Kurt Hagerman, Chief Information Security Officer, FireHost -
Businesses and retailers handling cardholder and finance data face a number of compliance challenges, which often include strict and time-consuming data protection regulations. PCI 3.0, the latest version of these regulations, became effective this year, with companies required to meet the new rules by their 2015 audit.
The steps needed to meet the latest PCI requirements may seem daunting but the trick is to start early and adopt a proactive approach. Indeed, many businesses have already started making preparations to ensure they’re compliant in time for their 2015 audit.
For small to medium-sized businesses, the process of achieving PCI 3.0 compliance is a wholly different proposition from that faced by larger enterprise brands. Consider that compliance can be a burden even for enterprises which have the staff, budget and resources to dedicate to the task, and it becomes clear why smaller businesses face some unique challenges. Payment card security is about more than passing audits; it’s about being part of a larger risk management and security programme that can help defeat the sophisticated cybercriminals who are locked on to stealing card data. If well-resourced giants like Target and Neiman Marcus can suffer breaches, no company is immune.
This is especially true for businesses that lack the deep budgets and on-staff security expertise of larger firms. These companies need help in understanding both the risk of non-compliance and the PCI standards they must meet. An effective way to tackle the upcoming operational and technical changes is to follow a timeline that starts a year before an audit and works backwards.
It should look something like the below, although every business will have challenges unique to them and will be able to put additional tasks into this skeleton template:
12 months out: Companies should engage their QSA, or find one, and have them explain the changes in 3.0 and how they will impact their organisation. Identify issues that may take longer to resolve and begin integrating PCI compliance into daily operations. They should define their cardholder data environment (CDE) and consider taking steps to limit the scope of their CDE. When defining the CDE, remember that it’s about people, processes and technology. Key elements for defining the CDE include: defining where cardholder data resides and demonstrating that it resides only in these locations; creating network and data flow diagrams; assembling a detailed inventory of all systems and applications; detailing all segmentation methods used; and evaluating what third parties are doing.
9 months out: Small and medium-sized merchants want to stay away from cardholder data, but those who must handle it should run cardholder data searches across their entire environment, fully document the CDE and have a ‘penetration test’ done to validate their CDE boundaries.
6 months out: At this stage in the process, only half a year away from the audit, it’s vital that businesses review and update their documentation to meet the 3.0 requirements.
3 months out: Nearly there now, and time to perform a thorough pre-assessment to identify any final needs. There will almost certainly be gaps, and starting early (three months out) ensures businesses have the time to address them before their 2015 audits.
In addition to the above, there are a number of issues that need to be addressed in order to achieve compliance but which may not fit into an allotted timeframe. For instance:
Building a culture of compliance: Compliance is no longer an annual task, but a daily business-as-usual part of the workplace. For many organisations, that could mean educating staff, partners and leadership about their roles in payment card security.
Outsourcing: Smaller merchants should consider options that reduce or eliminate the amount of cardholder data they work with. The right third-party provider can lighten the compliance burden and help achieve smoother, faster audits. Be sure to work with validated providers that successfully pass their own assessments, and get all responsibilities spelled out in contracts. Also consider outsourcing alternatives such as payment gateways or processors that offer host capture and tokenisation, which can remove cardholder data from your systems altogether, and P2PE (point-to-point encryption) for card-present (POS) transactions.
And there it is: a simple roadmap to 3.0 compliance. The truth is, any retailer can get compliant in time for their 2015 audit. And while that will be an important focus this year, it’s important to remember the bigger picture: getting ready for PCI DSS 3.0 shouldn’t take the place of putting together a larger security and risk management programme. Compliance does not equal security, and security programmes should be built on best practices and an assessment of risk. If retailers put the emphasis on security and make compliance a reporting function of that programme, they have a better chance of keeping cyber-attacks at bay.