Preparing for a Payment Card Industry (PCI) audit requires merchants and service providers that store, process or transmit credit card data to have a detailed security assessment. The purpose of the assessment is to confirm that the merchant or service provider is handling card data in compliance with the Payment Card Industry Data Security Standards (PCI DSS).
I was recently quoted in a BusinessNewsDaily article talking about tips to help merchants and service providers prepare for a PCI assessment. In addition to the two tips mentioned in the article, I’d like to share an additional three tips on preparing for a PCI assessment:
1. Establish operating controls that protect the confidentiality and integrity of cardholder data at every stage of its lifecycle: wherever it is input or imported, processed, stored, output or transmitted, and finally disposed of.
Even if an organization is not storing cardholder data on its systems, a QSA must document the procedures used to confirm that cardholder data is not stored on the organization’s systems.
Even if an organization has not deployed wireless networking, the PCI security standards require periodic attempts to detect rogue wireless networks connected to systems.
Backups must also preserve the confidentiality and integrity of all cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company owned computer systems but also leased systems and the storage included in modern copy machines and printers.
The management of cryptographic keys is also in scope. The PCI DSS references the key management procedures published by NIST. NIST has issued Special Publication (SP) 800-57, which discusses encryption key management. It goes into detail not only on encryption itself (volume 1) but also on key management (volume 2). For most organizations volume 2 is the most relevant, unless you are using IPsec, PKI or other special cases, in which case volume 3 would also be relevant.
2. Establish controls to document and distribute security incident response and escalation procedures to ensure timely and effective handling of all compromised situations.
An incident response plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands. It should include legal counsel and public relations. Another important aspect is business continuity and returning to secure operations as quickly as possible. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence while preserving the chain of custody, and testify as an expert witness if necessary.
3. Make sure documented controls are in place for users to follow, IT to configure and management to enforce.
An organization cannot safely assume that its employees just know to “do the right thing.” Each organization has the responsibility to educate its employees, contractors and temporary employees about acceptable behaviors, unacceptable behaviors, and how to identify and report suspected security incidents. IT employees should have documentation that addresses configuration standards, logging requirements, data retention requirements and access control requirements. All staff must be made aware of the potential penalties for not complying with policies and procedures.
Undergoing a PCI audit does not have to be a daunting task if companies follow these guidelines to prepare for it.