PCI-DSS Compliance

PCI is a complex requirement that has an impact on most areas of the business, not just the technical or IT focused locations. Therefore, it is important to make sure that any methodology that is used to service your programme has been tried and tested. PTP’s overall approach and the services it offers to achieve PCI compliance are as follows:

At the start of any PCI programme the most important thing is to understand the requirements of PCI DSS. PCI-Secure has found that the most common mistakes that are made at the start of any PCI DSS programme are:

1. Not understanding payments or payment processing;
2. Misunderstanding the PCI DSS ethos: This is a business obligation with technical controls not the other way round;
3. Not engaging senior management sponsorship;
4. Not engaging key stakeholders from the business;
5. Not forming a governance model and steering group;
6. Misunderstanding PCI DSS terminology and requirements;
7. Failure to evolve as security and the standard changes;
8. Scope of PCI DSS environment is incorrect (technical and process controls);
9. Not removing or reducing the scope significantly enough to reduce the risk or cost of compliance;
10. Not engaging a QSA at the appropriate times of the programme.

Given PCI-Secure’s experience in this area we would recommend following the approaches in this paper. Remember these are recommendations and you should speak to one of our consultants to tailor these requirements to your business.

Project Initiation

We will commence the project with an initial meeting to conduct the Project Initiation Confirmation in order to cover the following:

• Confirm the scope of the project and agree appropriate terms of reference, objectives and deliverables;
• Agree relevant contacts and reporting lines;
• Identify the staff involved;
• Obtain relevant documentation;
• Discuss any issues that need to be handled sensitively during the project.

PCI Presentation

The first part is to conduct a PCI education presentation for you and the key stakeholders to achieve the following:

• Understand what PCI DSS is and requires;
• Understand the options that you have (this is real world information and what you actually need to know);
• Understand why the banks and card schemes require PCI DSS compliance;
• Understand what happens if you don’t do it or if you have a compromise;
• Understand what the standard is, how it came about and how it is constructed;
• Start to understand the implications that this may have to your business;
• Look at the pragmatic things you can do, quick wins and those that will take longer;
• Understand how PCI-Secure can help and what your next steps need to be;
• Ask the questions that you want answers to.

This is a vendor neutral presentation and PCI-Secure work for you, not your acquirer or the card schemes.

Discovery Workshops

We will follow on with an on-site workshop aimed at understanding your business, how you operate, how you take payment and the resources that you have available. We would envisage covering:

• Review the business operations, countries and what you do;
• The construction of the legal entities that you trade from;
• Confirm how you take payment and look at the specifics of the payment flows (if available);
• Discuss the operational and technical structure of the company;
• Look at the network diagrams and the technology that is used;
• Discuss any network segmentation mechanism employed;
• Discuss any wireless implementations;
• Discuss any third parties that are used and the services that they provide;
• Understand areas where our advice is required going forward;
• Answer any questions you might have.

We would typically expect the following individuals/roles to attend the workshop:

• Project sponsor;
• Compliance manager;
• IT systems and network manager / expert;
• Development manager / expert;
• Finance representative that handles refunds, chargeback’s and card processing accounting;
• Legal representative that knows the companies structure;
• IT software development staff;
• Physical security expert;
• Those responsible for Information security policy, training and awareness and security incident management if they exist.

This list is not exhaustive and we would clarify and confirm who would need to be involved prior to the workshop. 

Scoping Study

We will follow on with onsite workshops or conference calls aimed at understanding your cardholder data environment. We would envisage covering:

• Confirm current payment channels and review cardholder data flows through your systems;
• Discuss your cardholder data environment and its scope;
• Review your strategy (including outsourcing) and any plans for implementation within the cardholder data environment;
• Discuss network segmentation mechanism(s) employed;
• Review any compensating controls;
• Delineate responsibilities of third party service providers, requirements relevant to them, and their current compliance status.

We would typically expect the following individuals/roles to attend the workshop:

• Project sponsor;
• Compliance manager;
• IT systems and network manager / expert;
• Key business manager / expert who has an overall picture of how cardholder data is used in the organisation;
• IT software development staff;
• Physical security expert;
• Those responsible for Information security policy, training and awareness and security incident management if exist.

