PCI / CISP Compliance
Most companies will come in contact with an ASV (Approved Scanning Vendor). Intermediary security scans are handled by the ASV. These are the trained individuals/organizations that scan and test for holes in your network from the outside, as we understand it. Audits, on the other hand, are conducted by a QSA (Qualified Security Assessor). QSAs are trained organizations that conduct assessments and audits, typically on behalf of the acquiring banks, such as Mercury, Heartland, Paymentech, and Chase. For Level 1 providers, QSAs are part of the typical security assessments. The lower tier, Level 4 (under the Visa definition), will rarely see a QSA unless one is hired or brought in as part of an assessment or audit. Level 4 merchants may only require an SAQ and a quarterly scan/monitoring (as mentioned above, handled by the ASV).

Don’t let that fool you: it simply means you don’t know when, or if, you’ll get an audit. The fines apply in the same manner to merchants that are not compliant, or, as some would like to suggest, “compliant-leaning”. We would suggest you move as far toward compliance as you can afford to implement, in monetary terms and in manpower and procedure. The SAQ (Self-Assessment Questionnaire) basically asks, in a more detailed manner, what you’ve done to protect cardholder data. If you are not protecting this data, fines start at $50,000, as we understand. It is questionable whether playing Russian roulette in this manner is worthwhile.

Suggested path (Broad)
1. Upgrade to a router that allows for content filtering, logging, segmentation of the network, and VPN tunneling/SSL encryption.
2. Implement a two-factor or strong authentication solution for your site as a “must”, thus no longer allowing open ports on your router(s). Several companies offer these and prove the point that security is not convenient.
3. Separate the wireless and public networks from the Point of Sale network.
4. Delete (manually or automatically) all logs associated with the storing of credit card information, especially if it is unencrypted. Set the number of days to hold at zero if you can continue to operate in this manner, or at a very small number acceptable to your business.
5. Become aware of and responsible for your physical equipment, the activity of your staff, and the physical assets carrying cardholder information (such as signed credit card receipts). While some stores may not have Internet access, the responsibility for physical security of servers and tamper-free input devices (terminals) still applies. Employees with access should be cleared to a level at which you can validate their access to these records. Signed physical receipts must be kept in secure areas. The small steps you take to protect cardholder data will save you money in the long run.
6. Establish an Internet security policy. A good starting point: http://www.sans.edu/resources/student_projects/200711_004.pdf. And, if you haven’t done it already, implement a content-filtering mechanism to enforce your policy. Protect your mission-critical Point of Sale application from spyware, viruses, and other malware, which could compromise the data and/or make your application inoperable, both of which are risks to avoid.
1. Look to your Information Technology (I.T.) professionals to assist you in getting to everyone’s goal, “Protecting Cardholder Data”. Sotapop Consulting and other I.T. professionals can help you with this project, as needed.
   a. We have at least one solution that we are testing in the area of remote monitoring and remote access.
   b. We are seeking clients who would like to test out this and other solutions.
   c. We also can provide assistance and advising in your implementation phase and planning process.
   d. In case you are audited, we can be available to assist with the auditors, on your behalf.
   e. SAQ information is something that we can assist you in completing.
   f. An Internet Security Policy, similar to a handbook, is something that we can assist you with.
   g. Since we are a reseller of computer products, we can sell you the necessary routers/firewalls and token solutions that will help you down the road towards compliance.
2. Work with your merchant processing bank to determine if they have any programs or resources to assist you in moving your organization towards compliance.
3. Upgrade your Point of Sale/credit card application, especially if it does not encrypt cardholder data.
4. Plan to automatically or manually delete cardholder personal account numbers from your system. From the PCI perspective, Personal Account Numbers (PANs) do not need to be stored on your servers for any reason, according to the Payment Card Industry.
5. Find a suitable scanning vendor (ASV) which can provide the required quarterly scans.
6. Fill out the Self-Assessment Questionnaire (SAQ) and get familiar with its contents. You will be responsible for filling this out quarterly. Again, your I.T. professionals will be able to assist with this.
7. Begin implementation of as many items as you can with the help of those in your organization and the resources you may have. Make sure to take into consideration not just the cost, but the sustainability of your implementation. Some ideas are great, but take care to understand that this process will need maintenance, not just one-time setup.
8. The penalties, as defined in this document, are significant; however, some of the implementation steps may also be cost-prohibitive to your business. Be reasonable and do as much as you can, taking into consideration the health of your business as well.
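Step 4 of the suggested path (purge logs that hold card data, with a retention window of zero or a few days) and step 4 of the list above (delete PANs from your system) are the two items a small shop can actually automate. The script below is an added example, written for this page and not code from the original page or from Sotapop Consulting. It assumes plain-text application logs in a directory named on the command line; the log lines, file names and card numbers it uses are constructed test data, and the PANs are the well-known test numbers, not real cards. It masks every Luhn-valid 13-19 digit run down to its last four digits and then deletes log files older than the retention window, so a stray PAN in a log is neutralized even before the file ages out.

```python
"""Redact card numbers (PANs) from application logs and enforce a retention window.

Added example for this page (not Sotapop Consulting's code). Assumes plain-text
log files under one directory; all sample data below is constructed.
"""
import os
import re
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (so a 20-digit serial is not partially matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out random digit runs such as order ids or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line; returns (new_line, number_masked)."""
    count = 0

    def _sub(m: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave the text alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), count


def redact_file(path: Path) -> int:
    """Rewrite one log file in place with PANs masked; returns how many were masked."""
    total = 0
    out = []
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True):
        new_line, n = redact_line(line)
        out.append(new_line)
        total += n
    path.write_text("".join(out), encoding="utf-8")
    return total


def enforce_retention(log_dir: Path, keep_days: int, now: Optional[float] = None) -> List[str]:
    """Delete *.log files older than keep_days (0 = delete everything); returns names removed."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for p in sorted(log_dir.glob("*.log")):
        if p.stat().st_mtime <= cutoff:
            p.unlink()
            removed.append(p.name)
    return removed


def demo() -> Dict[str, object]:
    """Run both steps over constructed sample logs in a temp dir and report the outcome."""
    base = Path(tempfile.mkdtemp())
    now = time.time()
    samples = {  # constructed lines; 4111... and 5555... are standard test PANs
        "pos-old.log": "2008-01-01 txn approved card=4111111111111111 order=1234567890123456\n",
        "pos-new.log": "2008-01-30 txn approved card=5555 5555 5555 4444 amt=19.99\n",
    }
    for name, text in samples.items():
        (base / name).write_text(text, encoding="utf-8")
    redacted = {name: redact_file(base / name) for name in samples}
    # constructed ages: one file 45 days old, one written today (set after redaction
    # because rewriting the file resets its mtime)
    os.utime(base / "pos-old.log", (now - 45 * 86400, now - 45 * 86400))
    os.utime(base / "pos-new.log", (now, now))
    removed = enforce_retention(base, keep_days=30, now=now)
    remaining = (base / "pos-new.log").read_text(encoding="utf-8")
    return {"redacted": redacted, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    if len(sys.argv) == 3:       # usage: python pan_scrub.py LOGDIR KEEP_DAYS
        d, keep = Path(sys.argv[1]), int(sys.argv[2])
        for f in d.glob("*.log"):
            print(f"{f.name}: masked {redact_file(f)} PAN(s)")
        print("removed:", enforce_retention(d, keep))
    else:
        print(demo())
```

The Luhn check is what keeps this from mangling order numbers and timestamps: a 16-digit order id that fails mod-10 is left untouched, while a valid card number is reduced to its last four digits, which is the portion PCI allows to be displayed. Run it from a scheduled task after the day's logs close, and treat the `keep_days` value as the "number of days to hold" the page tells you to drive toward zero.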