Thursday, April 22, 2010

Understanding the PCI DSS - Not Just Complying with It

When the Payment Card Industry Data Security Standard (PCI DSS) was first established, many dismissed it as a derivative of the ISO standards and just another "tick in the box" among international standards, without much staying or enforcing power. The PCI DSS has since grown to take a significant role in the evolution and enforcement of real information security standards in organizations around the globe, and has been joined by the Payment Application Data Security Standard (PA-DSS), which requires software developers and vendors to meet a high level of application security.

These standards now represent an integral part of information security practice, and have brought about real change by mandating data-security best practices in organizations of all sizes and types that store, process or transmit cardholder data. They also prohibit outright the storage, after authorization, of sensitive authentication data such as full magnetic-stripe (track) contents, CVV2/CVC2 card-verification codes and PIN data.

In addition, the introduction of the PA-DSS places a whole new emphasis on the development of secure code by software vendors, and on maintaining a secure software development lifecycle. While companies around the globe have taken on the challenge of PCI compliance, at times requiring large-scale, organization-wide information security changes across large networks and infrastructures, many still find themselves "in the dark" about the actual requirements.

Because of the complex nature of the PCI DSS and the PA-DSS, the QSA/PA-QSA (Qualified Security Assessor / Payment Application QSA) needs an in-depth understanding of the standard, including all of its intricacies, to enable a pragmatic approach and to tailor the technological, procedural and administrative controls to your organization's needs. A QSA/PA-QSA who brings experience and expertise in PCI DSS and PA-DSS certification will be able to recommend the necessary measures for your company and to distinguish the most relevant and applicable requirements as they apply to your internal business flow. Your organization can then integrate the QSA/PA-QSA's professional recommendations with confidence, knowing that they are the most cost-effective and critical requirements for your compliance with the PCI DSS and PA-DSS.

With much experience of these compliance processes under our belt, Comsec is able to offer a few guidelines on the most prevalent issues and "grey areas" encountered in PCI processes by organizations of different sizes, to facilitate what is sometimes perceived as a complex and resource-draining process:

• Don't be afraid of the standard! Know its most important stipulations so that you can maintain an ongoing dialogue with your QSA/PA-QSA about the solutions best suited to your organization. Only you possess in-depth knowledge of the internal business processes unique to your organization, and you can suggest the methods of operation most appropriate for your company; this contributes to a sense of involvement and a level of control over your compliance process.

• Be aware of where the pitfalls lie for diverse technologies, from legacy systems through Web-based platforms, and the constraints they may pose for complying with this standard.

• Correct scoping of your cardholder data (CHD) environment is imperative to prevent the inclusion of unnecessary systems in the compliance process. Properly done, scoping reduces both the timeframe for compliance and the effort that must be invested to bring all in-scope systems and networks into line with the PCI standards. Remember that any system connected to, or able to affect the security of, the cardholder data environment is also in scope unless it is properly segmented from it.

• Assessing the added value of storing sensitive cardholder data in each system may lead to de-scoping systems that do not actually need stored CHD for their business processes, significantly reducing the number of systems that must comply and streamlining the overall process. If you don't need it, don't store it: data that is never stored does not have to be protected.

• There are "quick wins" available to organizations, less widely known, that make the compliance process much more friendly and attainable. For example:
o Tokenization - replacing the PAN with a surrogate value, so that only the token vault holds real card numbers
o Encryption - rendering stored PAN unreadable, with the keys managed and protected separately from the data
o Hashing - storing a keyed, one-way hash of the full PAN where only matching, not recovery, is needed
o Truncation - keeping no more than the first six and last four digits, after which the value is no longer cardholder data

Being informed about the different solutions available to your organization will enable you to take the initiative in suggesting the appropriate solution to your QSA.
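To make the four "quick wins" concrete, the following Python is an added example written for this page; it is not code from the original post or from Comsec. It shows truncation/masking of a PAN to the first six and last four digits, a keyed hash (HMAC-SHA256) of the full PAN, and a minimal token vault, and it also demonstrates why an unkeyed hash of a PAN is a weak control: with the BIN (first six digits) and last four known, only the middle six digits are unknown, so a plain SHA-256 can be brute-forced in a second. The PAN 4111111111111111 is a well-known test number, and the vault design, function names and the choice to reject Luhn-valid tokens are assumptions made for the illustration.

```python
# Added example (not part of the original Comsec post): truncation/masking,
# keyed hashing and tokenization of a primary account number (PAN), plus a
# demonstration of why an unkeyed hash of a PAN is brute-forceable.
# All names, the vault design and the sample data below are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TEST_PAN = "4111111111111111"  # constructed sample input: a Luhn-valid test number, not a real card


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS
    allows to be displayed. Stored in truncated form (the middle digits
    discarded, not merely hidden) the value is no longer cardholder data."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable for matching.
    The key must be protected like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(pan: str) -> bytes:
    """Plain SHA-256 of the PAN: the weak variant the next function attacks."""
    return hashlib.sha256(pan.encode()).digest()


def recover_pan_from_unkeyed_hash(digest: bytes, first6: str, last4: str) -> Optional[str]:
    """The BIN (first six) is effectively public and the last four are routinely
    printed on receipts, so only 10**6 middle values remain (fewer still if the
    attacker filters on Luhn). Enumerate them and compare against the digest."""
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == digest:
            return candidate
    return None


class TokenVault:
    """Hypothetical minimal tokenization service: real PANs live only inside the
    vault; callers get a random surrogate that keeps the length and last four
    digits. The vault becomes the one system that still holds CHD."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any token that passes Luhn, so a leaked
            # token cannot be mistaken for, or accepted as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only authorised callers (e.g. the payment gateway) should reach this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("masked :", mask_pan(TEST_PAN))
    print("hmac   :", hash_pan(TEST_PAN, key))
    print("token  :", token, "->", vault.detokenize(token))
    weak = unkeyed_hash(TEST_PAN)
    print("recovered from unkeyed hash:",
          recover_pan_from_unkeyed_hash(weak, TEST_PAN[:6], TEST_PAN[-4:]))
```

Two caveats a QSA will raise: the vault, the HMAC key and any encryption keys are themselves in scope and must be protected accordingly, and if both a hashed and a truncated form of the same PAN exist in your environment, controls are needed so the two cannot be correlated to reconstruct the original (the brute-force function above is exactly that correlation when the hash is unkeyed).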

• Many solutions are available for outsourcing parts of the clearing/payment process, and these often greatly simplify compliance by keeping cardholder data out of your own environment altogether.

• The implementation of best practices in secure coding will facilitate the PA-DSS compliance process, as security considerations will have already been taken into account in the d