Some of these areas may not be relevant based on the services that are provided. However, it is important to ensure that all aspects of cardholder data security are considered. Once the scope has been confirmed this will allow accurate documentation of the ‘AS IS’ payment flows and the risk associated, and to each system component involved.

‘AS IS’ Payment flow diagrams and Heat Map

The information gained in the scoping study workshop will enable the QSA to produce a Payments Flow Diagram. The Payments Flow Diagram will clearly identify the route that cardholder data takes through your environment and any systems that it interacts with.

After completing the Payment Flow Diagram, the QSA will then be able to identify the areas where the greatest risk is present. The payment flow systems and flows will be colour coded to show:

1. Where Sensitive Authentication Data (SAD) is stored (shown as purple);
2. Where PAN is stored or transmitted in clear text (shown as red);
3. Where PAN is transmitted encrypted (show as orange);
4. Where incidental pollution occurs (shown as green);
5. Where systems are connected to the CDE (shown in blue);
6. Where systems are out of scope (shown in white).

Once these areas are documented then the consultant can start to develop their ideas on the best methodologies that will reduce the scope of the environment to the smallest possible footprint, while still allowing you to operate as a business.

Cardholder data scanning

It may be the case that you do not know where all of your cardholder data is located. It is common in businesses where there has been legacy or unencrypted cardholder data that this leaches out of the places where you expect it to be. As part of the audit you will have to be able to prove your scope and ensure that you know and can prove where cardholder data is located. As such there may be the requirement to scans systems within your environment to prove there is no data. PCI-Secure has considerable experience in this area and multiple solutions that are available to you. Please see our data scanning datasheet that will provide more information in this area.

Blueprint or Gap Analysis

The next area is a decision point based on what has been found within the scoping study workshops. If the consultant believes that the end solution to achieve compliance will be radically different than the current solution a blueprint will be recommended. The reason for this is that providing a gap analysis on the current solution when the recommendation is to change it would not provide any valuable information, and only cost you money. It is better to have a consulting report that details what needs to be changed and how, this can then be followed with a readiness review prior to compliance to cover any residual areas of non-compliance.

Blueprint

A blueprint works by evaluating the environment and the end solutions that are possible to remediate the issues faced allowing compliance to be achieved. Details will be provided to show the design patterns that can be used, changes required, impact analysis, compliance implications and roadmap to achieve the solution.

Scope reduction workshop (as required)

A scope reduction workshop may then be held with all of the relevant parties to discuss the ‘AS IS’ payment flows and heat map. This will allow a discussion on potential changes to the solution that can be made. The consultant will look to test the options that they have and assess your appetite for the recommended changes. It should be noted that the consultant will look to challenge the business processes, as a change in this area may save tens of thousands of pounds of cost in compliance requirements. You need to be aware of this and receptive to these recommendations.

There are three viable options that can be used, and these are scope reduction or impact reduction, as shown below:

Scope Reduction

Scope reduction will look at the viability of:

1. Removing the cardholder data because it is no longer required or used;
2. Changing the business process to remove the reliance or use of cardholder data, specifically the PAN;
3. Change the technology or solution to substitute the PAN for another value;
4. Securing the transmission of the data to remove the underlying infrastructure.

This advice is built upon the work that was conducted during the scoping study phase and looks at the strategic options that are available to achieve PCI DSS compliance. There are endless challenges faced by all companies, and the latest of those is new ideas and thinking in relation to PCI compliance. There is an on-going requirement to meet the ever evolving standard while still trading as a business. Within most environments complexity and cost of PCI compliance increases with the size of the organisation, and is compounded by the acceptance channels used. Maintaining the required levels of control, monitoring and security over every system component and every location where data is processed, stored or transmitted is a challenge that will likely never be fully met. Even by spending lots of money to meet all PCI requirements, becoming PCI compliant and maintain this long term does not protect against the threat and liability of a data breach.

As such most companies are coming to the conclusion that they are not in the business of security or payment technologies, and stand little chance of attaining full PCI DSS compliance. Thus, most are increasingly convinced the only way to protect data and meet PCI compliance is to evaluate new solutions that are in the market place, specifically reducing their scope, risk, cost and future exposure. This includes the use of encrypting the data from end-to-end so that any data that is intercepted is unusable. Coupling with other solutions like tokenisation not only covers the online authorisation, but also the settlement transaction data allowing for all areas of card payment interaction to be covered. The greatest challenge is how to decide which technology solutions can best meet your needs with minimal disruption to your existing infrastructure and business. These technologies are not a panacea and do come with their own unique challenges and requirements. However, the reduction in scope coupled with data breach and liability exposure reductions is making most companies evaluate this technology carefully.

