Does your organization have a good grasp of PCI compliance?
Do you know if your organization has best practice standards in place? If not, you should explore some well-established PCI compliance strategies.
First, it is important to establish a solid understanding of what it means to be compliant. The term PCI compliance is used loosely to describe an organization’s status with respect to the control objectives in the Payment Card Industry Data Security Standard (PCI DSS) or another PCI standard. However, when an organization is trying to communicate this status to its executive management and business partners, it helps to understand the nuances between compliance and validation requirements.
Compliance is not a point-in-time achievement. Each organization that falls under the PCI DSS requirements should work to achieve and sustain compliance with the standard by addressing all the control objectives in the DSS. The PCI DSS includes a comprehensive list of control objectives that an organization must meet on an ongoing basis. The controls apply to the entire card data environment, which is defined by the PCI Security Standards Council as the “area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage or transmission.”
Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance, which requires entities to verify and demonstrate their compliance status. Each card brand has prioritized and defined levels of compliance validation based on the volume of transactions and on the potential risk and exposure that merchants and service providers introduce into the payment system.
The validation exercises are generally a combination of audit activities and technical validation activities. The audit activity can consist of an annual onsite assessment conducted by a qualified security assessor (QSA), or a self-assessment questionnaire. Additionally, each card brand has reporting requirements that direct the QSA, merchant or service provider to submit the appropriate documentation for review.
When looking to achieve compliance and pass an audit, three sound strategies can help limit your card data environment. The advantages to this are pretty straightforward:
- Reduce the risk to card data.
- Reduce the portion of your environment that must adhere to the DSS.
- Limit the area of the organization susceptible to audit, reducing audit cost and complexity.
Organizations of all sizes have struggled with PCI compliance, and this struggle has resulted in the identification of The Big Three. These three approaches have been employed as strategic methods for achieving compliance. While the tactical details must still be addressed within any CDE that remains, picking one or more of these compliance strategies as cornerstones of your program will lead to success.
The first thing every organization should ask when faced with the PCI compliance challenge is whether the cardholder data in question is required for business. Working with a QSA to evaluate data may result in a significant reduction to the scope of your card data environment.
Once you’ve eliminated unnecessary data, each remaining business process should be reviewed to determine whether outsourcing the payment card function is feasible or desirable. In cases where outsourcing can be done with relatively low overhead and impact, it should be considered. Removing or outsourcing payment card processes has an immediate impact on the risk to your business and the cost of compliance.
In general, implementing adequate network segmentation can reduce the scope of the PCI DSS assessment if it isolates systems that store, process or transmit cardholder data from other systems. This segmentation has traditionally been implemented through the use of network firewalls and devices with adequate access control lists such as switches and routers.
This traditional network architecture approach to segmentation is very effective at reducing the risk to cardholder data and the size of your card data environment.
In the real world, it can be difficult to separate business processes and applications into tidy network segments. Inevitably one or more business systems will require access into the payment card segment, opening the architected solution up to scrutiny. Implementing virtual segmentation solutions in lieu of, or in addition to, traditional architecture solutions may be the missing link.
Virtual segmentation can include host-based firewalls, internal VPN tunneling, two-factor authentication mechanisms and more. Using the full spectrum of security controls available to segment the card data environment is worth it when you consider the reduction of risk and cost to the organization.
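The segmentation described above only reduces scope if the firewall and ACL rules that bound the card data environment really do restrict every flow into it. The following script is an added example, not code from the article: it audits a constructed, simplified permit-rule list (`permit <proto> <src> <dst> <port|any>`) against a hypothetical policy that names the only sources and ports allowed to reach a hypothetical CDE subnet, and reports every rule that would widen that boundary. The subnets, rule syntax and policy are all assumptions chosen for illustration.

```python
"""Audit permit rules against a card data environment segmentation policy.

Added example, not from the article. The rule syntax, subnets and policy
below are constructed sample values, not a real vendor format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical CDE subnet and the only inbound flows approved to enter it.
CDE_NET = ipaddress.ip_network("10.99.0.0/24")
ALLOWED_INBOUND = {
    ipaddress.ip_network("10.20.0.0/24"): {("tcp", 443)},  # payment web tier
    ipaddress.ip_network("10.50.0.10/32"): {("tcp", 22)},  # administrative jump host
}

# Constructed sample ruleset in the simplified format this script understands.
SAMPLE_RULES = """
permit tcp 10.20.0.0/24 10.99.0.0/24 443
permit tcp 10.50.0.10/32 10.99.0.0/24 22
permit ip 10.0.0.0/8 10.99.0.0/24 any
permit tcp 10.30.0.0/24 10.99.0.0/24 1433
permit tcp 10.20.0.0/24 10.40.0.0/24 80
permit tcp 10.20.0.0/24 10.99.0.0/24 any
"""


@dataclass
class Rule:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means "any" port
    text: str


def _net(token: str) -> ipaddress.IPv4Network:
    """Translate the keyword 'any' into the whole address space."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Parse non-empty 'permit <proto> <src> <dst> <port|any>' lines."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "permit":
            continue  # deny rules and other lines do not widen the boundary
        _, proto, src, dst, port = fields
        rules.append(Rule(proto.lower(), _net(src), _net(dst),
                          None if port == "any" else int(port), line.strip()))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule text, reason) for every permit that over-exposes the CDE."""
    findings = []
    for r in rules:
        if not r.dst.overlaps(CDE_NET):
            continue  # the rule never reaches the CDE, so it is outside this check
        # A source is approved only if it sits entirely inside an approved network.
        approved = next((ports for net, ports in ALLOWED_INBOUND.items()
                         if r.src.subnet_of(net)), None)
        if approved is None:
            findings.append((r.text, "source is not an approved CDE client network"))
        elif r.port is None or (r.proto, r.port) not in approved:
            findings.append((r.text, "protocol/port is not approved for this source"))
    return findings


if __name__ == "__main__":
    for text, reason in audit(parse_rules(SAMPLE_RULES)):
        print(f"FINDING: {text}  ->  {reason}")
```

Run against the sample ruleset, the script flags the `10.0.0.0/8 ... any` rule (a supernet of an approved source is not itself approved), the `1433` rule from an unlisted subnet, and the `any`-port rule from the web tier; the rule between two non-CDE subnets is ignored. The same check can be scheduled against exported rule tables so that a change that quietly widens the segment is caught before the next assessment rather than during it.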
For some organizations, especially those that maintain large numbers of business processes and applications with access to cardholder data, the options of data removal and segmentation may not be enough, or may not be the most cost-effective choice.
Consider in your analysis the idea of simply replacing the card data with a randomized token. If the primary account number (PAN) is no longer associated with the cardholder name, expiration date or other pieces of sensitive information, then it is no longer subject to the PCI DSS.
Many organizations have effectively deployed both commercial and in-house-developed applications designed to accept a credit card number and return another number that looks and acts like a credit card number, but would provide no value to an intruder.
The primary advantages of this option are two-fold. It reduces the location and magnitude of card data stores, and it provides a compliance solution for end-of-life applications. This tokenization process is complex to develop and deploy but effective in remediating disparate and aging systems.
Leveraging one or more of these strategies is the best approach to protecting customers’ card data, reducing risk and limiting audit requirements. Once complete, implementing the tactical controls necessary to comply becomes much more manageable and cost effective. It is a critical first step in most successful PCI compliance remediation programs, and one that will position your organization for sustainable compliance.
This article originally appeared in the June 2010 issue of Network-Centric Security.