Life After the PCI Report On Compliance: Ensuring Ongoing PCI Compliance and Security, Part IIBy: Rafe Pilling
#1 Build Sustainable Controls and Make Them Part of Business as Usual
An effective security control ensures that people are certain of their roles and responsibilities and that technology is underpinned by the appropriate processes and procedures on an on-going basis. It?s critical to design and implement security controls and processes to protect the cardholder data environment between formal assessments. While the assessment is a point in time validation, compliance is an everyday state of being. A certification of compliance from an
approved assessor means you are compliant at the time of issue. Once issued though, it becomes immediately out of date unless you continue meet the requirements.
If you don?t have the in-house resources to do this, you may wish to engage a security expert. Many merchants find it easier and more cost effective to hire a Qualified Security Assessor (QSA) who has the skills and experience to understand their business and help build effective security controls.
An experienced security partner with in-depth knowledge of PCI can help craft controls that will continue to work and provide protection regardless of where you are at in the assessment cycle. Doing so can also help reduce the burden on in-house IT staff, leaving them more time to focus on mission-critical needs for the business.
#2 Perform Regular PCI Health Checks
You should also perform regular PCI Health Checks. Doing so will allow course corrections and remediation in smaller, more manageable amounts on a timely basis, and allow you to effectively address issues before they can become bigger problems.
If you have a dedicated internal PCI team, this should be one of their top priorities. Health checks can include Approved Scanning Vendor (ASV) PCI scans, penetration testing, inventorying removable media stores, regular employee security awareness training and so forth. A quarterly PCI Health Check from a reputable QSA can also confirm that controls are working effectively.
#3 Prepare for Assessments
There are several steps merchants can take to save time and reduce the impact to the organisation of a PCI assessment, including:
- Gathering documentation in advance so that it is readily available to provide to the QSA during the assessment; and
- Documenting the process to validate that each control is in place and properly working.
If regular PCI Health Checks have been performed, these two steps will take much less time. The QSA will want to see the same reports, scan results, and log entries.
You should identify who will be involved in the next assessment, and educate them as to what to expect. Keeping track of roles involved in previous PCI assessments and any new ones that have been created in the intervening period can be very helpful in this regard. At the minimum, this roster should be updated at each PCI Health Check.
By ensuring that controls are managed as part of everyday business tasks, organizations can avoid many of the headaches associated with PCI compliance assessments. Conducting a quarterly health check, preparing employees and executives for what is expected in the assessment, and keeping good track of documentation and any changes to the cardholder environment can help ensure that assessments are a normal part of business instead of an annual fire drill. Partnering with an organization that specializes in security can help organisations build a sustainable PCI DSS compliance initiative through effective and pragmatic security controls.
Rafe Pilling is a PCI QSA and Principal Consultant with Dell SecureWorks Security and Risk Consulting located in Europe.