PCI-Secure are fully versed in all of the payment technologies and solutions that exist within current global markets. As such their experience and advice in this area allows for scope reduction and ongoing reduction of complexity and cost of attaining / maintaining compliance. This is what the scope reduction blueprint, design patterns and roadmap will provide by allowing you to evaluate the options that are available.

Strategic Outsourcing

The middle design pattern considers the use of strategic outsourcing as a means of achieving scope reduction, but does include the complexity of introducing third party risk. The use of strategic outsourcing needs to be carefully considered in terms of the requirement and how this will achieve the desired reduction. There are two options that could be considered and these are business process or technology outsourcing. Both will have effects on the application and controls required for PCI DSS. Depending on the strategy for handling third parties there may be full, partial or no scope reduction. This is why each case of outsourcing will need to be considered on its own merits and assessed in line with third party management as well as PCI DSS controls.

Impact Reduction

Impact reduction looks at the current environment and seeks to remediate the current infrastructure, processes and systems to allow you to operate as the ecosystem currently stands. There is little to no scope reduction with the use of this design pattern, it simply allows the segregation and application of PCI DSS controls. If scope cannot be reduced, then this is the only other design pattern that can be applied.

Report

A report will be produced that will consolidate the ‘AS IS’ and ‘TO BE’ recommendations so that you can clearly see the implications for your business and employees. This will include options that are available and provide clear design patterns to allow compliance to be achieved. PCI-Secure will also make clear recommendations on the changes that you will need to make in order to become PCI DSS compliant, and the best option available for achieving this.

PCI-Secure is an independent organisation, and does not recommend any suppliers, products and/or potential solutions. The identification of any suppliers, products and/or solutions in no way represents an endorsement, and is provided for illustrative purposes only. The recipient(s) of the report is responsible for ensuring that any product or service identified meets its own requirements. PCI-Secure are happy to work with you in the validation of these services for suitability purposes if required – and will do so from an entirely independent position.

Gap Analysis

Gap analysis will be conducted as a series of onsite workshops using the PCI-Secure audit methodology in order to assess the current environment. We would seek to cover the following:

1. Review the business operations;
2. The construction of the legal entities that you trade from;
3. Confirm how you take payment and look at the specifics of the payment flows;
4. Discuss the operational and technical structure of the company;
5. Look at the network diagrams and the technology that is used;
6. Discuss any network segmentation mechanism employed;
7. Discuss any wireless implementations;
8. Discuss any third parties that are used and the services that they provide;
9. Assess the systems and the controls that are in place.

We would typically expect the following individuals/roles to attend the workshops:

• Project sponsor;
• Compliance manager;
• IT systems and network manager / expert;
• Retail operations manager or expert;
• Finance representative that handles refunds, chargeback’s and card processing accounting;
• Legal representative that knows the companies structure;
• IT software development staff;
• Physical security expert;
• Those responsible for Information security policy, training and awareness and security incident management if they exist.

This list is not exhaustive and we would clarify and confirm who would need to be involved prior to the workshop. The deliverable from the gap analysis phase will be the PCI-Secure audit spreadsheet. This would provide the evidence in place and identify any evidence missing, produce a report on compliance against the standard, prioritised approach and remediation action plan.

Remediation Action Plan

The remediation action plan will be produced in the PCI-Secure audit spreadsheet and provide a focused report on the evidence that is missing and the requirements that you will need to meet. As remediation is conducted this spreadsheet can be updated and the remediation actions removed. The full spreadsheet can then be used as the central collation index for evidence that is in place. This should be used as part of the evidence pack for readiness review and the formalised PCI DSS audit.

Remediation

PCI-Secure will provide support throughout the process of remediation. Consulting time is provided to assist with ad hoc questions that may arise from any of the earlier phases or planned changes to systems that are required. PCI-Secure are happy to provide formalised answers to questions using its Consultant Questions Document (CQD) process. This will allow you to ask all of those questions that require an ‘in principle’ level answer in which to base decisions upon.

