Compliance with the Payment Card Industry Data Security Standard (PCI DSS) appears daunting at first glance. Complying with 12 requirements and hundreds of control objectives is no small feat for many organizations. First-time PCI compliance assessments can be even more difficult if an organization does not have an internal or external audit program that has already verified that these controls are in place in a compliant manner. There are many factors that can further complicate a PCI DSS assessment before the control testing even starts.
The PCI DSS requires that organizations comply with the PCI controls that are applicable to their own environment.
The different payment channels and controls used by an organization may be aligned with a Self-Assessment Questionnaire (SAQ) or determined by the acquiring bank, processor, or card brands. These control objectives will determine what internal processes an organization must implement and support to meet and maintain PCI compliance.
The process of PCI DSS assessments, no matter the overarching methodology by the audit team or a third-party Qualified Security Assessor (QSA), is performed by following three separate activities for most of the controls. This is surprising to many clients who are not used to the rigor of PCI validation activities. The level of detail, along with the volume of information, can be difficult for many organizations to document and provide to their internal audit team, Internal Security Assessor, or PCI QSA.
The three primary activities used in the PCI assessment are:
- Documentation Review
- Interview Response
- Configuration Review
Most PCI controls will require that the assessed entity, or the entity that is self-assessing, perform all of the activities listed above. Some controls will only require one or two of these compliance steps, but most require all three to verify whether a control is in place or not. These three activities should all reconcile to the same response.
For example, the Testing Procedures for PCI Requirement 3.1 in the PCI DSS call for all three activities. The testing procedure for Requirement 3.1.a requires that the data retention and disposal policies and procedures be examined (reviewed). Requirement 3.1.b requires that appropriate personnel be interviewed, and Requirement 3.1.c requires that a sample of systems be selected and their configurations examined.
Policies, procedures and supporting documentation are the foundation of all governance, risk, and compliance programs.
Interviews with employees should support the policies and procedures used by the assessed entity. While employees may not be able to recite policies and procedures verbatim, they should be able to find the applicable policy and procedures in use for guidance. Observing the employees performing their compliance-related tasks should reflect the guidance in the policy and procedures documentation.
The sample of system component configurations will further confirm whether the organization is compliant with the PCI DSS and with its own internal policies and procedures. The system configuration should reflect what has been stated in the interviews with employees as well as in the policy and procedures documents.
If these three items do not reconcile for a PCI DSS control, the organization must then determine the root cause of the discrepancy. The remediation for a non-compliant item may be quick, but the root cause analysis may reveal a flaw in the security program. For example, if a policy or procedure is appropriately written, but the interview does not reconcile with the policy and the system configuration is non-compliant, the root cause may be a lack of training in the organization.
Depending on the control, an organization may be non-compliant if the interviewee cannot demonstrate competence for the appropriate control(s).
Requirement 2.2.4 requires that the system administrators be interviewed to verify that they have knowledge of common security parameters. While this control also requires that the configuration standards and system components be examined and inspected, it is a distinct requirement that the interviewees be knowledgeable about security parameters. If the employees interviewed cannot demonstrate knowledge of common security parameters, the entity would not be in compliance with the Testing Procedure for 2.2.4.a.
The PCI DSS uses a combination of these three items for many of the testing procedures: documentation review, interview response and configuration review. A fourth activity, observation of a process or activity, is also used. Observations are required frequently in the PCI DSS and are used to supplement either the configuration review or the interview response.
Organizations of all sizes must be prepared to demonstrate these activities for their PCI DSS compliance assessments.
It is important that staff be informed by their internal audit team or their external QSA about these testing activities and how they will be performed. Employees should be prepared for this level of effort when demonstrating compliance controls to improve the timeliness and accuracy of the compliance assessment.
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT at large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.