Wednesday, November 09, 2011: 11:05:13 PM

Retailing Guest Column

The Eight Simple Steps for Successful PCI Compliance - Ashish Thapar, Verizon Business

The exponential growth of data within organisations comes not only with greater challenges but also increased responsibility


Many organisations view data as power. However, in reality, the more personal data they store, the more they are exposed to potential data breaches and vulnerabilities.

For the second year in a row, a Verizon report has found that too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk. The Verizon Payment Card Industry Compliance Report found that most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they are at greater risk of losing confidential customer information and falling victim to credit-card fraud.
The report found that only 21% of organisations were fully compliant during the initial audit. Businesses continue to fail to maintain compliance even though they face steep penalties, including fines and increased transaction fees from the credit card brands. Businesses also now face pressure from their partners and customers to demonstrate continued compliance. Most importantly, non-compliant organisations are more likely to be breached and suffer from identity theft and fraud issues.
It is actually quite simple for companies to gain a deeper insight into PCI DSS – which will help them to achieve a high level of success throughout the compliance assessment and beyond into implementation. Key guidelines are as follows:
Start early
One of the common misconceptions about PCI DSS compliance is when to begin compliance project planning. For the best chance of success, organisations should really look to begin the compliance journey as soon as they decide to accept payment cards or explore a new acceptance channel – for example, connected with an e-commerce venture, or a new point of sale (POS) system.
Organisations then need to adopt a prioritised approach to PCI DSS – not least because this helps to simplify the process. The approach required will probably vary from one organisation to another, so putting in the time upfront to identify key risk areas pays off. For example, a large retail organisation may place higher priority on requirements that impact its POS network and retail stores, while a call centre may prefer to focus on data retention and encryption; each organisation should prioritise based on its specific environment and systems as well as its appetite for risk. Working with a trained and experienced third-party professional to develop the compliance roadmap at this early stage can be extremely effective – and invariably, money invested here smooths the overall compliance process and achieves cost efficiencies in the longer term.
Limit the scope
The scope of PCI DSS compliance is driven by the way cardholder data is stored, processed and transmitted at any merchant or service provider. That organisations should segregate the cardholder data environment to the maximum extent possible, by implementing firewalls between different network subnets, would seem a given. However, this can actually be difficult to do, especially in legacy environments where security has historically been focused on protecting the organisation’s perimeter. The 12 requirements of PCI DSS apply to all system components, which are defined as any network component, server or application that is included in or connected to the cardholder data environment. If there is no adequate segregation between the subnets, then the organisation’s entire network can become in scope for the PCI DSS assessment.
Only keep what’s really necessary
There is one golden rule in PCI DSS compliance: if you do not need it (i.e. cardholder data), do not store it.
It is important to objectively evaluate what data is really needed to run a business operation, and to understand how it flows throughout the business. It is also important to know what qualifies as cardholder data and consequently what needs to be protected and what is prohibited from storage. For example, ‘sensitive authentication data’ is not permitted to be stored post authorisation, even if encrypted or hashed. However, some organisations mistakenly believe that storing this data post authorisation is required for certain business purposes (e.g. posting recurring transactions on behalf of the customer, avoiding payment conflicts, and handling charge-back situations). In reality, there is no justifiable business reason to store such data post authorisation, as none of the scenarios listed above requires re-submission of sensitive authentication data.
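As an added illustration of the storage rule above (example code, not part of the original column or any Verizon tooling), the routine below takes a transaction record after authorisation, drops the sensitive authentication data fields, flags track data that has leaked into a free-text field, and masks the PAN before anything is written to storage. The field names and the sample record are assumed for the example.

```python
import re

# Sensitive authentication data (SAD): must never be stored after authorisation,
# even encrypted or hashed. Field names are assumptions for this example.
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block"}
PAN_FIELD = "pan"
# Track 2 layout: ';' PAN '=' expiry/service code ... '?' (detects SAD hidden in notes/logs).
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check: confirm a value really is a card number before treating it as PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest is masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise_post_auth(record: dict) -> tuple:
    """Return (clean_record, violations) for a record about to be persisted."""
    clean, violations = {}, []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            violations.append(f"{key}: sensitive authentication data field")
            continue                                   # never persisted
        if isinstance(value, str) and TRACK2_RE.search(value):
            violations.append(f"{key}: track data embedded in free text")
            clean[key] = "[REDACTED SAD]"
            continue
        clean[key] = value
    if PAN_FIELD in clean and luhn_ok(str(clean[PAN_FIELD])):
        clean[PAN_FIELD] = mask_pan(str(clean[PAN_FIELD]))
    return clean, violations


if __name__ == "__main__":
    # Constructed sample record using a well-known test PAN, not real card data.
    sample = {"pan": "4111111111111111", "expiry": "1225", "cvv2": "123",
              "track2": ";4111111111111111=12251010000000000?", "amount": "19.99",
              "notes": "agent swipe ;4111111111111111=12251010000000000?"}
    print(sanitise_post_auth(sample))
```

The violations list is what an assessor would want to see logged and alerted on; the clean record is the only thing that should reach a database, log file or backup.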
Follow the intent behind controls
Security staff at many organisations tend to look for a ready-made checklist or an off-the-shelf tool to simplify their security compliance tasks. While a checklist or tool can provide an organisation with a quick and verifiable methodology to achieve a control objective, what is more important is to meet the intent of that control in its entirety. At times, a checklist or tool may paint a rosy picture while things are not as good as they look. So while a checklist is always useful, it is much more important to also apply judgment to determine whether the efforts invested really match the underlying intent of the requirement.
Involve all stakeholders
PCI DSS compliance is not only an IT project; rather, involvement from all organisational stakeholders should be secured up front. The project team should include representatives from all functional groups: information security, business operations, administration/facilities, human resources and, last but not least, IT. PCI DSS requirements span all organisational departments, and the active engagement of these functions has a crucial role to play in driving – and then maintaining – PCI compliance.
Don’t be complacent
PCI DSS is a unique standard that is devised, maintained and enforced specifically to protect payment card data, and it requires special attention and focus – even (and perhaps especially) if an organisation has already implemented other security standards. The level of detail that goes into the PCI DSS can be a little overwhelming; the standard leaves little scope for assumptions and flexibility, and it may require changes to the business practices or technology components an organisation usually relies on to meet other compliance requirements. Organisations should therefore always pay specific attention to the detail required when embarking on a PCI DSS project.
Vendor compliance is the key
In the journey towards PCI DSS compliance, organisations can overlook the compliance status of their vendors and service providers. PCI DSS requires all controls to be met to achieve compliant status – partial compliance is not an option. It is therefore crucial that the compliance status of vendors and service providers is also taken into consideration if they are involved in the data handling process. Even when work involving cardholder data is transferred to these organisations, accountability still lies with the initiating (main) organisation.
Document everything
Organisations looking to achieve PCI DSS compliance should remember one final mantra: document what you do, and do what you document. PCI DSS requirements strongly emphasise evidence of documentation and evidence of implementation effectiveness. These two fundamental requirements are achievable only if an organisation religiously documents all implemented controls and maintains those controls as documented throughout the entire process.
The bar is constantly being raised and in October 2010, the PCI Security Standards Council announced PCI DSS version 2.0. This version requires a more stringent executive summary and validation of methodology for scope definition. The reality is that organisations, many of which are having severe issues complying with the existing standards, need to quickly get ready for the new version.
Ashish Thapar, CISSP, CISM, CISA, PCI-QSA, PA-QSA, GCFA, Principal Consultant - Professional Services at Verizon Business
