Merchants are no stranger to the Payment Card Industry Data Security Standards, but a new version of the data protection regulations is on the horizon. PCI DSS 3.1 officially goes into effect on June 30, 2016, giving these businesses some time to prepare their SAP environments for the impending changes.
According to Park Foreman, principal security architect at GTT Communications – writing for Point of Sale News – the biggest difference between v3.0 and v3.1 is that the latter introduces new rules for auditing. Specifically, Foreman called them “stricter,” explaining that auditors have gone through additional training to ensure they are especially familiar with examining paper trails. In some cases, Foreman said that auditors will need to pay more attention to PCI sub-requirements, and if merchants aren’t careful in that regard, they could face stiffer fines than ever.
What better time to review the PCI audit assessment process than now? With auditors cracking down and new regulations only a few months from enforcement, businesses need to be sure that they’ll pass their new audit – giving credence to the mantra, “Preparation is half the battle.”
“Start by identifying the scope of PCI compliance in CDEs.”
PCI compliance. Starting at the top.
The best place to begin a pre-audit assessment is with recommendations from the PCI Security Standards Council. In the organization’s announcement of v3.1 standards, the PCI SSC said to identify the scope of PCI compliance. In other words, merchants should determine which of their IT systems must comply with PCI DSS – defined by SSC as any “components included in the or connected to the cardholder data environment.” And the CDE covers hardware, software, and wetware – or people – that process, store, send, or receive payment card and other sensitive data.
To identify that scope, there are a series of questions that merchants should ask themselves. On Information Management, Yoran Sirkis, CEO of Covertix, listed 13 key questions. Some include:
- Where is payment card data created and where does it go from there?
- Where are those systems physically located?
- Who can use that data – with respect to individual roles and business departments?
- How secure should the information be?
- Are cloud services involved, and what responsibilities do those companies have over data protection?
There are sometimes resources available for merchants to get some assistance with PCI audit assessments and scope identification. For example, an anonymous Security Manager under the alias of Mathias Thurman wrote an article on Computerworld and explained that network and data flow charts, as well as compilations of the hardware and software that businesses are using and sometimes employee master lists can all make determining PCI scope easier.
Scan and test integrity
Once PCI scope has been identified, merchants must move on to assessing the systems themselves. As Thurman said, there are over 400 controls to look at, but in his experience, security incidents and event management infrastructure are usually soft spot as well as configuration management. If that’s the case – or even otherwise – merchants should always scan for vulnerabilities and perform intrusion tests to vet the integrity of the entire PCI-compliant environments. After all, if an IT team can identify potential security gaps or outdated software, the holes can be plugged and systems can be upgraded.
In fact, under v3.1 of PCI DSS, more frequent penetrating testing will be required, so if merchants start now, they’ll have a better idea of how to regularly perform those internal and external assessments when they actually matter. Not that this practice isn’t important now, but with respect to PCI audits, businesses do not want to fail in front of an auditor.
At this point as well, merchants should ensure all of their monitoring systems are in order. Thurman explained that many businesses get burned by auditors when those individuals discover that there are no logs or reports. Thurman goes to great lengths to guarantee that he has records of every event that has ever occurred before headed into a PCI audit.
The paper trail
This leads to another phase of pre-PCI audit assessment: documentation collection. Merchants need to create and present a paper trail of their policies and procedures, hardware and software configurations and adjustments, backup strategies, and security scans and reports. Hopefully, businesses have been collecting those documents over the course of the year, but if they haven’t compiled them in one place before, pre-audit is the best time to create a folder to store them all.
Compliance does not equal security
In a separate article, Thurman asserted the importance of his new motto: “Compliance does not equal security.” Just because merchants have checked all of the boxes on their PCI compliance checklists does not mean that a breach is impossible. PCI DSS is merely a list of standards and decided best practices, but every day, new threats are discovered and new technologies to solve yesterday’s problems emerge. Therefore, businesses should go above and beyond compliance, making an audit process a minor annoyance.
“Remove as much scope from their IT environments as possible.”
Reducing PCI scope
A great way for merchants to make PCI compliance easier is to remove as much scope from their IT environments as possible. Businesses can ensure that only specific roles are accessing certain data and that all unnecessary technologies are taken out of employee workflows. Merchants can also remove scope by leveraging technology. With cloud-hosted payment processing solutions, those service providers must ensure compliance, not their clients.
Tokenization can also remove PCI compliance scope. By obfuscating payment card and personal data with tokens, merchants can allow data to flow a bit more freely without the worry of a data breach. That isn’t to say that tokenization lets organizations become laxer over data security, but rather it makes conducting digital business less stressful.
PCI audits are definitely a scary process. Merchants must prepare or they could catch themselves incompliant and on the hook for fines and fees. By remembering some of the tips explained above, businesses can prevent a lot of heartaches.