PCI-Secure stand by the answers that they give during remediation and the use of the CQD allows us to do this. Having a formalised process; and answer to a question that has been approved through the QA process allows decisions to be made. These documents can be used at time of audit as evidence to show why decisions have been made, and what solutions used have been based on. PCI-Secure will recognise this evidence for the audit as long as the advice has been followed, and implemented in line with the provided information.

Vulnerability Scanning (ASV)

PCI-Secure offers a quarterly managed vulnerability scanning service (through a partner) that is conducted by a dedicated team of skilled individuals. The solution offers the following:

1. A PCI-Secure QSA consultant checks the scope of the scanning to ensure compliance with PCI DSS Scanning Procedures;
2. Information security consultant conducts the tests;
3. Telephone support for the process;
4. Platform used is state of the art and achieves vulnerability detection rates of 99.997%;
5. Nothing to deploy or maintain for you as the customer.

It is important to confirm that the scope of assessment is accurate, and that any scope reduction is in line with PCI DSS requirements. This is advantageous to you as the customer because it allows defendable evidence that will be required for the production of your Report on Compliance.

The scanning report that is produced is in line with the PCI SSC requirements for ASV scanning and provides the required reports for submission to your acquirer(s) and QSA. Two reports are produced providing all of the management and technical information that you require. This is an automated platform process that needs to run against your external address space. Our team will contact you to ensure that there are no active security devices that will block our scans ensuring that you get the mandated and accurate information on your services. Additionally, this could be performance impacting and generate numerous security alerts so PCI-Secure will make sure that you are informed of when this is going to happen.

Penetration Testing (PCI)

Penetration testing is a necessary evil in today’s modern society as there is always someone out there that is willing to exploit any issues that they can find. As such it is important to ensure that all of the areas of your infrastructure, systems, applications and personnel have been robustly tested. PCI-Secure has a dedicated and skilled team of penetration testers that have many years’ experience not just in testing but in coding, support, systems, networks and security. This means that they have the in depth knowledge that is required to conduct the testing that you need. In order to satisfy the requirements of PCI DSS PCI-Secure would propose to conduct the following testing:

1. Segmentation effectiveness and containment of the CDE;
2. External network penetration testing;
3. Internal network penetration testing;
4. External application penetration testing;
5. Internal application penetration testing;
6. Web application penetration testing;
7. Wireless testing.

These tests will satisfy the requirements for PCI DSS section 6 and 11, as required for your report on compliance. The process that is used to conduct these has been developed from industry best practice and broadly follows the following process:

1. Profiling;
2. Discovery;
3. Assessment;
4. Exploitation;
5. Clean-up;

Reporting will provide the information that you require to show what issues are present within the environment and need to be resolved. This will allow you the ability to fix these issues and be assured that further exploitation should not be possible. If you need further information on our penetration testing, please see our Assurance datasheets or look at our website.

It should be noted that: all staff are ethical testers and we do not hire hackers or criminals to conduct testing services. This gives you the assurance of your data’s security and ethics with which these tests are conducted.

Incident Response

A hot topic now for all aspects of PCI is in relation to incident response. It is important to ensure that you have the appropriate processes, procedures and services in place – as from version 3.2 of PCI DSS all SAQ’s and RoC control packs carry the need for incident response. Therefore, we have put together specific testing and workshops to help you meet these requirements.

Workshop

The aim of this workshop is to inform your decision makers about the process of an incident, the impact of the decisions taken and how they affect and dictate the course of events. Delivered by a member of the PCI-Secure Forensics and Incident Response team, this package involves informing delegates about the mechanics of dealing with a suspected card breach and why correct decision making is so crucial to ensuring that the best possible outcome is delivered following an Account Data Compromise (ADC).

Deliverable: A planned “layered defence “approach to an incident

An attacker has many potential avenues from which to attack, and this is perhaps the biggest breach-protection issue, if security personnel miss just one ‘defensive’ avenue, that may be enough to cause a data compromise. Taking a layered approach to incident response planning eliminates some of this risk by ensuring other layers of defence can compensate when you are under a ‘blended’ or mosaic style attack.

What many customers forget is that there is a layered approach to attacks, being the people, process and technology layers. PCI-Secure briefs and trains staff to watch out for social engineering attacks, unauthorised staff in sensitive areas and establishing processes for dealing with security breaches. This will be covered in the workshop.

