It’s no secret that most organizations that set out to achieve any level of PCI compliance find it harder than they first imagined. That is even more true for merchants that require Level 1 PCI compliance.
These companies need an external QSA audit and a passing Report on Compliance (ROC). No small feat. As a PCI QSA company, our QSAs have identified five key ways to improve your company’s chances of passing its PCI QSA audit. Fortunately, all of them can be carried out by internal resources in preparation for an upcoming audit.
1. Know all the places where cardholder data (CHD) is transmitted, stored and processed.
A QSA audit begins with interviews to discover all the places where payment cards are accepted, processed, transmitted, stored, and more.
Most organizations cannot answer these questions completely on the first pass. This is understandable, especially if the organization has never gone through a discovery process. Employees are generally tasked with making things work, and over time processes and products get created that were never formally documented or even approved.
Processes that can bring systems and people in scope:
- Recorded calls where CHD is stored in the recordings.
- Physical paper with CHD that is being scanned into another system.
- Emails where CHD is sent either internally or externally to customers.
- CHD being shared with partners via undocumented and insecure methods.
- Temporary “stores” or collections that only happen periodically like an annual conference where the organization accepts payment cards for registration fees.
In order to discover these processes, at least two people in each department should be interviewed: the department manager and the employee in that department who is most knowledgeable about its day-to-day processes. Hint: the department manager is often surprised to hear about some of the processes that collect or process CHD, or at least about the details of how the data is handled. Because managers don’t actually work the process, they can unintentionally mislead or misinform about it. So don’t rely on department managers alone; make sure you talk to the person with their boots on the ground. Most department managers understand this and are more than willing to sit down with the auditor and another employee in the department to discuss their interaction with CHD.
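The interviews above tell you where CHD is supposed to be; a data-discovery scan over the repositories they point at (mailbox exports, call-recording transcripts, OCR’d scans, CRM exports) tells you where it actually is, and regularly turns up the undocumented processes described above. The following is an added example, not code from the original article or from any QSA’s toolset: it finds candidate card numbers in text, keeps only those that pass the Luhn check, and reports them masked so the report itself does not become a new store of CHD. The file names and text in SAMPLE_SOURCES are constructed for the example and use published test card numbers, not real PANs.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid PANs found in a block of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each source name to its masked findings, keeping only sources that hold CHD."""
    return {name: hits for name, text in sources.items() if (hits := find_pans(text))}


# Constructed sample data standing in for the places listed above. The card
# numbers are publicly documented test PANs (Visa, Mastercard, Amex), not real ones.
SAMPLE_SOURCES = {
    "mailbox/billing-export.eml": "Customer asked to update card to 4111 1111 1111 1111 exp 12/27",
    "callrec/2023-04-12-transcript.txt": "Agent: card number? Caller: 5555-5555-5555-4444, CVV 123",
    "scans/conference-registration.pdf.txt": "Reg #1234567890123456 paid by AMEX 378282246310005",
    "crm/notes.csv": "order 1234567890123456 shipped; tracking 1Z999AA10123456784",
}

if __name__ == "__main__":
    for source, pans in scan_sources(SAMPLE_SOURCES).items():
        print(f"{source}: {', '.join(pans)}")
```

The 16-digit registration and order numbers fail the Luhn check and are dropped, which is what keeps a scan like this from flagging every invoice number as a card. Luhn still lets some non-card numbers through, so findings should be confirmed with the process owner, and a scan of this kind supplements the interviews rather than replacing them: it cannot see CHD that only exists in voice recordings or on paper that was never scanned.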
2. Know what is in scope for PCI.
As stated previously, most organizations don’t fully understand all their processes at a high level. Small details about processes often go undocumented and therefore never make it up to the managerial level. Once these processes are fully understood, the next step is to determine how they affect the scope of the audit. In general, the scope includes all people, processes and systems that process, transmit or store CHD. In detail, the organization should fully understand the flow of CHD through the organization and include every system, person or process that the CHD touches. This includes places that are often overlooked, such as:
- Phone systems for collecting CHD over the phone.
- Workstations of Customer Service Reps (CSRs) who collect card data over the phone and enter it into a payment application or website.
- Systems that are not segmented from systems that directly interact with CHD. For example, if the CSR workstation is not segmented from the rest of the organization’s network, then every system on that network is in scope. Segmentation only reduces scope if it is verified to be effective, which is why the QSA will expect to see segmentation controls tested, not just drawn on a diagram.
- Web applications that start the payment process but then hand off the payment to a third-party payment provider. These web applications are typically in scope for at least some controls.
3. Reduce the scope.
One of the best ways to secure data and achieve compliance is simply to reduce the number of processes, people and systems that fall under PCI DSS. I often help customers walk through this exercise and weigh, from both a business and a technical perspective, the positives and negatives of reducing or eliminating processes; shrinking scope also shrinks the risk to CHD. The most common areas for reducing scope are:
Eliminate CHD where possible.
- P2PE (point-to-point encryption) encrypts CHD at the point of interaction, either in a card-present point-of-sale terminal or in a dedicated keypad used to key in payment card information. Both devices encrypt the CHD at entry and submit it directly to the processor. Although the ciphertext crosses the organization’s network, it can be treated as out of scope because it is encrypted with a key the organization does not own or have access to; the decryption key is held by the processor or the service provider offering the P2PE solution. For those payment channels this removes clear-text CHD from the environment, and the organization only has to meet a small set of controls covering the devices and the process around them. Note that this scope reduction is automatic only for a PCI-listed (validated) P2PE solution; for any other encryption solution the QSA or acquirer has to confirm that the environment can be considered out of scope.
- Tokenization is the process by which the service provider or processor returns a token to the organization that is not CHD but represents it. This is used where an organization needs recurring charging and would otherwise have to retain the payment card information. Instead of retaining the card data, it retains only the token and submits that token to the service provider or processor when a charge is needed. If the tokens are compromised, there is very little risk of an attacker turning them back into CHD. One caveat: a token that can initiate charges through the organization’s own merchant account is still worth protecting, because an attacker who steals it can commit fraud against your customers even if they never see a card number.
Outsourcing processes to 3rd party service providers.
Although this may not be possible for all processes, some are easier to outsource than others. For example, payments over web or mobile can often be outsourced easily and leave the organization with minimal scope, provided the payment page is fully hosted by the provider (a redirect or provider-hosted iframe) and the provider is itself PCI DSS validated. Outsourcing does not remove responsibility, so expect the QSA to ask for each provider’s Attestation of Compliance.
Eliminate processes that have little value but heavily increase scope of audit.
Organizations can often review their processes and determine that some of them, while they have some value, don’t bring enough to justify the cost of compliance. The most common example is payments over the phone. Nearly everyone who pays by card also has Internet access and can pay through a web application, which leaves many organizations with a very small percentage of customers who call in to pay by card. However, the cost of bringing the entire phone system, the call-recording system and the Customer Service Reps’ workstations into scope can be substantial. For this reason, many organizations choose to stop accepting payment cards over the phone and instead help those customers make their payment through the available web application.
Consolidating processes to as few people, processes and systems as possible.
Many organizations have, over the years, added several processes that collect CHD. Those processes are often not centrally managed, which leaves the organization with many systems and areas of the network in scope. This can include multiple databases or file systems that store CHD, as well as different kinds of technology collecting it. Consolidating all these processes onto as few systems and devices as possible can heavily reduce the scope for compliance. This would include:
- Taking all web payments through the same payment application, even if the payments are for various services in various departments.
- Ensuring all card-present transactions are conducted with the same Point-of-Sale devices and processors.
4. Understand Which Controls are Applicable.
Not all controls apply to every environment, and knowing which ones apply and which don’t can save an organization a great deal of time and effort. For example, if you can segment and reduce scope to the point that there are no wireless networks in your cardholder data environment, then you are not required to apply the wireless controls to the wireless networks that sit outside that scope. One caveat: PCI DSS still requires periodic testing for unauthorized (rogue) wireless access points in the cardholder data environment even when you deploy no wireless there, so that control never becomes N/A. Likewise, if you eliminate the storage of CHD, most of the requirement dealing with protecting stored account data becomes N/A, although you will still need to show that sensitive authentication data is not retained after authorization and that any displayed PAN is masked.
5. Perform Pre-Audit or Gap Analysis.
This is the audit before the audit, and it should be performed by every organization attempting to become compliant for the first time. A QSA or an Internal Security Assessor (ISA) should review the current scope, processes and controls and determine which controls are sufficient and which need improvement. For many organizations this is a multi-round process, with each round bringing the organization closer to compliance. Performing a gap analysis and remediating the failures it uncovers almost always leads to a successful QSA audit and a passing Report on Compliance.