6 Ways to Deal with the Magnitude of PCI DSS
Posted by David Gamey on 19 Jul 2021.
Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the proverbial elephant. PCI DSS has been around for 15+ years and over that time it’s evolved, matured, and grown. It applies to all ‘entities’ that store, process, or transmit cardholder data. It will be familiar to large merchants, payment processors, acquiring banks, and organizations providing third-party services. Still, there are lots of organizations and people to whom the DSS may be new. If you’re amongst them, your first impressions of the standard may be that it’s large, cumbersome, not a fit for your business, and may prove impossible to implement. In short, you’re very likely to be overwhelmed and think the regulators are trampling your picnic.
The first thing you need to realize is that you are contractually bound to be compliant and you likely have been for years. All PCI card brands (American Express, Discover, JCB, MasterCard, and Visa) have long had contract language that requires you to conform to their rules or operating regulations, which include being PCI DSS compliant at all times. So if you are non-compliant you’re technically in breach of contract. The second thing to realize is that validation of compliance has nothing to do with the requirement to be compliant. Just because you haven’t been asked to demonstrate compliance doesn’t mean you get a free pass.
Who gets asked to validate compliance is up to the individual card brands, which consider factors like numbers of cards handled, risk, type of business, etc. The brands tend to focus more on volumes of cards rather than transaction values because they are concerned about fraud committed using stolen accounts. Also, not everyone gets asked to validate the same way. There are self-assessment approaches for small merchants and entities. There are also rigorous third-party “onsite” assessments for larger ones and companies providing services to many entities. There are even special “forensic audits” for organizations unfortunate enough to have experienced a breach. Any organization can be asked for formal validation at the discretion of the card brands. The brands will work with organizations that fall short; however, they require remediation plans with measurable progress. Yes, it may be a difficult journey but it isn’t impossible.
The overwhelming sticker shock part of PCI happens when you transition from no assessment or self-assessing to full “onsite” assessments. It can also happen if you start to take PCI very seriously and dig into those questions you’ve been checking off as in-place.
So if any of this feels familiar, sit, take a breath, and review these strategies.
1. Make sure you have senior management support
The road to PCI compliance is often long and bumpy. You’ll need supportive and understanding management to get there and stay there. PCI isn’t an IT or audit problem; if management simply asks IT to protect what you do today, you may not like the bill. The most effective approaches will require you to consider changes to business processes.
2. Find and document your scope
PCI DSS is all about scope. The single most important thing you need to be absolutely certain of is your scope. Getting this wrong means that you are either wasting resources measuring compliance on things you don’t need to, or you have overlooked your responsibilities and may be headed for a failing assessment or a breach. You will need to look not only at IT but at your business processes as well: where and how you receive cardholder data, how it flows through your organization, what technologies it touches, what third parties you share the data with, and how all of this is supported and secured. You will need to follow the data flows from the time the data leaves the cardholder to when it leaves your organization, understand the demarcations of when it becomes your responsibility, understand the types of technologies involved and what compliance implications these have. Make sure you look not only at regular processes but consider special cases and circumstances, temporary or infrequent use cases, etc. And if you aren’t already familiar with PCI and payment terminology, you will need to review it, as many of the terms may seem arcane and have nuances that can have significant implications.
3. Determine your applicable requirements (i.e. footprints)
Once you’ve determined who and what is in scope, it’s time to figure out which requirements apply to which components, in which flows, and how all these interact with each other. This is sometimes referred to as determining your “applicability” or your “compliance footprint”. One key to understanding this is that not every PCI requirement applies in all scenarios. A requirement that doesn’t apply can be validated as N/A provided that answer can be justified. Examples of reduced footprints are described below. The easiest place to see these footprints is to look at the variety of current Self-Assessment Questionnaire (SAQ) documents tailored to common scenarios.