Deliverable: Define, Establish and Test Processes

Many companies do not have a have a plan or a process to respond to data compromises. Many have an incident response plan, but such plans are often focused on operations and getting systems up and running, as opposed to minimizing the risk to information assets, such as payment security. Then again, the incident response plan is rarely a living-breathing document; it is typically on a shelf gathering dust.

PCI-Secure emphasise breach planning as a core part of the incident management plan. It is also essential that this plan be tested regularly, and as per the PCI-DSS requirements at least once a year. The workshop executes the ‘response team’ practicing responding to various scenarios and work under simulated stress conditions. Having these mock scenarios educates you and your team to work effectively under controlled conditions. These tests can also highlight areas of deficiency and will help keep the plan current, accurate and in line with reality. The aim of the de-briefing is to collate the events and activities and base the effects of the action against industry best-practice.

Deliverable: Preparation of Public Response Plan

Many Merchants have been penalised by regulators across the world for not communicating about breaches in a timely fashion. Many others that were quick to come out in public were embarrassed when later investigations found the size and scope of those breaches to be much bigger than initially reported. Customers and regulators tend to be more forgiving of companies that report breaches quickly. Part of the exercise is to test your current public response through the scenario and then in the de-briefing assess the best methodology through customised workflows.

Deliverable: Understanding Legal and Jurisdictional requirements up front

It is essential for you to involve legal assistance before a potential breach and understand the requirement constraints before initiating a response. For example, the new General Data Protection Regulations (GDPR) are stringent and require notification to the Information Commissioners Office (See our GDPR datasheets). Failure to do so can result in large fines, legal warrant to prohibit data processing or criminal prosecution in some cases.

PCI-Secure has specialist legal and communications advisors that can help in this area.

Readiness review

The readiness review seeks to show how prepared you are as an organisation for formalised audit. This is not just about checking the control items but the preparedness of staff and the evidence pack. PCI-Secure would envisage covering:

• Review of documentation;
• Review of interview list;
• Review of evidence file and requirements;
• Review of segmentation and control mechanisms;
• Proof of scope inside and outside of the cardholder data environment;
• Review of high level controls in place and deal with troublesome areas of the standard.

This will require the PCI-Secure audit spreadsheet and a combination of interview, documentation and implementation review. The QSA will seek to test some of the in place controls against the PCI DSS scoring matrix to ensure that the implementation or evidence provided would meet compliance requirements. The same methodology will be applied to the proposed controls, and specific feedback given where controls will not meet requirements, or areas of common failure.

Support

In order to reduce external costs (as far as possible), we agree that it is prudent to use your resources and knowledge as far as allowable to conduct a cost-effective assessment. Evidence file production and capture of the required materials should be conducted by you prior to the assessment. PCI-Secure will send the evidence requirements over ahead of the assessment to allow you to generate the required information.

PCI DSS Audit

In conducting any audit, there is a simple process that can be followed to ensure that the information that is received is consistent with the environment that is being assessed. PCI-Secure consultants will use the following process:

The process allows for the written work to be evaluated gaining a baseline of the environment, its setup, control, people, process etc. Once this has been understood then interviews can be conducted to see if management know what the environment is and how it should be controlled. Followed by staff interviews allow corroboration (or not) of documentation and what management want to happen. The process then goes on to the checking of what is actually implemented and if this is in line with documentation and what staff state is the case. Finally, evidence is checked to ensure that all of these controls are sustained over the review period.

The process for PCI DSS assessment is clear, and the methodologies differ little between agencies. What does differ is the level of diligence, experience and assurance that you get from the process. Having worked with many businesses from small right through to the largest multinationals means that PCI-Secure has the experience that you need. The advantage is that we can understand your business quickly and apply pragmatic and sensible audit capability while maintaining external probity. The following methodology is used:

Position	Description
Review	Review the documentation and payment flow information that has been provided for the assessment
Scope	Review the scope of the environment and decide on the confines based on the customer information so that this can be tested and validated later in the process
Evaluate	Evaluate the evidence file that has been produced and ensure that this is in line with PCI DSS requirements and the scope that has been presented
Interview	Interview the required personnel to further understand the confines of the scope and cover the specific points of PCI DSS that require interview as evidence validation
Sample	Select the sample that needs to be tested under the current PCI DSS assessment
Test	Test the scope of the environment both inside and outside to confirm that the extent is as documented and stated. Then test the specific PCI DSS controls applicable to the sample selected above
Report	Report and record the results in the PCI-Secure Audit spreadsheet and complete the RoC.
QA	Pass the report to the QA office to ensure that this meets the requirements of the PCI SSC scoring matrix and acquirer / card brand mandates to allow signoff and acceptance

