When it comes to Payment Card Industry Data Security Standard (PCI DSS) compliance, it seems like someone is always pointing the finger at someone else when a merchant gets breached. People blame the merchant, software makers, a vendor, the Qualified Security Assessor (QSA) and even the PCI requirements themselves. As things stand today, no matter whose fault it is, if your network becomes compromised, it will likely be your company alone that ends up paying the price in fines, loss of reputation and loss of business. That’s why, when it comes to security and compliance, long before there has been a compromise you need to adopt the adage President Harry Truman made famous: “The buck stops here.”
Compliance and security are not the same thing, but your business is held responsible for both. Only your executives and board members may require your company to be secure, but if your business stores, processes or transmits cardholder data, PCI requires your company to be PCI compliant. Failure to do so could result in fines, credit card replacement costs and forensic audits should a breach occur. The compliance requirements are PCI’s attempt to ensure that merchants protect payment card data and focus on security. When you or your QSA submits your annual Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) to your merchant bank, which then reports to the Payment Card Industry that your company is PCI compliant, your submission is only a snapshot of your network on the day you completed the forms. You must ensure that compliance is maintained every day, and you need to remember this whenever any change is made to your network. In addition to submitting the above documents, if you electronically store cardholder data after authorization or if your processing systems have any Internet connectivity, you are required to have a quarterly scan by a PCI Security Standards Council (SSC) Approved Scanning Vendor (ASV).
Meeting Compliance and Security
The first step to becoming compliant is usually a Gap Analysis, which compares your current state of security and compliance against the desired state. A QSA can provide an overall view of your organization’s current state of compliance and the steps you need to take to reach compliance. The PCI Gap Analysis reviews the credit card processing mechanisms within your organization’s environment, such as your web applications, point-of-sale terminals, call center activities, payment gateway and your acquiring bank processor, as well as the security controls associated with those mechanisms. The QSA should include an in-depth analysis of how credit card data flows within your network and how you can remove cardholder data from systems to limit the scope and impact of PCI DSS. The QSA should also show you where you can use compensating controls whenever possible to avoid unnecessary expenses.
Although many organizations only need a QSA to complete their RoC, many use one to ensure they are PCI compliant and secured to the best of their ability. QSAs can perform Onsite Data Security Assessments (a PCI audit), Gap Analyses, Remediation Services and PCI consulting and advice. If you are considered a Level 1 Merchant or a Level 1-2 Service Provider, which depends on how many transactions you process a year and on whether your network has been compromised, you will need an Onsite Data Security Assessment conducted by either a QSA or an internal audit group, if your company has one. Your assessor (the QSA or internal audit group) will submit to your merchant bank a Report on Compliance (RoC) and an Attestation of Compliance, validating that your company is in compliance with the PCI requirements. Depending upon your Merchant or Service Provider level and the payment card brand, you may only need to complete a SAQ, validating that you have met PCI’s listed requirements. If you do that, be sure the staff member who completes it is an experienced security professional who fully understands the requirements and compensating controls. If not, you may want to consider hiring a QSA. A good one could save you far more than a breach would cost.
Choosing a QSA
Becoming PCI compliant could take six months or longer, depending on your current state, so be sure you select a QSA who will work as a member of your team, providing you with options regarding what you need to do and how you can do it. QSAs come from various backgrounds and have differing degrees of knowledge of business needs, PCI and IT security. They should have an excellent understanding of PCI, network architecture, threats, network protection, network policies, business operations and cybersecurity, so that each piece of the business can work together as a cohesive unit to accomplish business goals. Some QSAs come from an auditing background and others from a cybersecurity background. Ask prospective QSAs about particular PCI controls and what those controls mean for your cybersecurity. See whether they can tell you how to keep up the desired state of cybersecurity continuously once the audit is completed, since you will need to maintain compliance between audits.
Working with a QSA you trust is important because QSAs interpret the requirements in a wide variety of ways. One may insist a company needs to have certain security controls in place when, based on a risk assessment and business requirements, all the company needs is additional segmentation or even a process change. A QSA who really understands networks will find different ways to satisfy a requirement so that a company does not have to purchase a new security device. Devices can serve a company well, but only if they are properly managed. If your organization has no one to manage a device, it will not work for you for long. Your QSA must understand your business needs and the way your business operates in order to make recommendations that suit the business as well as the PCI requirements.
The following is a list of things QSAs should do:
• Align information security and compliance with business strategy and objectives
• Help you with the architecture of your network
• Use critical thinking to devise different ways to meet requirements that you may need
• Take a broad-based approach to your network first to make it secure and compliant
• Help you create policies and strategies that beget long-term security
A QSA, No Big Deal
To apply to become a QSA, a candidate must show PCI on a résumé either five years’ experience working full time in information security or a security certification (CISSP, CISA or CISM). The applicant then takes a seven-hour prerequisite course on PCI fundamentals, followed by an online course and a two-day, instructor-led session. The applicant must pass written exams and receive a certificate that validates the applicant is a QSA. The book knowledge learned in the classroom is valuable, but only the experience gained from working in the field allows someone to help a company meet the requirements in a way that is effective and economically viable. A cybersecurity consultant who works full time in the field and has a team of other QSAs to bounce ideas off is a great resource for meeting certain requirements efficiently.
Without a quality assessor, an organization is liable to make the same mistakes that more than half of organizations make: they will fail to protect stored data, fail to maintain secure systems (patching and updating hardware and software) and purchase devices they either don’t need or don’t end up using properly, so the devices are not effective. PCI DSS provides a list of more than 200 line-item controls that must be inspected yearly. Putting all the controls into place for the first time normally takes a merchant about 2.35 years. Each network is different, so a lot of brain power and experience are needed to find the best avenues for each organization to take to meet the requirements.
Organizations don’t have to meet the requirements exactly as they are written. An organization can meet the requirements through the documentation of compensating controls. If a QSA or consultant suggests you buy a new security device, it may be because he is unaware of how you could meet a specific requirement without the device. PCI allows compensating controls if they sufficiently offset the risk that the PCI DSS requirement was designed to defend against. To create a compensating control, your assessor will need to examine the issue at hand and figure out a way to meet or exceed the requirement. If you use a compensating control to meet a requirement, the assessor must document:
• the constraints that preclude compliance with the original requirement
• the objective met by the compensating control
• the risk posed by the lack of the original control
• how your compensating controls address the objectives of the original control
• how the controls were validated and tested
Your network is like a puzzle. It is up to you to choose a good QSA who can help you put the pieces together so that they all work seamlessly to protect your network from a costly breach.
According to the Ponemon Institute’s 2014 Cost of a Data Breach Study, the average cost of a data breach in the U.S. was approximately $210 per record, and the average total cost of a breach was more than $5.85 million.
If the buck doesn’t stop with you, a breach could cost you much more than a buck.