Just over half the year is over and it is time to ramp up compliance efforts for the Payment Card Industry Data Security Standard (PCI DSS) version 3.0. Version 2.0 may still be used for assessments only until December 31st, 2014; from January 1st, 2015 every assessment must be against v3.0. So, start the process right away. Whether it is a first-time audit or an audit to prove continuous compliance, it pays to follow a method.
Here’s a comprehensive guide to help you stay organized. If you have any questions, ask for help.
1. Understanding the environment and gaps – keep it internal
With data security and compliance in mind, review your network, systems and cardholder data environment (CDE): where card data enters, where it is stored, processed or transmitted, and which systems connect to those. Use your own IT staff if cost is a factor, but to avoid guesswork bring in someone who has managed systems for PCI compliance before.
2. Determining what you have and what is missing
Start by validating your compliance status against the requirements, for example by working through the self-assessment questionnaire (SAQ) that matches how you accept cards, even if your merchant level will ultimately require a QSA assessment. This is an efficient way to find what you do not yet have in place: it shows which controls are missing in your CDE and also helps you decide where scope can be reduced, for instance by segmenting the CDE from the rest of the network or by not storing card data you do not need.
3. Determining the workload for existing people and understanding the missing skill sets
An IT department might have the resources to dedicate time to collecting evidentiary reports and addressing all the gaps before an auditor comes in. Or the organization might have the time but not the knowledge to deal with the gaps. In that case, hire a knowledgeable third party to address them.
4. Identifying the corporate systems environment and why it makes sense to keep it out of scope
QSAs inspect head-office environments thoroughly if corporate systems such as accounting machines, employee laptops and devices, and HR workstations share the same network as the store systems. Segmentation alone does not remove them from the assessor's attention: if you rely on segmentation to keep corporate systems out of scope, the assessor will verify that the segmentation is actually effective, and PCI DSS 3.0 requires penetration tests of the segmentation controls at least annually and after any change to them (requirement 11.3.4). Done properly, keeping corporate environments out of scope relieves the company of unnecessary security and auditing costs.
5. Dealing with the non-systems requirements in PCI DSS 3.0 – this takes time and requires effort
This covers employee security awareness training, following best-practice methods, and maintaining policies for physical security, access control, and the confidentiality and privacy of customer information. Detailed documentation is a significant part of v3.0 as well.
6. Creating policies and procedures for stores and IT staff
A major portion of PCI DSS 3.0 involves written policies and procedures that every business has to follow; having the policies is not enough, compliance with them is mandatory and the assessor will look for evidence that they are followed. If you are a retailer, the expectation is that you will serve your customers in compliance with applicable laws and standards, and protect their confidential information and the integrity of your systems, data and networks. Written information security policies are how those rules are defined, communicated to staff, and kept current.
7. Getting it all ready before engaging a QSA firm
The above six guidelines are a must if the goal is to make the process less complex and less expensive. Even hiring a third party to help with them will be significantly cheaper than having a QSA come in and start from scratch.
8. The role of Penetration Testing and Risk Analysis, and how to prevent unnecessary costs
Penetration testing (requirement 11.3) is one of the earlier steps in an assessment. It is performed by a qualified internal team or a third party, not necessarily by the QSA firm itself, and the QSA reviews the results. The intent is to simulate a real-world attack with the goal of identifying how far an attacker would be able to penetrate into the environment. This lets an entity understand its actual exposure and develop a strategy to defend against attacks.
Penetration tests cost money. The best way to avoid paying for repeat tests once a QSA is engaged is to keep the environment in continuous compliance beforehand: run vulnerability scans from both inside and outside the network at least quarterly and after any significant change to the environment (requirement 11.2; external scans must be performed by an Approved Scanning Vendor), repeat penetration testing after significant upgrades or configuration changes (requirement 11.3), and fix the findings before the assessor sees them.
9. The role of Incident Response Plan (IRP) and how to develop one for your company
Having an incident response plan is a requirement for an audit (requirement 12.10). The purpose of the plan is to help the company react quickly to a real incident such as a break-in, a breach, a service interruption, or any event that could seriously affect the security of the company or its ability to conduct normal business. The IRP for each company will vary depending on what it classifies as an incident, and it must be tested at least annually.
10. Maintaining continuous logs and making sure you have evidence for looking at logs
Ongoing log maintenance is another critical piece of any audit. A QSA will require logs of patching, of events and activity on the network, of all secure remote access, of firewall changes, and of updates to anti-virus, anti-malware, and file integrity monitoring. PCI DSS requires audit trail history to be retained for at least one year, with a minimum of three months immediately available for analysis (requirement 10.7), and the logs must actually be reviewed at least daily (requirement 10.6); the assessor will ask for evidence of the reviews, not just the logs. These logging practices should be a normal part of ongoing systems management. Logs are also vital in case of a breach, because they record what happened in the environment and make it possible to reconstruct the attack and identify its source.
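One check a practitioner would want before the assessor arrives is whether the log archive really satisfies requirement 10.7. The following is an added example, not code from the original article or from OmegaSecure: it walks an inventory of daily log archives from a central log server and reports any day in the last year with no log at all, and any day in the last three months that is only in cold storage rather than immediately available. The inventory data is constructed here to show both failure modes (a single missing day and only 60 days kept online); the function and parameter names are hypothetical.

```python
from datetime import date, timedelta

# PCI DSS v3.0 requirement 10.7: keep audit trail history for at least one
# year, with at least three months immediately available for analysis.
RETENTION_DAYS = 365
ONLINE_DAYS = 90


def build_sample_inventory(today, online_days_kept, gap_age):
    """Constructed inventory of one log archive per day, keyed by date.
    tier is "online" (searchable now) or "archive" (restored on request).
    gap_age is the age in days of one deliberately missing day, or None.
    Hypothetical data, not from any real log server."""
    inventory = {}
    for age in range(400):
        if age == gap_age:
            continue
        day = today - timedelta(days=age)
        inventory[day] = "online" if age < online_days_kept else "archive"
    return inventory


def check_retention(inventory, today,
                    retention_days=RETENTION_DAYS, online_days=ONLINE_DAYS):
    """Compare the inventory against the retention rule.

    Returns the dates (ISO strings) missing inside the retention window,
    the dates inside the online window that are not immediately available,
    and an overall compliant flag."""
    missing = []
    not_online = []
    for age in range(retention_days):
        day = today - timedelta(days=age)
        tier = inventory.get(day)
        if tier is None:
            missing.append(day.isoformat())
        elif age < online_days and tier != "online":
            not_online.append(day.isoformat())
    return {
        "missing": missing,
        "not_online": not_online,
        "compliant": not missing and not not_online,
    }


def run_sample(online_days_kept=60, gap_age=200):
    """Run the check against the constructed inventory as of a fixed date."""
    today = date(2014, 7, 1)
    inventory = build_sample_inventory(today, online_days_kept, gap_age)
    return check_retention(inventory, today)


if __name__ == "__main__":
    result = run_sample()
    print("compliant:", result["compliant"])
    print("days with no log in the last year:", result["missing"])
    print("days in the 3-month window not online:", len(result["not_online"]))
```

With the defaults the check fails twice: one day (2013-12-13) has no archive at all, and 30 days of the three-month window are only in cold storage. Raising the online window to 90 days and removing the gap makes the same inventory pass, which is the state you want to be able to show the assessor.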
11. Need for centralized management for compliance and systems management – compliance versus remediation
Logs need to be centrally collected, managed and searchable. Stores that keep their own isolated log data are no longer acceptable, and central collection is also what makes the daily review and one-year retention practical to demonstrate. The systems management needed for compliance and for remediation should be centralized as well.
12. First time effort can be expensive but ongoing compliance can be cheap
The list is long, but it will only feel that way the first time around. The following years will be easier, especially if ongoing compliance practices are maintained: keep the logs, scan quarterly both internally and externally, follow the policies to a 'T', deploy the tools necessary to keep up with compliance, and remediate issues as soon as they are discovered.
13. Continuous compliance is now a requirement for PCI DSS 3.0
Centralized and automated systems management is vital to the continuous and proactive maintenance of compliance. Automation and centralized management, such as what OmegaSecure provides, helps take care of compliance assessment, monitoring, alerting, and reporting. In addition, it strengthens protection and reduces the expense and complexity of managing risk, security and compliance.
Call Omega for your systems management, data security or PCI compliance needs. Phone 636-557-7777 or email pci.omegasecure.com.