By Heather Robins
Sometimes, coming to grips with your company’s need to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) feels a bit more like going through the Five Stages of Grief than tackling a standard issue business problem. I’ve been in the Information Security industry for a little over 5 years, and I’ve heard just about every justification and excuse about why (insert excuse here) means your business doesn’t need to comply with the standard… but if your organisation processes, stores or transmits credit card data (yes, any one of those things!), then yes, you DO need to comply with the PCI standards.
If you’ve arrived at this page, the good news is it’s likely that you’ve finally reached the ‘Acceptance’ phase of your journey. The bad news is that this is where the work begins!
The steps outlined below are just that – an outline. This may or may not apply precisely to your business, but it should start you on the right path. Your acquiring bank should be able to provide additional assistance and if you want additional assistance, reach out to a Qualified Security Assessor in your region (Shearwater can help in Australia).
Define your Cardholder Data Environment and Document Your Card Flows. In simple terms: how do you accept credit cards, what do you do with them and how.
Look at that scope you just defined… is there any way to limit it? Can you eliminate a business process that currently requires you to store credit card numbers in Manny from Finance’s bottom drawer? Can you segment your environment at this point? A limited scope and limited number of card flows will save your sanity.
Understand if you’re a Merchant or Service Provider and What “Level” you’re at. This is a question of how your business interacts with cards and how many interactions it has with cards. PCI DSS doesn’t care if you take one credit card number and process it 6 million times or take 6 million cards and process them one time, if you’re over 6 Million transactions per year, you are a PCI DSS Level 1 Merchant. The Level 1 barrier for Service Providers is at 300,000 transactions per year. Level 1 (for either Merchant or Service Provider) means you’ll need to engage a Qualified Security Assessor (QSA) organisation… the silver lining is you won’t have to fill in a Self Assessment Questionnaire because your QSA will do that for you, in the form of a Report on Compliance (RoC) and an Attestation of Compliance (AoC).
Find Your Self-Assessment Questionnaire (SAQ). If you are not a level 1 Merchant or Service provider you will need to complete an SAQ. While I’ll be looking to write a bit more extensively on picking your SAQ, the best first step is to look at the PCI Council’s Website. There are specific SAQ’s to fit specific business models (ecommerce only, virtual terminals only, etc.) The short story is SAQ D covers just about everything so, if you know you take cards through a lot of different channels or you don’t seem to fit in any particular bucket, this is your SAQ. Remember you have to meet all the requirements for the SAQ, if not your SAQ will be SAQ-D.
Identify your gaps. SAQ D has 288 individual requirements, so this can feel very daunting. The PCI Council’s Prioritized Approach can provide a good jumping off point if you’re looking to do all of this on your own. If you do decide as a company to take this project on internally, make sure you assign someone (or several someones!) who understand the business, are well connected and are well respected. You’ll need the project leader on this to feel confident engaging with technical and business staff and have the resourcefulness to know where to go to get answers.
Put together your remediation roadmap. What were your major findings from the gap discovery/gap analysis phase? How do you plan to fix them? Almost every organisation will have policy and procedure work to do that can provide ‘quick wins’ on improving their posture versus PCI compliance at a relatively low price point. Big infrastructure undertakings will obviously take considerably more resources and planning. Where possible, try to understand what you have currently that can be leveraged more powerfully for compliance initiatives.
Fill in and submit your SAQ or RoC (depending on your level) and Attestation of Compliance. While everyone wants to be PCI Compliant, the simple fact of the matter is that almost every organisation does not start off that way! Don’t continually put off this step in the process because you’re waiting for your dream state of affairs to be willed into reality. If you’re not compliant, you’re not compliant. Submit your required documents and your plan – every acquiring bank I’ve ever worked with has been willing to work with their vendors who are proactive on PCI compliance. It’s better to take control before your bank comes to you about PCI because something bad has happened!
You can do as little or as much of this ‘on your own’ as you care to (except for Level 1 Merchants and Service Providers, who do need to engage a QSA!). It will require a lot of internal manpower if you have a complex organisation, complex payment processes, poor documentation, poor segmentation or some combination of all the above. You can bring in a PCI Consultant at pretty much any stage in this process. In my experience, bringing in a QSA at the scoping/de-scoping stage and at the gap analysis stage is good bang for buck compared to doing it all yourself, but again, it will really depend on your business and your specific situation.
If you do have any comments, concerns or clarifications, or if you need assistance on your PCI journey, feel free to reach out to the Shearwater QSA team or to me directly (firstname.lastname@example.org). We’d love to hear your thoughts and take on any feedback you might have.