Preparation for a PCI DSS Audit
Patrick Mutabazi
SmartCards and Technology Solutions Advisory - Innovation & Emerging Technology | Government Solutions Consultant | Founder & Executive Director | SmartCards Engineer | Data Engineer | QA Auditing Facilitator and Auditor
As noted in my last article about PCI DSS (the Payment Card Industry Data Security Standard), it is an information security standard for organisations that handle branded credit cards from the major card schemes. PCI DSS was set up worldwide to help businesses process card payments securely and to reduce card fraud.
Visa, Mastercard, American Express, and other payment card issuers defined PCI DSS as a worldwide standard to prevent fraud and reduce the possibility of unplanned exposure of credit-card information. In general, the standard applies to all organisations that process information from any payment card branded by one of the issuers involved in creating the standard.
Organisations that want to prove they comply with the standard must undergo a formal assessment. Depending on how many transactions the organisation processes, this assessment is done either by the organisation itself or by an external Qualified Security Assessor (QSA). https://www.securitymetrics.com/pci-audit
To perform an internal assessment, an organisation must complete a PCI DSS Self-Assessment Questionnaire (SAQ). QSAs perform external assessments as formal audits and, in many cases, use automated tools to probe the organisation's applications and networks for weaknesses. Even though compliance with PCI DSS is not enforced by a governmental body, or even by the PCI Security Standards Council itself, organisations that fail to comply can lose their ability to process credit-card payments or face financial penalties levied by the card companies themselves.
Payment Card Industry Data Security Standard (PCI DSS) audits are often seen as a necessary evil, but PCI DSS auditors want you to succeed in both compliance and data security.
SecurityMetrics QSAs' recommendations on how to save time on your next PCI DSS audit and maintain PCI compliance:
https://www.securitymetrics.com/static/resources/orange/how-to-prepare-for-PCI-DSS-audit-ebook.pdf
1. Maintain an accurate network diagram
Accurate network diagrams are vital because they show how your systems interact with card data. Systems in your network that store, process, or transmit card data need to be properly secured and separated from other systems on your network.
Many merchants have big, flat networks with a firewall at the edge and nothing else: everything inside the network is connected to everything else. Flat networks make securing card data extremely difficult because the entire network is in scope for PCI DSS.
To avoid this, create a diagram that shows how cardholder data enters your network, the systems it touches as it flows through your network, and any point at which it may leave your network (e.g., when it is sent to a payment processor). Maintain a diagram for each card flow that exists. Some businesses will have just one flow, but you might also have an additional flow if your website processes payment cards.
The purpose of the flow diagram(s) is to help you understand which systems store, process, or transmit cardholder data. You can examine your actual network and decide how it fits into your card flow diagram(s) by asking yourself:
- How is my network constructed?
- Is there one firewall at the edge of my card-processing environment?
- Is my network segmented internally?
- Does my environment have a multi-interface firewall?
- Do I have multiple firewalls?
You can then make adjustments to your network to make sure it is properly set up.
2. Don't assume you are automatically compliant
PCI DSS is a continually evolving standard. It is designed to ensure that businesses which process, store, or transmit payment card data implement security practices that prevent cardholder data theft. Since the standard was introduced in 2006, the technology and business worlds have changed extensively, and PCI DSS has had to evolve to address new security concerns. For example, when PCI DSS was first established, merchants did not widely use mobile devices to accept card payments.
On January 1, 2015, PCI DSS 3.0 went into effect, and it has already been revised: merchants had until June 30, 2016 to become compliant with PCI DSS 3.1. With a continuously updated standard, you cannot assume that once you are compliant with PCI DSS 3.1 you will remain PCI compliant for the next couple of years.
Paying attention to your PCI scope is also vital for your business. Incorrectly identifying PCI scope is a common compliance issue. PCI DSS defines your scope as "all system components included in or connected to the cardholder data environment" (i.e., the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data). Reviewing your scope tells you whether you need to change business policies and practices.
If you change the way you process cards, or plan to make adjustments to your cardholder environment, consult with your QSA to see the impact it will have on your PCI DSS compliance.
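The scoping rule quoted above ("included in or connected to the cardholder data environment") can be applied mechanically to a card flow diagram. The following script is an added example, not code from the original article or from SecurityMetrics: it models systems and their network links, treats every system that stores, processes or transmits cardholder data as the CDE, walks every unsegmented link outward, and reports what ends up in scope. It also shows what a proposed segmentation control would do to scope before you build it. All hostnames and links are constructed for illustration.

```python
"""Work out PCI DSS scope from a cardholder data flow model.

Added example, not from the original article. It applies the scoping rule the
article quotes, "all system components included in or connected to the
cardholder data environment": every system that stores, processes or transmits
cardholder data forms the CDE, and every system with an unsegmented network
path to a CDE system is pulled into scope as well. All hostnames and links are
constructed for illustration.
"""
from collections import deque

# Constructed inventory: True marks systems that store, process or transmit
# cardholder data (the CDE proper).
SYSTEMS = {
    "pos-terminal": True,
    "payment-switch": True,
    "db-card-vault": True,
    "edge-firewall": False,
    "print-server": False,
    "marketing-db": False,
    "hr-server": False,
}

# Constructed network links: (a, b, segmented). segmented=True means a firewall
# or ACL blocks all traffic between a and b, so scope does not propagate across it.
LINKS = [
    ("pos-terminal", "payment-switch", False),
    ("payment-switch", "db-card-vault", False),
    ("payment-switch", "edge-firewall", False),
    ("edge-firewall", "hr-server", True),
    ("db-card-vault", "print-server", False),  # forgotten flat-network link
    ("print-server", "marketing-db", False),
    ("marketing-db", "hr-server", True),
]


def in_scope(systems, links):
    """Return the set of systems in PCI DSS scope.

    Breadth-first search outward from the CDE systems over unsegmented links.
    """
    adjacency = {name: [] for name in systems}
    for a, b, segmented in links:
        if not segmented:
            adjacency[a].append(b)
            adjacency[b].append(a)
    cde = {name for name, handles_chd in systems.items() if handles_chd}
    scope = set(cde)
    queue = deque(cde)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def classify(systems, links):
    """Split the inventory into CDE, connected-to-CDE (in scope) and out-of-scope."""
    cde = {name for name, handles_chd in systems.items() if handles_chd}
    scope = in_scope(systems, links)
    return {
        "cde": sorted(cde),
        "connected": sorted(scope - cde),
        "out_of_scope": sorted(set(systems) - scope),
    }


def segment(links, a, b):
    """Return a copy of links with the a<->b link marked as segmented.

    Use it to see what a proposed firewall rule does to scope before building it.
    """
    return [
        (x, y, True) if {x, y} == {a, b} else (x, y, seg)
        for x, y, seg in links
    ]


if __name__ == "__main__":
    print("before segmentation:", classify(SYSTEMS, LINKS))
    print("after segmenting db-card-vault/print-server:",
          classify(SYSTEMS, segment(LINKS, "db-card-vault", "print-server")))
```

With the constructed data, the single forgotten link from the card vault to a print server drags the print server and the marketing database into scope; segmenting that one link takes both back out. Running this against your real diagram is a quick way to test the "is my network segmented internally?" question before the QSA does.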
3. Understand your risks
A risk assessment should occur at least once a year and after significant changes to your network, because it identifies threats and vulnerabilities that could negatively affect your business. Risk assessments help you avoid breaches by keeping you up to date with current trends, technologies, and threats. They also give you direction on what your next compliance efforts should be.
Addressing vulnerabilities, in particular, decreases the time during which an attacker can compromise the system (the window of compromise). A vulnerability management plan, which covers antivirus software, patch management, coding practices, and change control, is particularly helpful: it helps you identify, classify, remediate, and reduce future instances of vulnerabilities.
Remember, just because a system is vulnerable doesn't mean it is exploitable, or even likely to be exploited. Some vulnerabilities may require such a large number of pre-conditions that the chance of a successful attack is virtually nil. Identifying the differing levels of exploitability (per the guidelines of PCI DSS Requirement 6) should help an organisation prioritise the actions it takes to improve its IT security, based on each identified vulnerability's perceived threat and risk level.
4. Internal examination
Onsite PCI DSS audits and forensic investigations reveal scenarios that are non-compliant with PCI DSS security requirements. However, QSAs don't fix every possible problem with your network; instead, they show you what is wrong with your network and how to become PCI compliant.
PCI compliance is not an overnight task. An audit goes much more smoothly if you test your own systems throughout the year and correct any errors. Think of compliance like brushing your teeth, and an audit is similar to a dentist’s checkup.
A dentist can tell you if and where you have cavities or other problems, but a dentist won’t be able to manage your brushing habits between check-ups.
Regularly examining and assessing your processes is vital to avoid a breach and its financial consequences. If breached, you might be liable for some or all of the fines (depending on the size of the breach):
5. Talk to your assessor during the year
QSAs see the full range of merchants' and service providers' struggles with PCI compliance. Auditors usually share their knowledge about compliance, and they love to see IT or compliance managers trying their best to keep on top of it. If you hit a few rough patches, an auditor will gladly help.
Communicate with your QSA throughout the year. Within a year, businesses grow, card data environments change, and PCI DSS requirements are revised. QSAs are a great resource to help you plan ahead for your audit.
Whenever there are significant changes to your environment, discuss potential issues or problems with your QSA to avoid the headache of re-implementation. They will often give you advice or warnings about problems they have seen in previous audits.
6. Make sure stakeholders are involved
You need to know exactly where card information is being stored, processed, or transmitted. Requirement 1.1.3 requires merchants to have current cardholder data flow diagrams. Once you know where card information flows and is stored, and which systems it interacts with, you can easily create a card flow diagram that shows how data moves within your environment.
After discovering where systems store, process, or transmit cardholder data, business stakeholders need to get involved with new procedures and with general PCI compliance. For example, ask your staff to find other places where data might be hiding or unknowingly stored.
The following are common areas and departments that store card data:
- Error logs often store unencrypted credit card data: when an error occurs during card authentication or processing, an error log is generally created, and it often contains the full card data.
- Accounting departments usually have processes that store unencrypted data for financial purposes (e.g., refund processes, book balancing, charge reversals).
- Sales departments may unintentionally email or print forms containing credit card numbers.
- Marketing departments may have databases containing transaction data used for market research.
- Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
- Administrative assistants may create a spreadsheet that contains a company's or an executive's credit card number for quick access when making payments.
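Error logs are the first item in that list for a reason: a full card number written into a log line looks like any other number unless you go looking for it. The script below is an added example, not code from the original article or from SecurityMetrics. It scans log lines for primary account number (PAN) candidates, keeps only those that pass the Luhn check the card brands use (so order numbers and timestamps do not trigger it), masks them to the first six and last four digits, and can rewrite a line with the PAN masked so that a remediation pass on existing logs is possible. The log lines are constructed, and the card numbers in them are publicly documented test numbers, not real cards.

```python
"""Find unprotected card numbers hiding in log files.

Added example, not from the original article. It scans text lines for primary
account number (PAN) candidates, keeps only those that pass the Luhn check the
card brands use, and masks them to the first six and last four digits, the
display form PCI DSS permits. The log lines and card numbers below are
constructed; the PANs are publicly documented test numbers, not real cards.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# preceded or followed by another digit (so it cannot match inside a longer
# numeric string).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LOG = [  # constructed log lines
    "2016-04-12 10:31:02 ERROR auth declined for card 4111111111111111 exp 12/19",
    "2016-04-12 10:31:05 INFO order 1234567890123456 shipped to customer 88231",
    "2016-04-12 10:32:40 ERROR gateway timeout, retrying PAN 5555 5555 5555 4444",
    "2016-04-12 10:33:01 INFO token tok_8f31a2c9 charged 49.99 USD",
]


def luhn_valid(digits):
    """Luhn mod-10 check over a string of digits (rightmost digit is the check digit)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the masking PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_from_match(match):
    """Return the digits of a regex match if they form a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(line):
    """Return the Luhn-valid PANs (digits only) found in one line."""
    found = []
    for match in _PAN_CANDIDATE.finditer(line):
        pan = _pan_from_match(match)
        if pan is not None:
            found.append(pan)
    return found


def scan_log(lines):
    """Return (line_number, masked_pan) for every PAN found; line numbers start at 1."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((number, mask_pan(pan)))
    return findings


def redact_line(line):
    """Replace Luhn-valid PANs in a line with their masked form; other numbers are untouched."""
    def _replace(match):
        pan = _pan_from_match(match)
        return mask_pan(pan) if pan is not None else match.group(0)
    return _PAN_CANDIDATE.sub(_replace, line)


if __name__ == "__main__":
    for number, masked in scan_log(SAMPLE_LOG):
        print(f"line {number}: unprotected PAN {masked}")
```

On the constructed sample, lines 1 and 3 are reported (the second with its spaced-out number normalised), the 16-digit order number on line 2 is correctly ignored because it fails the Luhn check, and the tokenised transaction on line 4 produces nothing, which is the state every line should be in. The same scan applied to exported spreadsheets and mailbox archives covers the accounting, sales and administrative hiding places in the list above.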
7. Keep documentation updated
Keeping documentation updated can be a pain for most businesses. Some companies or departments may see it as another burden. However, proper documentation protects your organisation, especially by keeping your security processes transparent and in order. Make sure documentation is regularly updated at least on a quarterly basis.
Additionally, PCI DSS 3.0 added many new requirements about documentation. Some of the new PCI requirements are:
- 1.1.3 requires a cardholder data flow diagram showing how cardholder data enters and leaves your network.
- 2.4 discusses creating an inventory list of all your in-scope device types and their function (e.g., POS systems and computers).
- 9.9.1 requires an up-to-date list of all devices, including physical location, serial numbers, and make/model.
- 11.1.1 involves maintaining a complete list of authorised wireless access points and the justification for each.
- 12.8.5 requires a list of all third-party service providers used, the PCI requirements the service providers handle, and the PCI requirements the merchant is required to meet.
Most importantly, you should document when changes occur for your business policies or card data environments (e.g., security policies, software/hardware, firewall/router, diagram, etc.). These changes might alter your PCI compliance implementation.
8. Assign a compliance leader
PCI compliance is not just ticking "yes" to all the Self-Assessment Questionnaire (SAQ) questions (even though many merchants likely do this). Actual compliance requires you to implement each of the listed items.
Yes, PCI can be time-consuming and difficult at times. That is why it is best to assign a person (a Compliance Officer) to be responsible for PCI compliance, and this individual should be given enough resources and time to handle PCI compliance adequately. https://blog.securitymetrics.com/2016/04/system-hardening-standards-pci-22.html
Compliance officers need to be able to challenge and correct business procedures and policies.
In preparation for an audit, compliance officers or project leads ideally have:
- An understanding of audit security jargon
- A transparent and eager attitude towards the auditor's questions and suggestions
- A ready-made PCI audit checklist, complete with questions to ask the auditor
- Last year's ROC printed out for them
- Documentation on how the environment is coping with recent vulnerabilities
- Conversations with key stakeholders behind them, to help those stakeholders understand the organisation's risks
- Regularly checked event logs
- Documentation on how third-party security risks are mitigated
- An understanding of PCI DSS 3.1
- An understanding of your PCI DSS scope
Hardening documents that meet PCI DSS requirements
One of the most tedious Payment Card Industry Data Security Standard (PCI DSS) requirements is Requirement 2.2. It involves system hardening, which ensures that system components are strengthened as much as possible before they are put into the network. A hardening document is part of this requirement.
Your QSA wants to know and see that you did your research and applied appropriate settings to each system. The auditor compares the hardening document with the current configuration on the system; any difference between the document and the configuration will result in non-compliance with PCI DSS.
How to produce a good hardening document that meets PCI DSS requirements:
1. Be specific
Write a document about how your specific technology is implemented in your PCI DSS environment. Include every command or setting configured on the system, together with its specific value.
2. Be prepared
Know the best practices of industry-accepted system hardening standards such as those from the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin, Audit, Network, and Security (SANS) Institute, and the National Institute of Standards and Technology (NIST). Also include the recommendations of all your technology providers.
3. Use references
When choosing the value of each setting, consider all PCI DSS requirements. It is useful to add a reference to the relevant PCI DSS requirement next to each setting, especially for future document updates.
4. Think big
Do not limit the document to the PCI DSS standard alone. Think of a document that is useful for getting your systems into top condition.
5. Use correct data
Last but not least, include the following data in your hardening document: name and version, date, change control reference, responsible owner, modified by, reviewed by, approved by, date of change, and scope.
Documentation is key to system hardening. Make sure you update the document when changes are made. It’s important to keep track of why you chose certain hardening standards and the hardening checklists you’ve completed. If you decide to change an aspect of your environment and already have the documentation for existing systems, you’ve cut out hours of time-consuming research.
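The comparison the QSA performs (hardening document against live configuration, any difference is a finding) and the advice in step 3 (a PCI DSS requirement reference beside each setting) can be automated so you find the drift before the auditor does. The script below is an added example, not code from the original article or from SecurityMetrics. The hardening document is a constructed dictionary with the metadata fields from step 5, the configuration snapshot is a constructed sshd_config-style file, and the hostname is made up. The requirement numbers in it are the sub-requirements of PCI DSS 3.1 Requirement 2.2 as this example's author understands them; check them against your own copy of the standard before reusing them.

```python
"""Compare a hardening document against a live configuration snapshot.

Added example, not from the original article. The article says the QSA
compares the hardening document with the current configuration on each system
and treats any difference as non-compliance, and that each setting should carry
a reference to the PCI DSS requirement it satisfies. This script does that
comparison for a key/value configuration file. The baseline, the configuration
snapshot and the hostname are constructed; the requirement numbers are the
sub-requirements of PCI DSS 3.1 Requirement 2.2 as the author of this example
understands them and should be checked against your own copy of the standard.
"""
from collections import namedtuple

Deviation = namedtuple("Deviation", "setting expected actual reference")

# Constructed hardening document for an OpenSSH daemon on a CDE host.
# Metadata fields follow the article's step 5 ("use correct data").
BASELINE = {
    "name": "sshd hardening standard",
    "version": "1.3",
    "date": "2016-05-01",
    "change_control": "CHG-0042",
    "responsible": "platform security team",
    "scope": "all CDE Linux hosts",
    "settings": {
        # setting: (expected value, PCI DSS requirement reference)
        "PermitEmptyPasswords": ("no", "2.2.4"),
        "PermitRootLogin": ("no", "2.2.4"),
        "PasswordAuthentication": ("no", "2.2.4"),
        "X11Forwarding": ("no", "2.2.5"),
        "MaxAuthTries": ("4", "2.2.4"),
        "ClientAliveInterval": ("900", "2.2.4"),
    },
}

# Constructed snapshot of /etc/ssh/sshd_config pulled from host "cde-app-01".
CURRENT_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitEmptyPasswords no
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
"""


def parse_config(text):
    """Parse 'Key value' lines, ignoring blanks and comments; keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def compare(baseline, current_text):
    """Return every setting whose live value differs from the hardening document.

    A setting missing from the live configuration is reported with actual=None:
    the document says what it must be, and the daemon default may not match.
    """
    current = parse_config(current_text)
    deviations = []
    for setting, (expected, reference) in baseline["settings"].items():
        actual = current.get(setting.lower())
        if actual != expected:
            deviations.append(Deviation(setting, expected, actual, reference))
    return sorted(deviations)


def unreferenced(baseline, current_text):
    """Live settings the document does not mention; candidates for the next revision."""
    documented = {s.lower() for s in baseline["settings"]}
    return sorted(k for k in parse_config(current_text) if k not in documented)


if __name__ == "__main__":
    print(f"{BASELINE['name']} v{BASELINE['version']} vs cde-app-01")
    for d in compare(BASELINE, CURRENT_CONFIG):
        print(f"  {d.setting}: expected {d.expected!r}, found {d.actual!r} (PCI DSS {d.reference})")
    print("  not covered by the document:", unreferenced(BASELINE, CURRENT_CONFIG))
```

On the constructed snapshot this reports four deviations (root login and X11 forwarding enabled, a looser MaxAuthTries, and an idle timeout that is documented but not configured at all), each tagged with the requirement reference from the document, and flags Port as a live setting the document is silent about. Running it from change control, every time a CDE host is modified, keeps the document and the system in step, which is exactly what the auditor checks.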
In conclusion, PCI DSS compliance should not be just a once-a-year task to check off. In fact, you are required to maintain PCI compliance every second of every day. To help with compliance, keep in contact with your QSA throughout the year, especially when you are planning any changes to your cardholder data environment.
Credit: SecurityMetrics QSAs
Credit: Gary Glover, Matt Glade, Tod Ferran, Dustin Rich, Michael Simpson, Brand Barney, Trevor Hansen, Thomas McCrory