- Entities that don’t store full cardholder data (PAN) can avoid encryption key management for stored cards or logging of card access
- Entities where staff can’t read stored data can avoid password requirements for staff such as cashiers that only see cards one at a time as they are presented for payment. System administrators and security staff still need these controls.
- Stand-alone payment terminals with PTS approvals can avoid many of the controls that normally apply to servers and POS systems that see the card data.
- P2PE (Point-to-Point Encryption) approved solutions avoid the vast majority of PCI’s requirements.
- Some acquirers support payment terminal solutions with smaller footprints such as unlisted P2PE (sometimes called End-to-End Encryption or E2EE), as well as certain semi-integrated and stand-alone solutions.
- Ecommerce shopping carts that redirect or use IFRAMEs to send card data to a compliant third party can also avoid a large number of requirements.
- Outsourcing payment operations to a compliant provider reduces the requirements to a handful intended to establish and maintain due diligence.
4. Find and exploit ways to simplify your compliance through de-scoping and reducing applicability
Just because you have been doing things a certain way doesn’t mean it’s the best way. Many organizations have operational practices that are historical and haven’t been revisited in years. Worse, they may be based on information that either has become or was always incorrect. Re-examining these with business units can identify opportunities for simplification and savings. For example:
- Storage of cardholder data may not be a business requirement. Not storing data can reduce your footprint. Alternatives such as outsourcing storage, using P2PE terminals, and tokenization can be used to avoid the costs and implications of storing and encrypting card data.
- Different e-commerce scenarios have different footprints. Very small footprints can be achieved with redirection or IFRAME designs. If you’re using an API-based design that receives card data, or direct-post forms, there is potential for great simplification and savings.
- Segment large networks to contain your control environment and costs. Many organizations have large connected networks. Without isolation controls, a few systems that process card data can drag the entire network into scope. Controls become mandated across it, making risk-based decisions more complex and increasing the likelihood of initial and ongoing compliance challenges.
- Going old school. Some newer technologies are more complex to make compliant than some traditional methods. For low volume and outlier processes, low tech may be a better bet. Examples include: analog telephones & fax, and physical storage of paper records.
You will need to engage with a variety of groups within the business and get them to look at the alternatives. You may also need to overcome some tightly held objections. It isn’t uncommon for some of these objections to be based on misconceptions: accounting teams that believe the banks require you to store the full card, e-commerce teams that believe they can’t control the user experience using IFRAMEs, etc. Use these opportunities to develop remediation strategies.
5. Identify gaps, establish and follow a roadmap
Use your footprints to perform a gap assessment. Prioritize high-risk areas and making ongoing operations compliant. Circle back and clean up legacy data and similar issues. Use scope reduction strategies to simplify remediation and ongoing compliance efforts. Set attainable and measurable goals. Then implement your controls.
Don’t forget complex or tricky issues even if they are low risk. If anything, they become more awkward to deal with the closer you get to being compliant. If you need help, get informed outside advice, such as from a QSA.
6. Monitor changes to the business, your scope, and your compliance
Whether you are getting compliant or staying that way, you need to monitor yourself to stay on course. Not only are there many challenges that can get in the way of attaining compliance, it’s surprisingly easy to fall out of compliance. Things you should be looking at:
- Are you making progress against the roadmap?
- Have all design and implementation changes in new or existing systems been considered for their impact on PCI compliance?
- Are new business or technology initiatives staying compliant? For example, your VoIP upgrade may promise productivity improvements and massive cost savings, but did you consider how much you will have to pay back in compliance costs for a handful of transactions a day?
- Are you keeping up with the evolution of the standard? PCI DSS moves slowly, but it does move. And when it does, some of the changes are significant. Even allowing for transition and phase-in periods, new requirements force adjustments. If you’re not keeping an eye out, you could end up getting blindsided.
PCI DSS can be big and complicated with many moving parts, but it is essentially an open book exam. The key to success is properly preparing for it, knowing your environment, being able to explain yourself, showing what you’ve accomplished, and keeping records to prove you’ve been doing it right all along.