What should I do to prepare for a PCI audit?

What are some common challenges that companies face in trying to become compliant with PCI?

What is QDSC?

What is difference between CISP and AIS?

Will other Card Agencies accept if our organization is PCI compliant?

How much time it takes for PCI Compliance?

What is the difference between PIN audits and PCI audits?

My servers are in hosted environment. Do I need DSS or PABP or both ?

I am doing scanning from a Authorized Scan Vendor. Am I PCI compliant?

I am BS7799 compliant. Am I straight away compliant with PCI?

What should I do to prepare for a PCI audit?

At a high level, you should seek out the required documentation as mandated by PCI.

You should prepare a Project Plan based on the checklist given to you by a Qualified Security Assessor (QSA). You should identify a single contact co-coordinator. Various administrators will co-ordinate with him/her to complete various tasks.

Your Project Plan should consist of all activities and personnel with dates of completion for activities. Throughout the certification process you should expect to be in regular communication with with QSAPs via conference calls and e-mail. Seven steps that will help guide you through the preparation process include the following:

• Step 1: Establish two PCI Compliance teams. One team represents management to review the PCI compliance procedures. The other team represents IT who are responsible for implementing the controls necessary for PCI compliance.
• Step 2: Go through all the PCI DSS controls one by one.
• Step 3: Complete a detailed scoping study to restrict DSS implementation to only the cardholder network environment.
• Step 4: Once scoped, the management team starts distributing responsibilities for implementation of individual controls.
• Step 5: Conduct a weekly review meeting with both teams. Once a control has been documented, implemented and put into working order, prepare a “controls in place report” that reflects input by the Compliance officer stating the compliance status of the control, whether it is in place or not in place.
• Step 6: Once all the controls are in place, invite a QSA team to conduct a pre-certification audit. Any controls identified as being not compliant or partially compliant should be documented as such.
• Step 7: Once all control objectives are implemented you should now invite the QSA team for the final certification audit.

^Top

What are some common challenges that companies face in trying to become compliant with PCI?

Some common challenges that companies face when attempting to become compliant with PCI include:

• No Intrusion Detection System (IDS) in place.
• Logging and log management is not in place.
• Failure of get Application Security reviews for applications that are used in the processing of credit card transactions.
• Giving administrative access to too many users.
• Lack of segregation between PCI and non-PCI networks.
• Have not properly prepared for the financial and time investment required to become PCI compliant.
• Failure to assign the proper number of employees to the PCI team(s) as needed to become and sustain compliance.
• Failure to have unique login/passwords for all users.
• Ensuring that administrative access is present on all user laptops connecting to PCI network.
• No network DMZ in place.

^Top

In order to perform on-site assessments according to the PCI Security Audit Procedures and have that work product be accepted by the Participating Brands, independent security companies must first be qualified by PCI Security Standards Council as a PCI Qualified Data Security Company - QDSC. The same qualification for Asia Pacific region is called as QSA - Quality Security Assessor.

^Top

The AIS Program is the Visa management of compliance to PCI for Acquirers, Merchants and Service Providers for most regions (compliance is managed regionally). CISP is Visa USA’s Card Information Security Program; basically equivalent to the AIS Program, but not used in Asia-Pacific.

^Top

The AIS Program is the Visa management of compliance to PCI for Acquirers, Merchants and Service Providers for most regions (compliance is managed regionally). CISP is Visa USA’s Card Information Security Program; basically equivalent to the AIS Program, but not used in Asia-Pacific.

^Top

If an organization has segregated the PCI and other environment, it will take much lesser time to become PCI compliant. Secondly, organization has to put all controls as per PCI standard 1.1 in place and should be in a position to exhibit the evidence of the same to QSA. Approximately it may take about 3 to 6 months to become PCI compliant.

^Top

PIN pad device which are allowed to accept credit card swipes need to have PIN pad audits. So these audits are for the devices where credit cards are swiped for acceptance of payments. PCI audits are for merchants and service providers which store, process or transmit the credit card transactions.

^Top

Both. All remote accessing and shared servers should also follow PCI standards.

^Top

No. PCI has two components: Scans and On-site Audits. Although getting the organization's perimeter network scanned from an Authorized Scan vendor every quarter, is a mandatory requirement but it is only one of the requirements for PCI. Getting the organization's perimeter network scanned by an Approved Scanning Vendor (ASV) will not make the organization compliant.

