Thursday, April 22, 2010

Understanding the PCI:DSS - Not Just Complying with It

Upon the establishment of the Payment Card Industry's Data Security Standards (PCI:DSS), many relegated the PCI:DSS to a derivative of the ISO standards and just another "tick in the box" among international standards, without much staying or enforcing power. The PCI:DSS has since grown and taken on a significant role in the evolution and enforcement of real information security standards within organizations around the globe, and has even expanded to include the Payment Application Data Security Standards (PA-DSS), which require software developers and vendors to comply with a high level of application security standards.

These standards now represent an integral part of information security practices, and have even instigated a true change by mandating the integration of best practices in data security in organizations of all sizes and types that store, transmit, or process prohibited cardholder data such as full magnetic stripe data, CVV2s or PIN data.

In addition, the instituting of the PA-DSS places a whole new emphasis and importance on the development of secure code by software vendors – and on the maintenance of a secure software development lifecycle. While companies around the globe have all taken on the challenge of PCI compliance, at times requiring large-scale and pan-organizational information security changes within large networks and infrastructure, many companies still find themselves “in the dark” about the actual requirements themselves.

Because of the complex nature of the PCI:DSS and the PA-DSS, the QSA/PA-QSA needs to have an in-depth understanding of the standard, including all of the intricacies involved, to enable a pragmatic approach and a tailoring of the technological, procedural, and administrative controls to your organization's needs. A QSA/PA-QSA that brings with them experience and expertise in the area of PCI and PA-DSS certification will be able to recommend the necessary measures for your company, and to distinguish the most relevant and applicable requirements as they apply to your company's internal business flow. Your organization can then integrate the QSA/PA-QSA's professional recommendations with confidence, knowing that these are the most cost-effective and critical requirements for your organization's compliance with the PCI and PA-DSS.

With much experience under our belt with these compliance processes, Comsec is able to provide a few guidelines on the most prevalent issues and “grey areas” encountered in the different PCI processes by organizations of different sizes, to facilitate what is sometimes perceived as a complex and resource-draining process:

• Don't be afraid of the standard! Know the most important stipulations of the standard so that you can maintain an ongoing dialogue with your QSA/PA-QSA about the solutions best suited to your organization. Only you possess in-depth knowledge of the internal business processes that are unique to your organization, and only you can suggest the methods of operation that are most appropriate for your company; doing so gives you a sense of involvement in, and a level of control over, your compliance process.

• Be aware of where the pitfalls lie for diverse technologies, from legacy systems through Web-based platforms, and of the possible constraints they may pose with regard to complying with this standard.

• Correct scoping of your CHD environment is imperative to prevent the inclusion of unnecessary systems in the compliance process. When properly done, this scoping will in essence reduce the timeframe for compliance and the effort that needs to be invested to ensure that all of the systems and the network comply with the PCI standards.

• Assessing the added value of storing sensitive cardholder data in different systems may lead to de-scoping systems that do not require the storage of sensitive CHD for ongoing business processes, significantly reducing the number of systems required to be in compliance with the standards and streamlining the overall compliance process.

• There are "quick wins" available to organizations, some of them less well known, that make the compliance process much more friendly and attainable. For example:
o Tokenization
o Encryption
o Hashing
o Truncation

Being informed about the different solutions available to your organization will enable you to take the initiative in suggesting the appropriate solution to your QSA.
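To make three of these "quick wins" concrete, here is an added example (not from the original post or from Comsec) showing how truncation, keyed hashing and tokenization each turn a stored PAN into something that is no longer cardholder data, which is what lets a system holding only the protected form be de-scoped. Encryption is omitted because Python's standard library has no authenticated cipher; the sample PAN is a constructed test number and the HMAC key is a placeholder.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample: a well-known test card number, not real cardholder data.
SAMPLE_PAN = "4111111111111111"
# Placeholder key; in practice this lives in an HSM or key-management service.
PLACEHOLDER_HASH_KEY = b"replace-with-a-managed-secret"


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits (the PCI DSS
    masking rule) and replace the middle with 'X'. The result cannot be used to
    reconstruct the PAN, so it is no longer cardholder data."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Hashing: a one-way keyed HMAC-SHA256 that still lets you match a PAN
    across records. A plain unkeyed SHA-256 would be brute-forceable, since
    a PAN has only about 10**9 possibilities once the BIN is known."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: the PAN is swapped for a random surrogate. Only the vault
    holds the mapping, so every system that stores just the token can be
    removed from the CHD environment and therefore from PCI scope."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Return the existing token so repeat transactions stay linkable.
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        # Only the in-scope vault may perform this lookup.
        return self._token_to_pan[token]
```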

• There are many solutions available for outsourcing parts of the clearing/payment process. These solutions often serve to greatly facilitate the compliance process for many organizations.

• The implementation of best practices in secure coding will facilitate the PA-DSS compliance process, as security considerations will already have been taken into account in the development process.

• Be familiar with the different technological solutions involved in the compliance process (e.g. purchasing a web application firewall, or performing code review), and assess which solutions are best suited to your organization and are the quickest and most effective to implement.

When it comes down to it, many parts of the PCI and PA-DSS standards are subject to the human interpretation of the QSA/PA-QSA. Complying with the PCI standards does not have to be a complicated and time-consuming process for organizations, and knowing the different options available to you can help in correctly mapping the compliance process and making the right decisions at the different junctures in the process.

It is also important to bear in mind that these standards serve the purpose of protecting your organization against the many malicious entities who will invest inordinate resources to obtain your clients' sensitive personal information. Complying with these standards will help your organization preserve its long-standing reputation, and will provide your clients with the much-needed assurance that their data is in safe hands when undertaking business transactions with your company.

Do you have questions about PCI:DSS or PA-DSS certification? Feel free to get in touch with our dedicated PCI teams for all of your certification needs.