By Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd
“Is it hard?”
“Not if you have the right attitudes. It’s having the right attitudes that’s hard.”
Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance
Is it hard to be PCI DSS compliant? Not if you have the right attitude. PCI data security compliance is not about ticking the box on a particular day; it’s about a change of outlook and meticulous ongoing maintenance.
A PCI DSS assessment is like an MOT; it only applies to a given moment in time. Picture this: your car passes its MOT in the morning, but on the way home something – even something minor – occurs that renders your vehicle technically un-roadworthy. You know that if you took the same car to the same garage at 5 o’clock on that very same day, it would not pass the test and would no longer comply with the Road Traffic Act. Although you would hold an MOT certificate in your hand, it no longer reflects the state of your vehicle. Ongoing maintenance is required to keep you safe.
In the same way, PCI DSS compliance requires ongoing maintenance. Of course, we all know that there are some for whom simply ticking the box on an annual basis is their modest ambition. But, like the driver with dodgy brakes, they are almost certainly heading toward disaster. They may be only one ill-conceived change control request away from non-compliance.
Others have been working toward compliance for a long time and have a fully mapped programme of work spanning several years. For these companies, their QSA is like a good mechanic; they not only work to achieve compliance but also offer guidance in security best practice, using their experience to help design policies and procedures that will stand the test of time.
So, what guidance would a good PCI DSS mechanic give you? Given that every business is different, they would certainly tailor a programme of activity to meet your specific needs. But the principles of good practice remain constant, and an awareness of these will stand you in good stead.
Firstly, know your environment. To do this, you should maintain an Information Asset Register so that you know what data you have access to and where it is. Use this information to feed an Information Management System and devise a Payment Strategy to ensure that all payments are accepted and processed in a standardised way. If you know your threat profile, you should exert maximum effort in those areas first, but it is also important to establish a Security Diary to make sure that tasks are assigned to named people and performed as required throughout the year.
Compliance should never be seen simply as a tick-box exercise. In fact, certain requirements can actually improve working practice and add value to your business. For example: System Hardening Profiles can, in certain circumstances, be automated so that new servers or devices are deployed quickly and securely; regular maintenance and patching gives a more stable environment with less risk of failure and greater security; staff with a better understanding of data security are more likely to identify problems effectively, and before they become service-affecting; and diarising what some term Audit Tasks throughout the year ensures stability and surfaces issues in a timely manner, rather than only at MOT time.
For those who have met the PCI DSS standard, there is, of course, the requirement for ongoing re-assessment. There are some differences between the requirements for the initial PCI DSS assessment and those for re-assessment, principally a need to provide evidence to demonstrate activity throughout the preceding 12 months. For example, there is a requirement to show how System Patches are risk assessed and applied as well as how you have assessed and ranked Security Vulnerabilities as they have been discovered.
Re-assessment also requires evidence of at least two firewall reviews, as well as of how Cryptographic Key changes and Change Control Logs are used to support many aspects of compliance throughout the year. In addition, you must show evidence of how access is granted, amended and removed for users, provide 3 months of recorded data for review, and have a log in evidence detailing all visitors to the site within the previous 3 months.
For re-assessment, logs are also required showing the tracking of all media containing payment data; for logging data, 12 months of records are needed, and for the System Audit Process there must be evidence of how the logs are reviewed and what actions are taken as a result. Additional results and reports must be available for review relating to Wireless Scanning, Internal Vulnerability Scanning, Penetration Testing, Policy and Document Reviews, and Incident Logging and Response.
Perhaps inevitably, when the requirements for ongoing maintenance of your PCI DSS compliance are so prescriptive, there are a number of common issues that may jeopardise repeat assessments if diligently planned policies and procedures are not followed. Often staff are not accountable and, as a result, various tasks are not completed. For example, if six-monthly Firewall Reviews are not diarised and no one has been specifically allocated the task, who will remember?
Guidance from a QSA will assist with many of the common problems. Where payment procedures have been introduced that are at odds with the established methods for processing card data, a defined payment strategy is helpful. Where there is a risk of critical patches not being risk assessed or applied within the 30-day window, a robust patching procedure is essential to limit exposure to risk. Expert advice will also help streamline processes for vulnerability scanning and for locating unencrypted card data, which can all too often be found on desktops and servers.
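The Security Diary, the evidence windows listed for re-assessment and the "who will remember?" problem above all come down to the same bookkeeping: every recurring task has a cadence and an owner, every patch has a 30-day clock, and every evidence store must reach back far enough (3 months of visitor and access records, 12 months of logging data). The following is an added illustration, not code from the article or from Security Risk Management Ltd; the task names, owners, patch identifiers and dates are constructed sample data, and the 182-day firewall cadence is simply "six-monthly" expressed in days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class DiaryTask:
    name: str
    cadence_days: int               # how often the task must be performed
    owner: Optional[str]            # accountable person; None means nobody is assigned
    last_completed: Optional[date]  # None means no completion has ever been recorded


@dataclass
class PatchRecord:
    name: str
    released: date
    applied: Optional[date]         # None means still outstanding


@dataclass
class EvidenceStore:
    name: str
    retention_days: int             # how far back the assessor expects records
    oldest_record: Optional[date]   # earliest record actually on file


def overdue_tasks(tasks: List[DiaryTask], today: date) -> List[str]:
    """Names of diary tasks whose next due date has already arrived (or that were never done)."""
    overdue = []
    for t in tasks:
        if t.last_completed is None or t.last_completed + timedelta(days=t.cadence_days) <= today:
            overdue.append(t.name)
    return overdue


def unowned_tasks(tasks: List[DiaryTask]) -> List[str]:
    """Names of diary tasks with no accountable owner: these are the ones nobody will remember."""
    return [t.name for t in tasks if not t.owner]


def late_patches(patches: List[PatchRecord], today: date, window_days: int = 30) -> List[str]:
    """Patches applied (or still open) more than window_days after release."""
    late = []
    for p in patches:
        end = p.applied if p.applied is not None else today  # open patches are measured to today
        if (end - p.released).days > window_days:
            late.append(p.name)
    return late


def retention_gaps(stores: List[EvidenceStore], today: date) -> List[str]:
    """Evidence stores whose oldest record does not reach back the required number of days."""
    gaps = []
    for s in stores:
        required_from = today - timedelta(days=s.retention_days)
        if s.oldest_record is None or s.oldest_record > required_from:
            gaps.append(s.name)
    return gaps


# Constructed sample diary, patch log and evidence inventory (not real data).
TODAY = date(2024, 6, 1)
TASKS = [
    DiaryTask("Firewall rule-set review", 182, "network team", date(2023, 11, 15)),
    DiaryTask("Wireless scan", 91, None, date(2024, 4, 1)),
    DiaryTask("Internal vulnerability scan", 91, "secops", date(2024, 5, 10)),
    DiaryTask("Policy and document review", 365, "ciso", None),
]
PATCHES = [
    PatchRecord("KB-A", date(2024, 4, 20), date(2024, 5, 5)),   # 15 days: inside the window
    PatchRecord("KB-B", date(2024, 4, 1), date(2024, 5, 10)),   # 39 days: late
    PatchRecord("KB-C", date(2024, 5, 20), None),               # open, 12 days: not yet late
    PatchRecord("KB-D", date(2024, 4, 15), None),               # open, 47 days: late
]
EVIDENCE = [
    EvidenceStore("Visitor log", 91, date(2024, 1, 1)),          # covers the 3-month lookback
    EvidenceStore("System audit logs", 365, date(2023, 9, 1)),   # does not reach 12 months back
]


def diary_report(today: date = TODAY) -> dict:
    """One structure an owner can review each week, well before MOT time."""
    return {
        "overdue": overdue_tasks(TASKS, today),
        "unowned": unowned_tasks(TASKS),
        "late_patches": late_patches(PATCHES, today),
        "retention_gaps": retention_gaps(EVIDENCE, today),
    }


if __name__ == "__main__":
    for heading, items in diary_report().items():
        print(f"{heading}: {', '.join(items) if items else 'none'}")
```

Run on the sample data, the report flags the firewall review (last done more than six months ago), the policy review (never recorded), the unowned wireless scan, two patches outside the 30-day window and an audit-log store that only reaches back nine months. The point is not the arithmetic but that each finding names a task, an owner gap or an evidence gap months before an assessor would.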
PCI DSS compliance should not be considered an onerous or unnecessary burden, however. If taken to the heart of an organisation, it can bring with it untold benefits in terms of efficiency and staff morale. Yet, not surprisingly, few could confidently navigate their way through PCI DSS compliance without the occasional slip-up, no matter how much continuous effort they may exert. This is where input from a professional is key. Just as few of us would undertake complex maintenance or repair jobs on our cars (or motorbikes), there are times when it’s best to call in an expert.