Author: Nitin Bhatnagar
Understand and implement the PCI Data Security Standard requirements effectively by choosing a Qualified Security Assessor (QSA) in good standing, recognized by the PCI Security Standards Council (PCI SSC).
A recent global card fraud of $45 million, which affected many Indian and international banks and is said to be linked to the hacking of large card processors in the U.S. and India, has raised an alarm across the entire industry: we have to re-think security and not just compliance. The card processors were said to be following the Payment Card Industry Data Security Standard (PCI DSS), which is intended to safeguard cardholder data. Yet the majority of companies are still not in full compliance with PCI DSS. The standard is very effective in reducing breaches if we understand the intent behind each requirement and implement them properly, with the support of a Qualified Security Assessor in good standing in the market.
“Security and not just compliance”: as industry security specialists we should accept the fact that we have lost sight of the importance of information security and have started focusing on compliance alone, compromising security because of cost, lack of technical expertise and slow adoption of new technologies.
Payment card processors, merchants, banks and payment gateways are usually expected to comply with the Payment Card Industry Data Security Standard (PCI DSS), a code of security best practice designed to guard against external and internal attacks and to prevent attackers from penetrating the network, database and application servers to obtain cardholder details.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard aimed at creating an additional level of protection for card issuers and acquirers by ensuring that merchants, third-party payment processors and payment gateways meet a minimum level of security while storing, processing and transmitting cardholder data.
The PCI DSS audit should always be seen as a security consulting assessment rather than just an audit to obtain a certificate. A successful engagement starts with choosing the right Qualified Security Assessor: the organization should select one who convinces you with their competence and has the bandwidth to work well with your team. Never hide any facts or past history from your Qualified Security Assessor.
There are a few things to keep in mind when hiring a Qualified Security Assessor to conduct PCI DSS audits.
Five Finest steps to select a Qualified Security Assessor (QSA)
First and foremost, it is vital to research and identify a Qualified Security Assessor organization that has a good standing in the market; this can be verified on the PCI SSC website. Avoid simply going with the lowest-cost vendor. A Qualified Security Assessor with a higher quote may actually end up saving you money in the long run.
Second, reference checks on the Qualified Security Assessor organization from companies in your industry that have worked with them will help you a great deal in reaching a sound decision.
Third, if your vendor guarantees that you will be compliant within 6-8 months and commits to a fixed date, be cautious about that person or company immediately. If you select them and a breach happens, you are the one who will be held responsible for the breach, and the damage will be to your company’s reputation and market share.
Fourth, the engagement should be structured so that the Qualified Security Assessor consultant is onsite and dedicated to conducting the assessment and providing remediation support to the organization, which greatly improves the chances of getting the organization compliant; work such as drafting and reviewing documentation can be done remotely. It is advisable to use a local Qualified Security Assessor, which avoids the extra travel cost of flying in QSA consultants that would otherwise add to the project.
Fifth and last, you should interview the Qualified Security Assessor face to face and look for the following qualities that a security specialist should possess:
- The ability to think logically and analyse complex problems
- Decisiveness, creativity and flexibility
- A problem solver, not a problem creator
- Trustworthiness and reliability
- The ability to communicate with other stakeholders in the organisation, along with project management skills
- An intense interest in keeping up to date with new developments in technology
How to obtain PCI DSS compliance
PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data. Banks, merchants and service providers should develop a data retention and storage policy that strictly limits the amount of data stored and the retention time to what is required for business, legal and regulatory purposes. Sensitive authentication data must not be stored after authorization, even if it is encrypted.
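As an added example (not from this article or any PCI SSC material), a small scanner that checks stored files or logs for cardholder data that Requirement 3 says should not be there: it finds Luhn-valid PAN candidates, flags track-2 style data (a PAN followed by "=" and expiry/service-code digits, which is sensitive authentication data), and masks each finding to the first six and last four digits for reporting. The log lines and card numbers are constructed test values.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the card numbers are well-known test values.
SAMPLE_LOG = """\
2013-06-01 10:15:01 INFO order=7781 status=approved
2013-06-01 10:15:02 DEBUG auth request pan=4111 1111 1111 1111 exp=1512
2013-06-01 10:15:02 DEBUG track2=5555555555554444=15121010000000000
2013-06-01 10:15:03 INFO ref=1234567890123456 settled
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, masked_pan) for every Luhn-valid PAN found.

    kind is "TRACK2" when the PAN is immediately followed by '=', the track-2
    layout (PAN=expiry, service code, discretionary data); that is sensitive
    authentication data and must never be stored after authorization.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue
            kind = "TRACK2" if line[m.end():m.end() + 1] == "=" else "PAN"
            findings.append((n, kind, mask_pan(digits)))
    return findings

if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {kind} {masked}")
```

Run against real log or database exports, a TRACK2 finding is a Requirement 3 violation to remediate, while a PAN finding means the data must either be justified by the retention policy or purged.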
Stage 1 – How to get started with PCI-Compliance Audit – Detailed Scoping
One of the first steps in PCI compliance is to document the flow of cardholder data. A cardholder data matrix has to be prepared for the different applications, systems and network components. It is essential to document all cardholder data flows before beginning any assessment activities.
It is also very important to review any past history of breaches, any investigation conducted by a PFI or other external third party into internal or external fraud, and the internal information security audit reports.
Stage 2- Reduction in Scope
The golden rule for achieving PCI compliance is to limit the scope of the audit. Limiting the scope requires an attentive review of the network architecture and design, and detailed documentation of cardholder data and application flows.
This will help the business achieve and maintain PCI compliance in the long run. If the scope is not reduced, the complete network, all system components and every application through which card information flows in your environment come within the purview of the PCI audit and its requirements.
Stage 3- Gap Assessment and Implementation
Once the scope is established and agreed, conduct the gap assessment. The next step is to validate whether all PCI requirements are satisfied.
Build a remediation plan to address non-compliant findings with the help of the Qualified Security Assessor. Implement the required controls, update or modify policies and procedures, revise the information security policy, validate the compliance status of third parties if card-related processing has been outsourced, put proper network segmentation in place, and review application testing reports and incident response reports.
Implement file integrity monitoring on log servers, and IDS/IPS systems at the perimeter to monitor traffic into the cardholder data environment.
Stage 4- Perform Wireless Scan/Vulnerability Assessment and Penetration Testing (Internal and External – Both Network and Application Layer)
Create a process for wireless scanning. The method used must be “adequate” to detect and identify unauthorized (rogue) wireless access points.
Internal and external vulnerability scans should be performed quarterly, and the issues identified must be remediated immediately. Re-scans should be repeated until passing results are obtained with all “High” vulnerabilities resolved. Internal and external penetration testing should be performed annually; exploitable vulnerabilities found must be taken seriously and remediated immediately.
Stage 5- Validation of PCI-Compliance
Invite the Qualified Security Assessor to conduct an onsite review, and/or complete the Self-Assessment Questionnaire applicable to your merchant or service provider level. Submit the Report on Compliance or Self-Assessment Questionnaire, with the Attestation of Compliance, to your acquiring bank (for merchants) or to Visa (for service providers).
Stage 6- On-going Compliance Supervision and Staying Compliant
The security controls laid down must be maintained and their continued operation verified to ensure on-going compliance. “Safe harbor” is a defence available to organizations that can demonstrate they were in complete compliance with the PCI DSS standard at the time of a breach.
Proactive steps have to be taken towards compliance with the RBI circular dated 27-02-2013 and the payment brands’ (Visa/MasterCard) mandate, with planned milestones set at the earliest. Establishing, controlling and monitoring your security posture, enhancing and cultivating information security best practices for card data in your organization, and initiating the exercise in good time will help attain customer confidence and avoid financial losses, lawsuits and non-compliance fees.