Here are some general approach guidelines for PCI certification:

1. Review the PCI Data Security Standard.

You can find out more about this here. Useful background reading is the ISO 17799 standard, which is used to shape PCI DSS.

2. Review where cardholder data is stored in your organisation and how it is transmitted.

Understanding where account data is stored and where responsibilities lie is crucial to the compliance process. This task will normally produce a list of the individuals who will provide essential information to audits.

If you do not know where your organisation sits within the PCI framework, you might want to review the Merchant levels below:
| Merchant Level | Description |
|---|---|
| 1 | Merchants processing over 6,000,000 card transactions per year. Any merchant that has suffered an attack that resulted in an account data compromise. |
| 2 | Merchants processing 1,000,000 to 6,000,000 card transactions per year. |
| 3 | Merchants processing 20,000 to 1,000,000 card transactions per year. |
| 4 | All other merchants. |
Associated compliance tasks required for Merchants are:

| Merchant Level | Task Description |
|---|---|
| 1 | Annual onsite security audit to be performed by a Qualified Security Assessor. Quarterly network audit to be performed by an Approved Scanning Vendor. |
| 2 | Annual completion of the self-assessment questionnaire to be performed by service provider. Quarterly network audit to be performed by an Approved Scanning Vendor. |
| 3 | Annual completion of the self-assessment questionnaire to be performed by service provider. Quarterly network audit to be performed by an Approved Scanning Vendor. |
| 4 | Annual completion of the self-assessment questionnaire to be performed by service provider. Quarterly network audit to be performed by an Approved Scanning Vendor. |
3. Review Third Party Relationships and Service Providers

It is very important that Merchants ensure their Service Providers are PCI compliant. A Merchant can be held responsible for a data compromise even if the fault was found at the Service Provider. In these cases, the Merchant may well be expected to bear the costs of remediation and investigation work. They will certainly be expected to undergo a tier 1 onsite audit - irrespective of their size.

Also note that third parties may not just include payment gateways and processors. They might also include any outsourced web application development and maintenance. In our experience many serious flaws are found in web applications which provide direct routes to confidential account data.

Card Providers, such as Visa and Mastercard, recommend that third party contractual agreements should include specific reference to meeting PCI standards for processing cardholder data. Strong emphasis is placed on ensuring Merchants monitor the progress of the Service Provider's PCI compliance status.

Should a Merchant have any doubts or concerns over the compliance status of a service provider, they can contact the Card Processors or their Acquirers directly to inform them of their concerns. Alternatively, contact a QSA such as ourselves and we can provide specific guidance on what to do next.
4. Conduct a Gap Analysis

Using the DSS as a guide, measure how well your organisation meets the PCI framework. It is highly likely that there will be areas that will need further review and possible remediation.

It is at this stage that many merchants use the services of qualified security assessors and scanning vendors to help them understand the certification process.

Once the initial gap analysis has been completed, a business should have a clear idea of where improvements need to be made. This understanding can then feed into action plans ready for the full audit.
5. Full Audit / Certification

By the time that a Merchant performs a full audit, they should be familiar with all sections covered in the DSS. Indeed, if the gap analysis has been performed correctly, remediation tasks will already be underway or even completed.

For Merchants that require an onsite audit (tier 1), the Report on Compliance (ROC) must be completed annually along with quarterly PCI audits. Once the ROC has been satisfactorily completed, it is signed off and submitted to the payment card providers and the Acquiring bank for review.

Other Merchants (tiers 2, 3 & 4) will be expected to submit annually a completed Self Assessment Questionnaire (SAQ) to their Acquiring bank along with results from the quarterly PCI audits. In some cases, Acquiring banks will expect the SAQ to be reviewed and signed off by a qualified security assessor - irrespective of their Merchant level.

The DSS requires that organisations handling payment card data perform a full penetration test on their payment network at least once a year. This task is very important and ensures that any ecommerce application and/or their supporting networks are thoroughly tested for security weaknesses. It should not be confused with quarterly PCI scanning, which offers a useful, but less comprehensive, review of network security. This task is overlooked by some organisations, and they do so at their peril. The requirement is in the DSS for a very good reason: weaknesses in web applications can provide direct, and trusted, routes to account data.
Ongoing Considerations

The PCI DSS is a process of continued improvement. As a result, organisations will need to continually perform quarterly audits. They will also need to audit their IT operations against the standard once a year (using either the ROC or SAQ).