Lessons from the Trenches: How You Can Better Prepare for a PCI 3.1 Assessment

It is widely known that the breadth of changes from Payment Card Industry Data Security Standard (PCI DSS) version 2.0 to the current version, 3.1, has increased the time and effort necessary to conduct an assessment. What is less understood is that the prep work required of your organization before the audit even begins has also become more prescriptive and time-consuming.

To help organizations more effectively ready themselves for a PCI DSS 3.1 assessment, we reached out to our team of Trustwave qualified security assessors (QSAs) in the field. These men and women with deep experience conducting PCI audits offer you these five helpful suggestions:

Assign an owner for the process

A first step toward PCI compliance is to assign responsibility for the process and development of a timeline to someone in your company. Midsize companies that don't have a dedicated compliance officer or compliance team should identify a lead person to read and understand the latest version of the standard, PCI DSS 3.1 (PDF), and determine the company's timeline for completing compliance validation. The designated person should consider the ramifications of the new requirements and work backward from there to form the compliance timeline. In addition to the PCI DSS 3.1, the template for Report on Compliance (PDF) - available for free on the PCI Security Standards Council (SSC) website - will tell you what your QSA is going to need in terms of documents to reference, individuals to interview and things to observe.

Identify recurring requirements

The PCI DSS calls for multiple recurring activities that must be performed. The PCI Security Standards Council, which manages the requirements, is increasing its focus on recurring processes and the fact that compliance isn't a point-in-time activity, it's built on solid security and compliance monitoring practices that you perform all year. The aforementioned reporting template can help you identify the processes that must be regularly completed for review by your QSA (for example, the quarterly internal and external vulnerability scanning, semi-annual firewall review and annual penetration testing).

PCI DSS 3.1 has more specific guidance and requirements about some of the mandated recurring processes. For example, specified aspects of penetration testing took effect on June 30. To learn more about them, you can go to Section 11.3 of the reporting template to understand the details of the new penetration testing requirements that your QSA must review.

Developing and maintaining a schedule for all recurring tests and other activities for your organization emerges as a key capability for maintaining a secure posture and being able to demonstrate compliance. Evaluate the compliance processes that must occur throughout the year and assign an owner within your organization to make sure that they occur as planned.

Fully scope and document your cardholder environment

Before you bring in your QSA to begin the PCI assessment, make sure that you understand the scope of your environment, which includes the flow of cardholder data, all the locations it may be stored and any connected systems that impact the cardholder data environment (CDE). This must be done at least annually.

Evaluating the scope accurately is critical because it is the first thing your QSA will review. If areas that need to be included are left out, the assessment process may have to stop. To define your PCI DSS scope accurately, follow these steps: 

  •  
  • Identify and document the existence of all cardholder data in your CDE 
  •  
  • Verify that no cardholder data exists outside your defined CDE. This step is easy to overlook - but is critical 
  •  
  • Verify and document your PCI DSS scope with diagrams or an inventory of cardholder data locations 
  •  
  • Take action to ensure the integrity of your CDE. For any cardholder data found outside the defined CDE, securely delete it, migrate it, or redefine your CDE to include this data 
  •  
  • Maintain this documentation of the scope determination for QSA review

Document your network

Another key responsibility for you in preparing for your assessment is ensuring that your network diagram is current and includes the necessary details required for PCI DSS 3.1 compliance. Be sure to include how any network segmentation is implemented, specifically which individuals and groups have access to what kinds of information and how that segmentation is accomplished. Make sure that no one has access to cardholder data unless necessary. For example, the data that the HR team is able to access should be different than the access granted to the Help Desk. Consider additional layers of protection to ensure appropriate access controls.

Another network topic is the use of secure protocols. PCI DSS 3.1 requires that organizations replace SSL and early versions of TLS protocols as soon as possible and no later than June 30, 2016. Until then, your network diagram should include documentation of where and how the SSL and early versions of TLS protocols are being used. You also must be able to provide a Risk Mitigation and Migration Plan (a template for which can be found here). This document needs to detail your plans for migrating to a secure protocol and also describe controls you have in place to reduce the risk associated with SSL/early TLS until the migration is complete. Provide the plan both to your QSA and approved scanning vendor (ASV) if your external quarterly scans have detected any implementation of SSL or early TLS protocols.

Document the responsibilities of partners

The updated PCI standard requires you to clarify your roles and responsibilities with your service providers and third-party vendors. You need to explicitly map out who has responsibility for addressing the specific requirements in areas where you use service providers. When you have purchased managed services, you must understand how you are working with your service provider to address the required security controls.

PCI DSS compliance is ultimately your organization's responsibility, and achieving a secure, compliant posture goes beyond completing an annual assessment. Trustwave can act as your trusted advisor to assist you in establishing the tools and processes necessary to be secure and compliant.

UPDATE (Jan. 19, 2016): The Payment Card Industry Security Standards Council (PCI SSC) announced in December that it is extending the migration completion date to June 30, 2018 for transitioning from SSL and TLS 1.0 communication protocols to a secure version of TLS (currently v1.1 or higher). The new date of June 2018 (replacing the June 2016 deadline) offers additional time to migrate to the more secure protocols, but waiting is not recommended.

Dixie Fisher is compliance product marketing manager at Trustwave. J. Andrew Brinkhorst, director of product management for global compliance and risk services at Trustwave, co-authored this post.

 

 

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.