The acronym ‘QSA’ and the term ‘audit’ evoke images associated with fear, anxiety, anger, confusion, expense, exhaustion, and the list can go on. How about ‘hacker’ and the term ‘breach’? Do they conjure up images related to nightmare, exposure, penalty, loss, downfall…? Clearly, we all know who the enemy is and retailers should truly panic only about the never-ending impact of a breach.
A QSA’s job and intentions are not to intimidate but to partner with the retailer by making sure that security is preserved in a business’s card data environment (CDE). With this premise, let’s begin an organized exercise.
What should the retailer expect before bringing in a QSA?
The retailer should expect requests for:
- Policies – Written policies detailing how data is protected, log reports to support them, and evidence showing that what is written in the policy is indeed what’s followed in practice.
- Documentation – Step-by-step written documentation with proof that it is followed.
- Network diagrams, infrastructure, connected devices, wireless connections.
- Review of technologies used, such as firewalls, routers, switches, web servers, application servers, anti-virus, anti-malware, secure remote control access solutions, file integrity monitoring, etc.
- Detailed logs from all store systems, devices and servers.
- All applications, hardware and software that are in scope in the card data environment (CDE).
- Lists of third-party vendors.
- Ongoing records such as internal and external vulnerability scan results for the last few quarters.
- Access to all areas of the business – both physical access and access to documentation/proof of everything listed in the Information Security Policy.
- Incident Response Plan with evidence of execution
- Knowledgeable, dedicated personnel to answer the QSA’s questions.
How should the retailer prepare for the above requests?
Here is a comprehensive list to follow:
- Start by compiling a list of tools and technologies in your infrastructure.
- Do a gap assessment by partnering with a reputable company.
- Get the help of a Security Strategist who knows how to prepare for a QSA audit – remember technology is only a piece of the puzzle. Trained and knowledgeable people are just as important to solving this puzzle.
- Understand the scope of your CDE and the perimeter of your payment card network.
- Be prepared with logs to show at every step of an audit.
- Have an information security policy to use as a guide to help you maintain your company’s data security and PCI compliance. Also have a security awareness program in place to provide ongoing education to employees who deal with data security and to everyone who has access to company confidential data.
- Pay attention to physical security as well. Limit the important areas to only personnel who need access to them.
- Have a verified, well-documented change management process.
- And, last but not least – maintain and follow a strict password usage policy, and use methods such as encryption, truncation, masking, and hashing of cardholder data.
What should the retailer keep track of?
Logs, logs and more logs. The list includes:
- Logs of all access to the CDE, both successful and invalid attempts
- Logs of actions following the login
- Logs of every patch session and critical update
- Logs of anti-virus and anti-malware updates
- Logs of all events and activities
- Logs of remote control sessions
- Logs of firewall activity
- Logs of file-integrity monitoring
- Logs of every event that takes place in the CDE
All logs should be centralized and maintained for at least 365 days on a rolling basis, and you should be generating alerts for critical conditions.
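One way to check the retention and alerting rule above against an inventory of centralized log sources, as an added example that is not part of the original article. The category keys, the tuple layout, the two-day silence threshold and the sample inventory are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Categories drawn from the log list above; the short keys are hypothetical names.
REQUIRED = ["cde_access", "post_login_actions", "patching", "antimalware_updates",
            "remote_control", "firewall", "file_integrity"]
RETENTION_DAYS = 365   # from the text: at least 365 days, rolling
MAX_SILENCE_DAYS = 2   # assumption: a source silent this long is a coverage gap


def audit_log_coverage(sources, today):
    """Return sorted (category, problem) findings for the central log store."""
    findings = []
    window_start = today - timedelta(days=RETENTION_DAYS)
    for cat in REQUIRED:
        matching = [s for s in sources if s[1] == cat]
        if not matching:
            findings.append((cat, "no centralized source"))
        for name, _, deployed, oldest, newest, alerting in matching:
            # A source deployed inside the window is held to its own lifetime only.
            must_reach = max(window_start, deployed)
            if oldest > must_reach:
                findings.append((cat, f"{name}: retained from {oldest}, needed from {must_reach}"))
            if (today - newest).days > MAX_SILENCE_DAYS:
                findings.append((cat, f"{name}: silent since {newest}"))
            if not alerting:
                findings.append((cat, f"{name}: no critical-condition alert"))
    return sorted(findings)


# Constructed inventory: (name, category, deployed, oldest event, newest event, alerting)
TODAY = date(2024, 6, 30)
SAMPLE = [
    ("pos-auth", "cde_access", date(2021, 1, 4), date(2023, 6, 1), date(2024, 6, 30), True),
    ("pos-audit", "post_login_actions", date(2021, 1, 4), date(2023, 11, 15), date(2024, 6, 30), True),
    ("patch-server", "patching", date(2021, 1, 4), date(2023, 5, 1), date(2024, 6, 29), True),
    ("av-console", "antimalware_updates", date(2021, 1, 4), date(2023, 1, 1), date(2024, 6, 10), True),
    ("edge-fw", "firewall", date(2024, 3, 1), date(2024, 3, 1), date(2024, 6, 30), False),
    ("fim-agent", "file_integrity", date(2021, 1, 4), date(2023, 6, 20), date(2024, 6, 30), True),
]

if __name__ == "__main__":
    for cat, problem in audit_log_coverage(SAMPLE, TODAY):
        print(f"{cat:22} {problem}")
```

Running a check like this on a schedule before the audit surfaces missing sources and short retention while there is still time to fix them.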
It’s not that bad
Keep faith that if you have done at least 50% of the prep work for the first year of an audit before your auditor comes in, you will be able to address the rest with the help of an experienced, reputable Managed Security Service Provider. This is inclusive of a pre-audit gap assessment. Year one is essentially a learning experience. By year two, the data security team would know what to provide the auditor, how, and what to prepare for the next audit.
Finally, do not try to get out of a situation by lying to the auditor, providing excuses or arguing. Be direct and ask the QSA for help with clarifications and ambiguous statements that you are likely to come across in the requirements document. A good QSA will gladly help. It pays to do due diligence and research on finding that good Qualified Security Assessor.
Call us for questions or guidance for your compliance audit at 636-557-777. Omega has both the experience and reputation to help you. As a Level 1 certified Managed Security Service Provider Omega works with the retailers’ best interests in mind and can lead you to a successful completion of an audit every year.