

This is Part 3 in a 4-part series exploring how to ensure readiness for a PCI assessment, and how to avoid issues that can cause delays and additional costs.

In Part 1, we discussed:

  • The need for upper-management commitment
  • Definitions of Merchants and Service Providers
  • Who might be asking for proof of PCI compliance
  • Determination of Merchant or Service Provider level
  • Available PCI compliance validation options

In Part 2, we discussed:

  • Business Organization
  • How cardholder data (CHD) is handled
  • Scope of the PCI assessment

In Part 3, we discuss time and personnel considerations.

Am I Allowing Enough Time For My Assessment?

Organizations, especially those performing a first-time assessment, frequently do not allow enough time to understand their PCI compliance responsibilities thoroughly, or to complete all of the assessment activities.

The reality is that obtaining PCI compliance can be a complex undertaking. We have not yet begun discussing the actual activities involved in validating compliance, and the previous articles have already shown that a significant time investment is required just to understand the environment, organization, and scope.

Availability of personnel resources is usually limited. Often, the same personnel that handle day-to-day operations are responsible for attending interviews, obtaining or creating evidence, and performing remediation activities throughout the engagement. An average Report on Compliance (ROC) takes anywhere from four to eight weeks, and some self-assessments may take an equal amount of time. Careful consideration and planning before the engagement begins are critical.

Have I Considered Personnel Responsibilities?

Without good organization, things can fall through the cracks during an assessment. It’s important that these responsibilities are understood from the outset. A number of different areas of responsibility exist:

  • Scoping/overall responsibility

    Service Providers are required to define a PCI Charter for their PCI DSS compliance program. The charter must include executive management's assignment of overall responsibility for maintaining PCI DSS compliance, and must describe how the PCI DSS compliance program is organized and communicated to executive management.

    For larger Merchant organizations, a PCI Charter of this sort may also be a good idea, or it may make sense to create an oversight committee. Dedicated compliance personnel who are already familiar with other regulatory compliance efforts may also be enlisted.

    For smaller organizations, overall PCI compliance responsibility ultimately resides with executive management.

    For all organizations, as discussed in previous articles, it is extremely important to communicate the importance of PCI compliance throughout the organization.
  • Interacting with business units/requesting evidence

    Ideally, compliance personnel dedicated to PCI would occupy this role. Lacking that, it should be clearly defined who will be scheduling meetings, requesting interviews, and requesting evidence from the business units involved in the assessment. We recommend communicating this to the business units in advance, and that the communication direct the business units to cooperate with requests for interviews and evidence and to respond to those requests in a timely manner.

    Additionally, understand that whoever has this responsibility will put in as much time as the QSA engaged for the assessment, if not more. Including this time in scheduling, workload, and budgeting for the engagement is critical. AppSec Consulting sees too many instances where inadequate availability of this point-of-contact resource leads to delays.
  • Tracking

    There are numerous items to track: meeting and interview scheduling; evidence requested, received, reviewed, and submitted to the QSA; outstanding items still needed to demonstrate compliance with any particular requirement; and the status of remediation activities for items found to be non-compliant.

    A QSA can help with tracking tools. It is also helpful to institute processes separate from the QSA, as a means of providing checks and balances. If commercial GRC (Governance, Risk, and Compliance) tools are available, they may be valuable in this effort. Where they are not available, create spreadsheets that show all the applicable requirements, and their status throughout the assessment.

    Most often, the personnel assigned the interaction and evidence request responsibilities above are responsible for tracking the compliance status.  
  • Interviewing

    Many PCI requirements call for interviews with personnel who have expertise in various areas. In smaller organizations, this may be only a few people. In larger organizations, several people may be needed to cover specific portions of a single area. The converse may also be true: for example, a single IT organization might provide authentication services to multiple business units or applications, so one interview covers all of them. Interviews most often address the documentation and execution of different processes.

    It is helpful to communicate the expected discussion topics to the business units before the interviews, so they have time to consider which personnel should be present. If there are questions regarding the interview topics, discuss them with the QSA before scheduling the interview.
  • Providing and/or creating evidence

    Regardless of the environment, organization, scope, or validation documentation required for any particular assessment, there is evidence that needs to be supplied. Slightly over 50% of PCI requirements are documentation related!

    Most often, the personnel that are interviewed are also asked to provide evidence. Depending on the type of assessment, it can be a lot of evidence. Types of evidence that are requested can include:
    • Documents, including network and data-flow diagrams, process descriptions, configuration standards, relevant industry standards, vendor manuals and patch lists, and documentation covering software development, change management, role definitions, physical security, inventories, vulnerability management, risk management, vendor management, training, incident response, and policies
    • Configuration exports from firewalls, other network devices, servers, workstations, and appliances
    • User lists for all facilities, system components, and applications
    • Logs from samples of system components
    • Change records from infrastructure and applications
    • Screen-shots from ‘shoulder-surfing’ activities where the assessor is required to conduct observations
    • Data captures
    • Exports of production, test, and development databases
    • Vulnerability, risk, and incident activities results
    • HR activities including background checks and user termination lists

    It is important that personnel are aware that they are responsible for obtaining and providing the necessary evidence. In some cases, they may need to create evidence, for example a policy or procedure that does not currently exist. Keep in mind that some evidence, such as database exports and data captures, may itself contain cardholder data; those copies are in scope and must be transmitted and stored with the same protections as any other CHD, and truncated or redacted wherever the requirement does not need the full values.

    Communicate the time allowed for assembling the requested evidence. Document and track the status of each request, and report the status to those responsible for overall compliance. Promptly escalate delayed evidence requests to ensure that they receive appropriate priority, and to avoid additional costs.

    Most often, the personnel that must obtain or create this evidence are also responsible for parts of the day-to-day operations of the organization. Sufficient time and planning should be given to ensure that no delays are encountered.
  • Reviewing evidence

    You might think this is easy: the QSA is the one that reviews the evidence, right? However, we consistently run into situations where the evidence supplied is insufficient and is rejected. A good QSA will provide recommendations for correcting the evidence, but this is an unnecessary cycle of evidence re-submission.

    In fact, even though it is another step in the process, reviewing the evidence internally prior to submission to the QSA is actually more efficient and speeds up the validation process. Ideally, this would be done by personnel that are very familiar with PCI compliance. If no such dedicated personnel exist, a peer review can be conducted. The most important question to consider is whether the supplied evidence provides enough information to satisfy the requirement involved.

    If there are questions about what is required, consult the QSA before requesting the evidence to avoid re-work. 
  • Performing remediation tasks

    Again, it’s very likely that the same personnel asked to sit in interviews, and provide or create evidence, are the ones performing day-to-day operational tasks.

    Communicate the time allowed for completion of remediation activities to the personnel performing them. Document and track the status of each activity, and report the status to those responsible for overall compliance. Promptly escalate any remediation activity that might result in a significant delay to ensure that it receives appropriate priority, and to avoid additional costs.
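As an added example, not part of the original article, the following Python script models the tracking and escalation process described in the Tracking, Providing evidence, and Remediation items above: each evidence request is tied to a requirement and an owner, passes internal review before it goes to the QSA, bounces back to the owner when the QSA rejects it, and is flagged for escalation when it is late or has been rejected repeatedly. The requirement labels, owners, dates, grace period, and rejection threshold are constructed sample values, not taken from any real assessment or tool.

```python
"""Minimal evidence-request tracker for a PCI assessment (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    REQUESTED = "requested"  # asked of the business unit, nothing received yet
    RECEIVED = "received"    # owner delivered something
    REVIEWED = "reviewed"    # internal peer review passed, ready for the QSA
    SUBMITTED = "submitted"  # handed to the QSA
    REJECTED = "rejected"    # QSA (or internal review) found it insufficient
    ACCEPTED = "accepted"    # QSA accepted it for the requirement


# Statuses in which the business unit still owes something.
OPEN_WITH_OWNER = {Status.REQUESTED, Status.REJECTED}


@dataclass
class EvidenceRequest:
    requirement: str          # sample requirement label, e.g. "12.4.1"
    description: str
    owner: str
    requested_on: date
    due: date
    status: Status = Status.REQUESTED
    rejections: int = 0       # how many times it has bounced back
    history: list[tuple[date, Status]] = field(default_factory=list)

    def transition(self, new_status: Status, on: date) -> None:
        if new_status is Status.REJECTED:
            self.rejections += 1
            # A rejection re-opens the request; give the owner a fresh (assumed) 5-day window.
            self.due = on + timedelta(days=5)
        self.status = new_status
        self.history.append((on, new_status))


def overdue(requests, today: date):
    """Requests still owed by an owner and past their due date."""
    return [r for r in requests if r.status in OPEN_WITH_OWNER and r.due < today]


def needs_escalation(requests, today: date, grace_days: int = 3, max_rejections: int = 1):
    """Requests to raise with whoever holds overall compliance responsibility:
    more than grace_days late, or bounced back by the QSA more than max_rejections times."""
    flagged = []
    for r in requests:
        late_by = (today - r.due).days if r.status in OPEN_WITH_OWNER else 0
        if late_by > grace_days or r.rejections > max_rejections:
            flagged.append(r)
    return flagged


def status_by_requirement(requests):
    """Per requirement: 'complete' only when every request for it has been accepted."""
    grouped: dict[str, list[Status]] = {}
    for r in requests:
        grouped.setdefault(r.requirement, []).append(r.status)
    return {req: ("complete" if all(s is Status.ACCEPTED for s in statuses) else "open")
            for req, statuses in grouped.items()}


SAMPLE_TODAY = date(2016, 3, 17)  # constructed "as of" date for the sample


def sample_requests():
    """Constructed sample data, not from any real assessment."""
    d = date(2016, 3, 1)
    fw = EvidenceRequest("1.1", "Firewall config export, perimeter pair", "netops", d, d + timedelta(days=7))
    fw.transition(Status.RECEIVED, d + timedelta(days=5))
    fw.transition(Status.REVIEWED, d + timedelta(days=6))
    fw.transition(Status.SUBMITTED, d + timedelta(days=6))
    fw.transition(Status.ACCEPTED, d + timedelta(days=10))

    charter = EvidenceRequest("12.4.1", "PCI charter signed by executive management", "compliance", d, d + timedelta(days=7))
    charter.transition(Status.RECEIVED, d + timedelta(days=4))
    charter.transition(Status.SUBMITTED, d + timedelta(days=4))  # skipped internal review
    charter.transition(Status.REJECTED, d + timedelta(days=8))   # QSA: accountability not assigned
    charter.transition(Status.RECEIVED, d + timedelta(days=12))
    charter.transition(Status.SUBMITTED, d + timedelta(days=12))
    charter.transition(Status.REJECTED, d + timedelta(days=15))  # rejected a second time

    users = EvidenceRequest("8.1", "User list for the CDE domain", "winadmins", d, d + timedelta(days=7))
    return [fw, charter, users]


def demo(today: date = SAMPLE_TODAY):
    """Run the tracker over the sample data and return the three views a coordinator reports."""
    reqs = sample_requests()
    return {
        "by_requirement": status_by_requirement(reqs),
        "overdue": [r.requirement for r in overdue(reqs, today)],
        "escalate": [r.requirement for r in needs_escalation(reqs, today)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two escalation triggers are deliberately separate: the user-list request is escalated purely for lateness, while the charter is not late at all (each rejection reset its due date) but is escalated because it has been rejected twice, which is the re-submission cycle that an internal review before submission is meant to prevent.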

How Can AppSec Consulting Help?

Our Qualified Security Assessors (QSAs) leverage AppSec Consulting's proven methodologies. Their many years of security, IT, development, and PCI auditing experience ensure that whatever your goals, the outcome is exactly what you need and makes strategic sense for your business. Whether you have been asked by your bank "to comply with PCI", are preparing for your first validation with a Report on Compliance (ROC), are gearing up for annual re-validation, or would just like to know what the PCI DSS means to your business, our team of experts is there to help.

More information can be found at, or call us at 408-224-1110

Chip Ross

Chip came up through the ranks of Information Technology, beginning as a contract Desktop Field Engineer in 1997. His career evolution included leading the Desktop Operations team at Northwest Airlines, including day-to-day work direction for a team of 14 packagers and maintaining communication with upper management regarding desktop operations. In 2006, he transitioned to Information Security and delivered compliant merchant RoCs for 2007 – 2010, including the year of the Northwest/Delta merger.

Chip moved to Carlson in 2010 and continued delivering compliant Service Provider and Merchant RoCs from 2010 – 2012 as a Carlson-sponsored ISA. During that time, Chip also conducted many assessments at Carlson hotel and restaurant franchisees, providing on-the-ground guidance to the smaller merchants that make up a large portion of Carlson’s organization. Chip joined United Health Group as a sponsored ISA in early 2013, to provide guidance, tracking and reporting on the PCI efforts for the various teams and business units there.

Drawing on his experience leading, participating in, tracking, and reporting on many remediation projects, Chip helps clients achieve their compliance goals through scope reduction, process improvement, and strategic technology integration. Chip's broad background and extensive PCI experience with large corporations enable him to be comfortable working with client personnel anywhere from the data center to the board room, ensuring that AppSec Consulting's clients receive thorough, top-quality consultation and assistance.
