PCI DSS Compliance: An Overview
The Payment Card Industry (PCI) comprises all credit card providers, including Visa and MasterCard. These entities are required to uphold the integrity of cardholders’ information to prevent any breach. To achieve this, the PCI Security Standards Council (PCI SSC) has formulated standards contained in a document of more than 100 pages.
While complying with the PCI DSS requirements can be overwhelming, it is necessary, since it will enable you to develop stringent measures to store and protect cardholders’ data.
PCI Compliance Scope
When complying with PCI DSS, determining the scope is crucial. You should start by defining the cardholder data environment (CDE). The CDE consists of all the sections and equipment in your organization that are involved in handling, storing, or transmitting cardholders’ data or any other sensitive authentication data. This may include all your computer devices, servers, network devices, and any other application handling the data. Below are specific examples:
- Anything connected to the CDE
- Virtual components including routers, machines, switches, and other appliances
- Security and segmentation services
- Network components
- Internal and external applications
- Servers
Also, your organization should verify the reliability of your compliance reporting systems to ensure that all the vulnerabilities are appropriately managed.
Should I Have Network Segmentation to Be PCI Compliant?
Network segmentation involves isolating cardholders’ data from all other data in your organization. While this is not a PCI DSS requirement, it is strongly advisable, since it eases the implementation process and significantly reduces the risks.
When your network is not segmented, the regulatory body will review everything in your organization, which can be overwhelming. As such, you should ensure that cardholders’ data is kept in as few locations as possible and prepare a document indicating exactly where the data is stored.
Finally, you must prove the segmentation by verifying all the systems involved in transmission, storage, and processing. Ensure that you include experts in the process to prevent complications.
Fitting Wireless Networks into PCI Compliance
Any network system involved in handling individual cardholders’ information should always be treated and tested as part of the CDE. This includes WLANs, websites, and line-busting technology. PCI DSS compliance is less troublesome when wireless technology is integrated into your system only for non-sensitive data.
Can I Use Third-Party Service Providers for PCI DSS Compliance?
Third-party providers pose a significant risk to your data. As such, you should vet all providers adequately before engaging them. Also, ensure that they sign a contract that clearly shows the areas they will cover in ensuring PCI DSS compliance. Use the following methods to evaluate a third party’s compliance:
- Independent annual assessments
- Numerous on-demand assessments requested by each client
If the providers decide to perform their annual assessment, it is your responsibility to evaluate their compliance.
Best Practices Involved in Implementing PCI DSS into Business-as-Usual Processes
Complying with all the PCI DSS requirements strengthens your business processes. According to PCI, you can use the following ways to comply:
- Frequently monitor all the operations
- Ensure you have mitigation controls in place
- Review all changes to the CDE by:
  - Analyzing the PCI DSS requirements triggered by the changes
  - Always updating your scope and controls
  - Evaluating the impacts of organizational changes
- Perform continuous compliance tests
- Always review all your software and hardware. Also, ensure that your vendors comply with PCI DSS requirements
How Should a Qualified Security Assessor (QSA) Sample Business System Components?
If your organization is highly decentralized, you should randomly sample the components to be subjected to the PCI DSS audit. However, you should be careful to ensure that your entire CDE complies with the regulations. As such, you should not exclude sections from the sampling process simply because they are inconvenient. The analysis should include the physical facilities and all the hardware and software components. The samples should be large enough to give an accurate representation of the entire landscape. During sampling, you should consider the following:
- The sample can be smaller only when your systems are highly centralized, and you have standard control processes. If otherwise, you should use a relatively big sample to prove PCI DSS compliance.
- If each segment operates differently, you should ensure compliance of all the processes
- If your organization handles the compliance process independently, you should do your best to use a larger sample that encompasses all your facilities
- Every type of combination that you use in your system must be reviewed. As such, you should ensure that your different types of hardware, platforms, and applications are documented
Immediately after selecting the sample, ensure that you do the following:
- Document your decision-making processes (include the components, sample size, and location)
- Document and verify the sample types (location, business area, and organization’s standards)
- Describe the reliability of the samples
Compensating Controls
You should ensure that you review all your controls and align them with the PCI DSS requirements. Ensure that you are conversant with all the details of where information is stored before you begin the compliance process.
Author Bio
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.