Evidence will be required to be ‘in place’ and present when the assessment is conducted and cannot be based on the future state or project plans. The assessment has to be against the ‘AS IS’ cardholder data environment. If you have any concerns, then PCI-Secure recommend discussing these with the auditor at the time of project initiation. This will allow suitable time to consider if there will be any implications and whether further work will be required prior to assessment. PCI-Secure want you to be ready to go into assessment knowing that you should pass.

PCI-Secure will identify any areas of concern or any non-compliance issues as the assessment progresses. These will be escalated to the Lead Consultant for discussion and decision on the outcome. Opportunities for retest, further assurance, or compensating controls will be discussed with you as appropriate.

When identification of the scope and sample are conducted the executive summary for previous year’s reports will be required. Some of the system components that were in scope of last year’s assessment will be re-sampled for on-going compliance and new systems will also be chosen. This allows for a better rounded level of assurance to be provided. The sample will be at the discretion of the lead and assessment QSA, so all appropriate controls should be in place on all in scope Cardholder Data Environment (CDE) system components.

For the full details on the audit process, talk to your consultant who can provide the audit expectations datasheet.

Report on Compliance

PCI-Secure will complete a documented Report on Compliance (RoC) to verify compliance. The RoC shall include all aspects required by the PCI DSS requirements and Security Assessment Procedures.

If any PCI DSS requirements are not in place, PCI-Secure will produce a Remediation Action Plan (RAP) that prioritises the actions required based on risk, using the PCI SSC prioritised approach. If this is the case, you shall be required to implement any remediation actions prior to a further PCI DSS compliance security assessment. Wherever possible, PCI-Secure will help you with any required liaisons with the card schemes / acquiring banks to ensure there are no detrimental effects to your business.

Supported SAQ Completion

Where there is a requirement for a merchant or service provider to complete an SAQ validation there are a number of areas that PCI-Secure can specifically help. A baseline has been established over many customers and PCI-Secure uses the following methodology:

1. Confirm the merchant level based on transaction volume and acquiring bank / card scheme requirements;
2. Confirm the payment channels that are accepted;
3. Confirm the SAQ type validation that is applicable to the environment;
4. Confirm that the scope is accurate for the assessment and that the appropriate boundaries are in place;
5. Train the internal parties on how to complete the SAQ assessment and what is required;
6. Provide consulting information on what is required to prove that a control is in place;
7. Provide clarity and understanding on what requirements actually mean;
8. Provide clear advice and guidance on how processes, payment flows or solutions could be changed to modify the scope, SAQ type or breach likelihood / impact.

PCI-Secure consultants will also provide their details to be completed on the SAQ to show that you have received professional help and guidance for the completion of PCI DSS requirements. We have found this to be immense benefit to our customers as this gives the banks and card schemes the assurances that this has been completed correctly and appropriately.

It should be noted that the completion of the SAQ needs to be conducted by you as the customer. If your acquirer or card scheme requires PCI-Secure to assess you against an SAQ and then sign this the process will be exactly the same as for audit. The only difference will be PCI-Secure will not produce a report on Compliance, but will complete the SAQ and then sign the self-attested attestation of compliance.

QA

This will be conducted offsite by the PCI-Secure Quality Department. For any professional services that PCI-Secure produce for PCI DSS quality assurance is required. This is mandated by the PCI SSC as part of the operating license requirements placed upon a QSA company.

 

PCI-Secure has considerable experience in the field of both payment consulting and that of payment security. Its consultants have worked in as well as working with merchants and service providers’ compliance requirements since the first version of the standards run by the card schemes themselves. PCI-Secure has a unique view of payment security with work in all aspects of payments, security and card forensics investigations. This blended approach allows customers to realise true compliance at a price they can afford, while ensuring their customers data is safe. See our other datasheets on payment consulting, ISO27001 and the GDPR. Talk to us today about how we can help you….