^Top

No. BS7799 is primarily a framework standard. It does not give actual audit procedures. PCI is a specific data security standard to protect credit card data, which gives specific Requirements (12 in number) and controls which should be put in place. BS7799 compliance will not lead you to automatically achieve PCI compliance.

^Top

What follows are some high level requirements that companies face when becoming PCI compliant. Please note, this should not be considered an exhaustive list.

Requirement 1: “Install and maintain a firewall configuration to protect data.”

Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

Requirement 3: “Protect stored data.”

Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

Requirement 5: “Use and regularly update anti-virus software.”

Requirement 6: “Develop and maintain secure systems and applications.”

Requirement 7: “Restrict access to data by business need-to-know.”

Requirement 8: “Assign a unique ID to each person with computer access.”

Requirement 9: “Restrict physical access to cardholder data.”

Requirement 10: “Track and monitor all access to network resources and cardholder data.”

Requirement 11: “Regularly test security systems and processes.”

Requirement 12: “Maintain a policy that addresses information security.”

To accomplish this you should consider the following:

• You should continuously monitor your firewall settings and if required change the firewall rule setting.
• You should perform rule audits of your firewall from external independent entity. Also, if architecture changes are required, such should be done immediately.
• You should review your router configurations periodically.

^Top

Requirement 2: “Do not use vendor-supplied defaults for system passwords and other security parameters.”

To accomplish this you should consider the following:

• Disable passwords as soon as something is installed. Also, consider keeping screen shots reflecting this that can be used as evidence for third parties doing audits.
• Harden your systems and constantly monitor them for new vulnerabilities.
• Implement secure communications protocols like SSH, SSL, etc.

^Top

To accomplish this you should consider the following:

• Implement a Public Key Infrastructure (PKI).
• Review your data classification.
• Review your storage methods.
• Reviewing your data retention policies.

^Top

Requirement 4: “Encrypt transmission of cardholder data and sensitive information across public networks.”

To accomplish this you should consider the following:

• Implement a secure communications protocol like SSL or IPSec.
• Use encryption if you have a wireless network.
• Encrypt and regularly audit your email.

^Top

Requirement 5: “Use and regularly update anti-virus software.”

To accomplish this you should consider the following:

• Develop a procedure to deploy/update anti-virus technology. Anti-virus updates are generally automated procedures. However, ensure they are so and capture evidence that you receive regular updates.
• Carry out anti-virus audit on a regular basis.

^Top

Requirement 6:“Develop and maintain secure systems and applications.”

To accomplish this you should consider the following:

• Implement and enforce patch management.
• Implement SDLC security (testing, separate test & production environments, etc.).
• Implement stringent change control procedures.
• Review and thoroughly test Web application code.

^Top

Requirement 7: “Restrict access to data by business need-to-know.”

To accomplish this you should consider the following:

• Classify information in the organization.
• Implement and regularly update a strong data and system-level access control that aligns with how your information is classified.

^Top

Requirement 8: “Assign a unique ID to each person with computer access.”

To accomplish this you should consider the following:

• Eliminate group/batch logon IDs.
• Implement tokens, smartcards, and biometrics for accessing data.
• Implement 2-factor remote authentication methods.
• Implement strong user account security (password strength, account expiration, etc.).

^Top

Requirement 9: “Restrict physical access to cardholder data.”

To accomplish this you should consider the following:

• Add/upgrade facility access controls like swipe card entry to PCI environment, etc.
• Use off-site media storage.
• Add/update media storage and access controls/policies.

^Top

Requirement 10: “Track and monitor all access to network resources and cardholder data.”

To accomplish this you should consider the following:

• Implement log management.
• Implement file integrity monitors.
• Implement IDS/IPS with logging.
• Update log data review/retention procedures.

^Top

Requirement 11: “Regularly test security systems and processes.”

To accomplish this you should consider the following:

• Conduct vulnerability assessment scanning.
• Conduct penetration testing.
• Implement file integrity monitoring.

^Top

Requirement 12: “Maintain a policy that addresses information security.”

