PCI compliance can be just as much about reducing stress as it is about beefing up cardholder security measures. Most organizations want to get their house in order and complete a PCI assessment as quickly and painlessly as possible.
At our recent PCI Expert Summit, RSI Security’s own Peter Phaneuf conducted a session entitled “Documentation: How to Streamline Your Assessment in 12 Weeks.”
Peter advised that the key to getting through an audit in 12 weeks is document and evidence preparation. Here’s how Peter recommends using documentation for each requirement to streamline your PCI assessment.
Requirement 1: Install and Maintain a Firewall Configuration
The first step you’ll need to take is implementing a strong firewall. Peter recommends that you adopt a change management policy for installing a new firewall, in addition to formulating a firewall policy with clear roles and responsibilities.
Requirement 2: Vendor-Supplied Default Passwords
To make PCI compliance go as smoothly as possible, Peter recommends that you audit and address vendor-supplied default settings on all your hardware devices and software applications. Configuration standards should be clearly detailed in your infosec policy.
Requirement 3: Protect Stored Cardholder Data (CHD)
Peter recommends providing details of what CHD is stored, where it’s stored and how it’s rendered unreadable. Employ tokenization, hashing, truncation and cryptography. Your policy should have details of algorithms, protocols and key strength.
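As an added example (not code from the summit session or from RSI Security), the snippet below shows two of the methods listed above for rendering a stored PAN unreadable, truncation and keyed hashing, together with the Luhn check used to recognise a PAN in the first place. The key and the card numbers are constructed test values; the field names are this example's own choice. The caveat it illustrates is that when a truncated PAN and a hash of the same PAN sit side by side, only six digits remain unknown, so an unkeyed hash could be brute-forced; the secret key is what makes the pairing safe.

```python
"""Render a PAN unreadable for storage: Luhn validation, truncation to
first-six/last-four, and an HMAC-SHA256 keyed hash. Added example with
constructed values; not the original article's code."""
import hashlib
import hmac
import re

# Constructed key for the example. In production the key lives in an HSM or
# KMS, never in source, and its algorithm, strength and rotation are the
# details the policy under Requirement 3 is expected to document.
HMAC_KEY = b"example-key-do-not-use-in-production"


def luhn_ok(pan: str) -> bool:
    """True if the digits of `pan` form a valid Luhn checksum (13-19 digits)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed SHA-256 of the full PAN. An unkeyed hash of a 16-digit number is
    cheap to brute-force, especially next to a truncated copy that already
    reveals ten of the digits, so the key is not optional."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def store_record(pan: str) -> dict:
    """Build the record that goes to storage: the full PAN appears nowhere in it."""
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return {"pan_truncated": truncate_pan(pan), "pan_hmac": hash_pan(pan)}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known constructed test number.
    print(store_record("4111 1111 1111 1111"))
```

The `store_record` output is the kind of artefact to keep as evidence: it shows the assessor exactly which form of the PAN is retained and that the full number is never written.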
Requirement 4: Encrypt Transmission of CHD
A CHD flow diagram will identify components and transmission paths, so you can effectively encrypt all data transmission. Your policy should document all encryption methods as well as address the prohibition of end-user messaging technology.
Requirement 5: Protect Systems & Update Anti-Virus Programs
Your infosec policy should detail what type of anti-virus or malware software you use. If you use Linux, your policy should state what source is used to check for security updates. You should provide a sample of antivirus logs and screenshots of settings showing anti-virus is active.
Requirement 6: Develop Secure Systems and Applications
Every organization should have a software development policy that addresses the development and deployment of internal software applications. Your policy should address your patching schedule, and you should always scan and review the results after patches are applied.
Requirement 7: Restrict Access to CHD by Need to Know
Access to your critical systems and data should be restricted only to personnel who require said access to perform their business functions. Therefore, your infosec policy should define role-based access requirements. Again, keep access control screenshots for easy documentation.
Requirement 8: Identify and Authenticate Access to Systems
Your infosec policy should cover all key items for access management. Include unique IDs, inactive accounts and session timeouts. Only admins should have direct query access, and multi-factor authentication (MFA) should be used for all non-console and remote access.
Requirement 9: Restrict Physical Access to CHD
Since many businesses are cloud-based, you'll want to take adequate precautions in protecting your cloud hardware drives. Make sure to collect evidence that you're implementing proper access controls like badges, and revoke permissions for terminated employees.
Requirement 10: Track and Monitor All Access to Network and CHD
The more logs you collect and organize, the smoother your PCI compliance efforts will be. Verify all required items, from user IDs and event types to system and resource names. Write up the time-sync architecture and include it in your infosec policy.
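As an added example (not code from the session or from RSI Security), the check below runs over a handful of constructed audit log lines and reports which ones lack the detail items PCI DSS Requirement 10.3 expects in every record: user identification, event type, date and time, success or failure, origin, and the affected system or resource. The JSON field names are this example's own and would be mapped to your logging schema; the point is to find the gaps before the assessor does, and to confirm that timestamps carry a timezone so records from different systems line up after time synchronization.

```python
"""Check audit log records for the PCI DSS 10.3 detail items.
Added example with constructed log lines; not the original article's code."""
import json
from datetime import datetime

# One field per 10.3 item; the names are this example's choice.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "target")


def check_record(line: str) -> list:
    """Return the problems found in one JSON audit line (empty list = complete)."""
    problems = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing {field}")
    if "timestamp" in rec:
        try:
            # ISO-8601 with an explicit offset; "Z" is normalised for older Pythons.
            ts = datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
            if ts.tzinfo is None:
                problems.append("timestamp has no timezone")
        except ValueError:
            problems.append("timestamp not ISO-8601")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be success or failure")
    return problems


def audit_log_report(lines) -> dict:
    """Summarise a batch: total records, how many are complete, problems by line number."""
    report = {"total": 0, "compliant": 0, "failures": {}}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        report["total"] += 1
        probs = check_record(line)
        if probs:
            report["failures"][n] = probs
        else:
            report["compliant"] += 1
    return report


# Constructed sample: one complete record, one missing the user, one with a
# naive local timestamp and a non-standard outcome, one raw syslog line.
SAMPLE_LOG = [
    '{"timestamp":"2024-03-05T14:02:11Z","user_id":"jdoe","event_type":"login",'
    '"outcome":"success","origin":"10.0.0.7","target":"chd-db-01"}',
    '{"timestamp":"2024-03-05T14:03:40Z","event_type":"query","outcome":"success",'
    '"origin":"10.0.0.9","target":"chd-db-01"}',
    '{"timestamp":"2024-03-05 14:05:02","user_id":"svc-batch","event_type":"export",'
    '"outcome":"ok","origin":"app-02","target":"chd-db-01"}',
    "Mar  5 14:06:00 chd-db-01 sshd: Accepted publickey for root",
]

if __name__ == "__main__":
    print(json.dumps(audit_log_report(SAMPLE_LOG), indent=2))
```

Running the report over a day's export from each in-scope system, and keeping the output alongside the log samples, gives the assessor the evidence that the logging standard in your policy is actually met, not just written down.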
Requirement 11: Regularly Test Security Systems and Processes
Your infosec policy should describe how wireless systems and routers are used and protected throughout your technology infrastructure. Include the incident response plan provisions for dealing with breaches, and conduct quarterly vulnerability scans.
Requirement 12: Maintain an Information Security Policy for All Personnel
Finally, you'll want to collect and provide evidence of adequate security training on an annual basis. This ensures that all access to your network and CHD is authorized. Also be able to provide evidence of adequate background checks for new employees.
Streamlining your PCI assessment can be done, and compliance doesn't have to be a headache. Just make sure to follow Peter's 12-step process, and work with a certified PCI compliance partner like RSI Security to get you headed in the right direction.