Hooray! You’re PCI compliant! You even have a certificate to prove it. So now it’s all over right? Not quite. Even after all the sweat and tears you probably went through on this journey, I’m afraid you can’t rest on your laurels. On-site audits and self-assessments will be due soon enough and you can’t wait until the last week to make sure everything’s in place. If the last-minute approach is your attitude, then chances are you’ll fail.
PCI DSS is not an easy task and, as with the initial certification, the on-going duties are often underestimated. They key to the success of maintaining all the controls is your attitude: PCI is not a one-off box-ticking operation and every company must find the right way to integrate the PCI obligations into their business and operational procedures.
A month ago the PCI council released a new standard that includes best practices for maintaining PCI compliance. It’s not written in very easy-to-understand language, so I’m going to translate it for you, plus add some neat tips and tricks along the way. So, are you sitting comfortably?
Create a PCI DSS Steering Group
At first this might seem unnecessary, but this is the best way to set an on-going business and operational programme. How else will you formally assign roles and responsibilities to designated employees?
Depending on the structure of each organisation, the group typically consists of: a representative of the Senior Management, your Information Security/Compliance Officer, the Lead System Administrator, the Lead Network Engineer, the Lead Software Developer and your Human Resource Manager.
If you are a smaller company, the more senior employees (such as a Senior System Administrator) will probably have multiple responsibilities, or the PCI DSS Steering Group can be integrated in to your existing Information Security Steering Group.
The group will meet once per month and discuss:
- Any security incidents and compliance violations.
- Risk assessment and treatment progress. Risk assessments should be based on facts, not opinions, and performed on an on-going basis, not just once per year.
- Any changes to your scope, be they minor or significant. Any changes to your CDE must be properly documented and approved before being deployed, and everyone must be aware of them.
The Steering Group should create a yearly Compliance Plan and schedule the procedures that must be done daily, monthly, quarterly, six-monthly1 and annually, and record the employees that are responsible for each function. Let’s go through them now.
Daily procedures should include…
A review of all logs and file integrity monitoring activities from your
in-scope systems. Investigate and take actions if any anomalies are detected.
As minimum the following are required:
- Modifications on user/admin account settings.
- Successful or unsuccessful login attempts.
- Modifications to system files/firewall rules.
- Actions taken by IT/Network administrators – such as updates, deploying source code etc.
- Users/Admins access audit trails.
- A review of physical security procedures, including:
- Access control logs or a log book for areas containing in-scope systems.
- CCTV footage for areas that have systems which are in-scope.
Logs for the above must be retained for at least a year.
Monthly procedures should include…
Network scans to check for unauthorised wireless access points. Strictly speaking this only needs to be performed every quarter, but why wait three months to identify that you have a rogue wireless access device in your infrastructure? A proactive monthly scan is much more suitable.
Security updates and patches must be performed every month – and of course follow a documented change control management procedure.
Quarterly procedures should include…
Internal and external network vulnerability scans. You must use a vulnerability assessment tool to scan your components at least every three months. Make sure you start this process early in order to give yourself some time to plan and fix any issues that may be identified.
ASV scans. You must scan all of your external-facing servers every three months. Again, make sure that you start early with this process as well. The scan must be conducted by an approved vendor.
A process to remove/disable any inactive accounts and change your password at least every quarter.
Six-monthly procedures should include…
A review of your firewall and router rule sets. This is relatively straight forward, but larger companies should ideally review more often to ensure that any outdated, unnecessary or incorrect rules are removed. Don’t forget to that every change on your firewall must go through change control.
An internal audit. This is not actually a requirement but is strongly recommended because you’re about to have an on-site audit or self-assessment. An internal audit can help you identify and counteract any pitfalls you haven’t noticed before the audit/assessment. We’re all humans afterall, and sometimes we make mistakes.
Annual procedures should include…
Internal and external penetration tests, conducted by an approved penetration testing company. As well as once a year, these must also be undertaken after any significant infrastructure change or application modification, including upgrades.
Key-management reviews. You must check that practices are being followed, with additional reviews when an administrator (or other key holder) leaves the company.
A formal risk-assessment process to identify threats and vulnerabilities. In addition to this, risk assessments must be conducted to reflect any changes within your company, and when a new risk is identified.
Incident response exercises. This one catches a few people out, but is an important part of the PCI DSS standard: make sure that your staff can respond to the various situations described in your risk assessment procedure.
Security awareness training, which must be delivered at least once a year and whenever a new employee starts. It is good practice to have regular security training for all employees, not just those interacting with the CDE.
A review of the written agreement with your service provider that outlines the roles and responsibilities. This is crucial to your own PCI compliance status and covers which requirements are covered by which party and which are of shared responsibility.
A complete information security policy review. This requires employees to acknowledge that they have read and understood your company’s security policies and procedures.
Means to an end
The most important thing is to strike the right balance and fit your on-going compliance needs into your company’s culture. You must be confident enough to change the way you are already working if required: “But that’s the way we’ve always done things” is no excuse for poor security or non-compliance. All this might seem a bit daunting at first, but it just needs some time for people to digest these procedures and for the security ethos to be embedded in the company culture. As time goes on, your efforts will be rewarded by simpler and easier audits and an inherently more controlled and secure environment. And when all is said and done, that’s the most important thing.