keep It
You may find that you have systems and databases with payment card information that you don’t need. Retire any systems and databases that are not actively in use. Work with your IT group to ensure proper data wiping and drive disposal of any databases that will be decommissioned.
STEP 4: Network Segmentation… Minimize the Amount of the Network Subject to PCI-DSS Controls
It is likely that your network can be structured to avoid subjecting the entire network to PCI-DSS hardening. Instead of hardening the entire network, a less expensive and time-consuming approach is to migrate systems and databases with payment card numbers to a dedicated network segment. Please note that any shared infrastructure, such as firewalls, servers in a virtual cluster, storage facilities, mirroring, and backup, must be appropriately hardened. You should have your network segmentation architecture vetted to avoid intermingling the more-secure PCI environment with the non-PCI environment.
STEP 5: Implement Policy and Programmatic Changes to Your IT Standards
In addition to implementing the PCI-DSS technical controls on the in-scope portion of your network, you must document a number of policy, program and procedural changes. Review your company’s policies and procedures to ensure that they are compliant with PCI-DSS and that they actually are implemented. Many of the practices required by PCI-DSS are generally good IT practices, so if possible, review your entire information security program and add in specifics regarding PCI-DSS.
Bear in mind that before a payment card breach happens within your environment, the company has the benefit of prioritizing specific needs, scheduling appropriate compliance discussions and budgeting for PCI-DSS implementation. This means that you can break compliance reviews into phases and minimize the impact on your internal technical teams that must keep your business running. Once a payment card breach happens on your network or systems, the payment card brands will require a clean third-party PCI-DSS audit before the case can be closed. If you are in that situation, you lose some of the ability to drive timing and to conduct resource management.
Want to learn more? PCI-DSS compliance will be one topic in our upcoming fall Security Boot Camp series. We will also address topics such as HIPAA security standards compliance and understanding IT Audit standards. We will post a blog entry on our security boot camp series shortly and we will be inviting our blog readers to also submit topics of interest to them.
Featured Photo By Shardayyy from Flickr Photo Cropped