To accomplish this you should consider the following:

• Add and/or change as needed required policies.
• Conduct security awareness training.
• Add and/or update incident response procedures.

^Top

We adhere to a fifteen step structured methodology to ensure a consistent and proven means to help you meet your PCI compliance objectives. The fifteen steps are as follows:

Step 1: You review your cardholder environment. It is important that you document the components of the cardholder environment, which are storing, processing and/or transmitting cardholder's information.

Step 2: You prepare a project plan for PCI compliance, based on the checklist given by Quality Security Assessor (QSA). You should identify a single contact co-coordinator. Various other administrators will co-ordinate with him / her for fulfilling various aspects of PCI. The project plan should consist of all activities and responsible personnel, with dates of completion for activities. You should stay in constant communication with Quality Security Assessor Professionals (QSAPs) via conference calls and/or e-mails. Collection of all documentation such as security policies, network diagrams, screen shots of patch updates, etc. needs to be done. If the documentation is in hard copy format, the same should be scanned and stored in soft format along with other documentation.

Step 3: Establish PCI Compliance teams. Separate teams must be developed, one from the managerial side to review the PCI compliance procedure and the other from the technology side to implement controls necessary for PCI compliance.

Step 4: Review your network diagram/s. You must prepare a separate network diagram to highlight the components of cardholder environment which either store, process and/or transmit cardholder data.

Step 5: Go through all the PCI DSS controls one by one.

Step 6: ControlCase will assist you in deciding the scope for the cardholder environment, which must come under the purview of PCI DSS Standard. The stringent controls of PCI DSS, make it necessary that a scoping must be performed, to restrict the implementation of controls only to the cardholder environment.

Step 7: ControlCase assists in implementing the controls for PCI DSS compliance using ControlCase Compliance Manager - a web-based control software which facilitates reporting. You will be given a login ID / password to access ControlCase. You will need to update all the records on ControlCase and attach all records and evidence to support the implementation of controls.

Step 8: Once a scoping assessment is over, the management team then must start assigning responsibilities for implementation of individual controls.

Step 9: A weekly review meeting is conducted involving both the teams. Once a control has been documented, implemented and put into working order, a “Controls In Place Report” is prepared and updated by the Compliance Officer, stating the compliance status of the control, whether it is "In Place" or "Not In Place".

Step 10: You appoint a PCI / MasterCard authorized scanning vendor to perform quarterly scans for PCI DSS Compliance.

Step 11: Once the “Controls In Place” report is complete, a schedule for the final PCI DSS Compliance Audit is prepared by ControlCase and sent to you.

Step 12: Once all the controls are put in place, you should invite a QSA team to conduct a pre-certification audit. Any controls identified as being not compliant or partially compliant should be implemented. A Gap Analysis document will be furnished to you. You then proceed to remove the gaps.

Step 13: Once all the gaps are filled in, you should invite the QSA team for the final certification audit.

Step 14: ControlCase will conduct the final compliance audit for PCI DSS. Once the audit is complete, you shall be entitled to a report, three weeks from the end of the audit.

Step 15: Depending on the compliance level, ControlCase shall either issue a “Report on Compliance” or a “Report on Non Compliance”. This report shall be finally submitted to PCI Security Standards Council.

Considering the PCI DSS Standard, it becomes clear that, for an organization having no compliance to PCI, it would require a large amount of investment to become PCI DSS compliant. Therefore, it is crucial to undertake an initial scoping study to restrict PCI DSS implementation for systems and networks only holding cardholder data. This will enable you to implement controls where necessary for PCI DSS compliance and thus save on investment costs. From an investment perspective, the following hardware and software may be required for PCI DSS compliance, if not already in place.

• Log management system
• Intrusion Detection System (IDS)
• File integrity ensuring mechanism
• Conduct annual Penetration Testing from approved vendors
• Conduct annual Application Security Reviews from approved vendors
• Two factor authentication system
• Remote vendor accesses will have to be regulated and those vendors will also have to go through PCI compliance process
• Hardware Encryption Module and Key Management software
• Web Application Firewall (this Requirement is applicable from 30 June 2008)
• Separate Firewall should be put in place for Wireless Networks
• Video Cameras and recording infrastructure in the cardholder environment
• Access Control System for controlling physical access to cardholder network