As a Qualified Security Assessor (QSA) who has worked with many large organizations, I always recommend reviewing the Information Supplement Guide for Large Organizations as provided by the Payment Card Industry Security Standards Council (PCI SSC). The information supplement for large organizations came out early in 2020 and was created by the Large Organizations Special Interest Group.
The large organization supplement approaches PCI DSS compliance from the viewpoint of a large firm, but the authors state that any organization can use the information found in it.
Roles, Responsibilities, and Ownership of PCI DSS Functions
Large organizations typically have a large number of people on staff. The information supplement breaks down the common roles and teams seen in a PCI DSS compliance program, from the executive sponsor at the top to the individual staff who act as subject matter experts. Determine who can own or speak to each requirement in the PCI DSS and document it in a tracking spreadsheet. Note that the owner and the subject matter expert are not necessarily the same person; the owner does not have to know everything about the payment channel. The information supplement suggests using a RACI (Responsible, Accountable, Consulted, Informed) matrix to determine ownership, roles, and responsibilities.
The PCI DSS has an introductory section at the beginning of the standard that goes into detail on business-as-usual processes. What this refers to is making PCI DSS compliance a business-as-usual process rather than a point-in-time initiative. A large corporation should chart a path that integrates compliance into all internal processes and moves away from the ramp-up/assessment/stand-down posture, which is expensive in the long run because internal teams are pulled off their regular work to get systems ready for the assessment. I have seen this work in very large organizations when teamed with standardization. Using both techniques, the large firm can then build resource plans that better utilize teams for enhanced efficiency.
Mergers and Acquisitions
The information supplement includes this section because large corporations are typically built through mergers and acquisitions. It suggests performing due diligence prior to the purchase to fully understand what the combined organization will look like from a PCI DSS perspective. For instance, if one retail firm buys another retail firm, the Merchant IDs (MIDs) of the company being bought come along with it. Do you change the MID in the payment terminals, or do you keep the old one? These are decisions that need to be made and acted upon. Are the systems the same? What is the PCI DSS compliance status of the company being bought? It is better to know in advance that you are going to have to spend money remediating a non-compliant firm than to discover it through a non-compliant Report on Compliance (RoC) during the assessment process.
Managing Acquirers and Payment Channels
As a follow-on to mergers and acquisitions, large firms usually have multiple payment channels, possibly multiple acquirers, and probably multiple third-party service providers. The information supplement makes some good suggestions on how to manage compliance agreements and the necessary reporting when there are multiple channels. Where a large firm has a hybrid compliance posture, with multiple RoCs, the coordination of multiple assessments will be necessary. Working with the acquirer on what they expect is a key success factor. From experience, my suggestion is that you strive for simplicity, and get to one "standard" way no matter whether it came from the other firm or your firm. Having multiple systems that perform the same function means more resources are used to support the environment, and that means the benefits of merging are not realized.
Education and Awareness
Determining the best way to train your employees in a large organization can be a herculean task depending on the number of employees you have. The information supplement has some suggestions related to tailoring the training to the job function, which can help narrow the content and methods of delivery, but ultimately, you need to be able to track who has been given the training and nag those who have not. All of my large clients have a large number of employees, so they have some form of learning management system that makes the employee aware that they need training, delivers the content, and captures the completion along with annual policy acknowledgement for requirement 12.6. It simply will not work using manual methods for training compliance in a large firm. The sheer number of resources burned in pursuit of the process will more than justify a tool purchase. But, if you only have a small number of employees, you may be able to track training through simple means like a spreadsheet. Another thing to look at is what your other outside regulatory bodies require for training evidence; that could drive the way you deliver content too.
Systems Management to Maintain PCI DSS Compliance
In my opinion, this hits the heart of the issues that a large firm would experience. With a large company comes the difficulty of managing many diverse hardware and software products. The information supplement breaks this down into asset management, systems hardening, access control, vulnerability assessment, and patch management.
Scope is what you live and die by in PCI DSS and in other regulatory compliance. When you get above a critical threshold of systems, managing the inventory can turn into a full-time job. The problem is exacerbated if you have a very active development shop that is making changes constantly. What I see in practice is that firms know their PCI DSS in-scope assets very well because they are manually tracking them in a spreadsheet, but their not-in-scope systems are tracked via asset tags that fall under a different team in the firm. Being a firm believer in "do it once," I feel that large firms should extend their asset tracking systems to incorporate the ability to track in-scope assets. Whatever additional detail PCI DSS, or any other compliance effort, needs (for example a scope flag and a requirement owner) can live on the same asset record, because, let us face it, all the asset tracking needs are similar.
The information supplement discusses methods to ensure systems hardening is applied and monitored, no matter what the underlying asset is. In practice, I see that this is where standardization is your lifesaver. With one-off systems come additional resources to manage each system. Firms with dozens of different systems, which evolved over time, must keep up with each one to make sure it is compliant with the build standards, which takes resources. In a way, I have seen this as a side benefit of migration to cloud providers, because you can typically only pick a small/medium/large system off the list, which keeps the uniqueness down and helps standardize environments.
Access control is one function that most large corporations standardized long ago, typically on Active Directory, and many have extended it to non-Windows environments too. The information supplement suggests creating a separate domain for the CDE, which is a smart idea, but you need to be careful about your trust relationships to protect yourself from an insider threat, and to make sure you keep your development/test world separated from your production world. A trust that lets accounts from the general corporate domain authenticate into the CDE domain undermines the separation you just built, so keep any trust one-way at most, and review who can administer both sides of it.
Knowing which assets to test as part of your vulnerability assessment program is another benefit of a strong asset inventory system. The information supplement suggests integrating the asset management system with the vulnerability scanning system to automate discovery and testing, but in practice I have not seen that happen yet. As our industry-wide maturity improves with time, I suspect we will be driven to that kind of integration simply as a product of becoming more efficient. For those of you who have integrated the asset tracking system with your vulnerability management scanning, congratulations, you are ahead of the curve.
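To make that integration concrete, here is an added example (not code from the supplement or from the author): a small Python reconciliation of an asset inventory, extended with a pci_scope column as described earlier, against a vulnerability scanner's host export. It produces the list of in-scope hosts the scanner must cover, flags in-scope assets that have never been scanned or were last scanned outside a 90-day window (an assumed threshold chosen to match the quarterly scan cadence of Requirement 11.2), and flags scanned hosts that are missing from the inventory, which are the unknown assets that scope reviews tend to miss. The inventory rows, scanner rows, column names, scope categories and dates are all constructed for the example.

```python
"""Reconcile a PCI scope-aware asset inventory against a scanner host export.

Added example: the inventory, scanner export and column names are constructed
assumptions, not data or formats from any real tracker or scanner.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample inventory: the corporate asset tracker with a pci_scope
# column added (CDE / connected / out) so one record serves both teams.
INVENTORY_CSV = """asset_tag,hostname,ip,pci_scope,owner
A1001,pos-app-01,10.10.1.10,CDE,payments-team
A1002,pos-db-01,10.10.1.20,CDE,dba-team
A1003,jump-01,10.10.2.5,connected,infra-team
A1004,wiki-01,10.20.0.7,out,it-team
A1005,pos-app-02,10.10.1.11,CDE,payments-team
"""

# Constructed sample scanner export: one row per host with the date of its
# most recent completed scan (ISO 8601).
SCAN_EXPORT = [
    {"ip": "10.10.1.10", "last_scanned": "2020-06-15"},
    {"ip": "10.10.1.20", "last_scanned": "2020-02-01"},
    {"ip": "10.10.2.5", "last_scanned": "2020-06-20"},
    {"ip": "10.20.0.7", "last_scanned": "2020-06-01"},
    {"ip": "10.10.9.99", "last_scanned": "2020-06-10"},
]

# Scope categories whose hosts must be covered by vulnerability scanning.
IN_SCOPE_CATEGORIES = {"cde", "connected"}


@dataclass
class Asset:
    tag: str
    hostname: str
    ip: str
    scope: str
    owner: str

    @property
    def in_scope(self) -> bool:
        return self.scope.strip().lower() in IN_SCOPE_CATEGORIES


@dataclass
class Reconciliation:
    scan_targets: List[str] = field(default_factory=list)   # IPs the scanner must cover
    never_scanned: List[str] = field(default_factory=list)  # in-scope tags with no scan record
    stale: List[str] = field(default_factory=list)          # in-scope tags scanned too long ago
    unknown_hosts: List[str] = field(default_factory=list)  # scanned IPs absent from inventory


def load_inventory(csv_text: str) -> Dict[str, Asset]:
    """Parse the inventory CSV into a dict keyed by IP, rejecting duplicate IPs."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset = Asset(row["asset_tag"], row["hostname"], row["ip"],
                      row["pci_scope"], row["owner"])
        if asset.ip in assets:
            raise ValueError(f"duplicate IP in inventory: {asset.ip}")
        assets[asset.ip] = asset
    return assets


def reconcile(assets: Dict[str, Asset], scan_export, today: date,
              max_age_days: int = 90) -> Reconciliation:
    """Compare in-scope inventory against scanner coverage as of `today`."""
    last_seen = {row["ip"]: date.fromisoformat(row["last_scanned"]) for row in scan_export}
    cutoff = today - timedelta(days=max_age_days)
    report = Reconciliation()
    # Iterate in numeric IP order so the target list is stable and readable.
    for ip, asset in sorted(assets.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if not asset.in_scope:
            continue
        report.scan_targets.append(ip)
        scanned = last_seen.get(ip)
        if scanned is None:
            report.never_scanned.append(asset.tag)
        elif scanned < cutoff:
            report.stale.append(asset.tag)
    # Hosts the scanner saw that nobody has inventoried: candidates for scope review.
    report.unknown_hosts = sorted((ip for ip in last_seen if ip not in assets),
                                  key=ipaddress.ip_address)
    return report


def run_example() -> Reconciliation:
    """Run the reconciliation on the constructed data as of an assumed date."""
    return reconcile(load_inventory(INVENTORY_CSV), SCAN_EXPORT, date(2020, 6, 30))


if __name__ == "__main__":
    r = run_example()
    print("scan targets :", r.scan_targets)
    print("never scanned:", r.never_scanned)
    print("stale        :", r.stale)
    print("unknown hosts:", r.unknown_hosts)
```

The scan_targets list is what you would feed back into the scanner as its target group, so the scanner's coverage is derived from the inventory rather than maintained by hand; the never_scanned and stale lists are the evidence gaps an assessor will ask about; and unknown_hosts is the cheap win, because a host the scanner can reach but nobody owns is exactly the kind of asset that silently expands scope.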
I have seen two scenarios in patch management. One is where each individual system is periodically patched by the system administrator on a schedule. The other is where a centralized patch management system keeps up with vendor patches, knows which systems need a given patch, and pushes the patches based on rules that minimize the interruption to production. Which one would you want? Automation is a no-brainer here, but the cost can be a hard pill to swallow. The key take-away is that you may not have much of a choice in a large firm, simply because of the resources required to keep the administrator-driven process in place.
Multiple Audits and Assessment
The information supplement goes into detail on managing and coordinating multiple assessments. There is a balancing act between the large merchant entity and its acquirer over how to structure the assessments across the organization. I have seen firms with as many as 20 RoCs, each one being a compartmentalized piece of the company, and I have seen firms with one seriously big RoC that covers a lot of operations. The breakdown is driven by merchant IDs. The key point is that how you break down the assessments can have a huge impact on your resources. I tell people to treat the assessment like a project that is part of an overarching compliance program. Plan your assessments accordingly, especially your resource requirements, and do not forget to include your acquirer in that decision making. They have expectations that need to be considered, and they will work with you to set up the optimal mix of RoCs and what you can deliver.
Laws, Regulations, and Standards
This portion of the information supplement dives into non-financial regulations and additional standards and frameworks. The information supplement makes a point of the benefits of standardization through adoption of external frameworks such as those from the National Institute of Standards and Technology (NIST), the Information Technology Infrastructure Library (ITIL) or the International Organization for Standardization (ISO), which should be obvious. A key point for a large corporation is that some regulations do not apply to smaller firms. For instance, the California Consumer Privacy Act (CCPA) applies, among other triggers, to businesses with annual gross revenue over $25M. Such regulations will apply to large firms and compete for the internal resources needed to address the compliance activities. As stated above, make these compliance efforts a project and apply project management techniques to them to balance your resources for optimal performance.
I hope I’ve sparked your interest to pull down the large organization information supplement from the PCI SSC website. It is a helpful document that will give you some great ideas to apply in your organization, and can help you plan if you dream big and project your company will be a much larger firm in the future. Look for our next blog entry where I’ll review the small merchant documentation found on the PCI SSC website. Until then, stay safe!
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
Drew Cathey has been a member of the SecureTrust team for five years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.