Gathering Evidence & Testing Your Controls For PCI DSS

PCI-DSS

It isn’t easy to comply with the Payment Card Industry Data Security Standard (PCI DSS). A Verizon report published in 2017 indicates that 80% of companies fail to adhere to this standard. Similarly, only 29% of companies that successfully undertake PCI DSS compliance assessments will still be compliant one year down the line.

Just like information security in general, PCI DSS compliance isn’t a one-off process. To stay compliant in the long run, your organization needs to be vigilant at all times. You have to keep in mind the fact that compliance is mandatory if your organization wishes to stay in business. Failure to comply can attract heavy and sometimes crippling penalties. Nonetheless, this shouldn’t be a source of worry.

With professional planning and preparation, it’s easy to obtain the much-coveted Attestation of Compliance (AOC) or Report on Compliance (ROC) certifications with relative ease. Before each PCI DSS self-assessment or audit exercise, you should test all controls around your organization’s cardholder data environment (CDE). This way, it will be easy for you to remediate any issues besides collecting evidence that all security policies that you have in place are working as they should.

Here are some strategies that can help you stay in the realm of PCI DSS compliance:

  • Regular testing of security controls and organizational system.
  • On-site annual  assessments and audits
  • Quarterly scanning of your systems by Approved Scan Vendors (ASVs)
  • Proper documentation of your organization’s activities, procedures, and policies that involve the storage, processing, and transmission of cardholder data or credit card information
  • Adequate documentation of your enterprise’s controls and systems testing.

Once the practices as mentioned earlier have been adhered to, you should present the assessment results as well as any other relevant evidence relating to your PCI compliance effort to the Qualified Security Assessor (QSA). Otherwise, your enterprise may face:

  • Huge audit bills since an auditor will have to administer the tests and collect evidence
  • Costly non-compliance fines, especially if you fail your self-assessment or audit. In this case, testing and remediation will undoubtedly increase your chances of getting your validation or Record of Compliance
  • The loss of your organization’s ability to accept and process credit card payments. This can be a crippling blow to your business operations.

Even if you’ve run these tests previously, there’s a need to move them again before each audit. Whatever evidence you provide to prove your PCI DSS compliance needs to be current.

Why is PCI DSS important?

PCI DSS requirements were established by the PCI Security Standards Council (PCI SSC). This is an association that is headed by credit card companies such as Mastercard, Discover, Visa, American Express, and JCB. PCI DSS are security standards, which all service providers and merchants must adhere to before they are allowed to process credit card data.

These requirements aim to secure cardholder and credit card data from breaches. The acquiring banks (financial institutions that handle and process credit card transactions) often demand compliance from merchants as well as entities that provide certain services to the merchants. PCI DSS requirements are quite stringent. Therefore, organizations can only adhere to them if they regularly test the security of their payment systems.

How to Test Controls and Gather Evidence

Generally, the controls that you are required to test must gravitate around the security of your whole payment card transaction network. This includes the point-of-sale system, where and how information is stored, the applications that process payment information, and how sensitive customer and company data is encrypted.

Risk assessment can provide a crucial basis for PCI DSS compliance. Once you assess risks that your organization faces as a whole, it will be easier for you to establish a secure environment for cardholder and credit card data protection. This highlights the significance of ensuring that the assessment mainly addresses credit card data risks. In addition, remediation must be documented.

There are 281 PCI DSS requirements, and they fall under 12 categories. All of them prescribe how you can put in place controls that your organization requires to comply with the PCI DSS framework. On the other hand, the directives address encryption by, for instance, specifying what network segmentation is, and how you should undertake security awareness training.

Segmentation testing also needs to be undertaken. This should be done annually, especially if your organization segments all its CDE from its network. The goal of segmentation testing is to ensure that CDE systems are isolated from those that might be out of scope.

It is advisable that you get help whenever you feel lost in your PCI DSS compliance journey. Staying on track can be tricky since it takes at least two years for big companies and more time for smaller companies. If you are using old-fashioned spreadsheets to track all directives and your compliance, you’re doing it the wrong way.