Guest post by Lohit Mehta, Security Researcher for the InfoSec Institute
This article focuses on three of the most commonly identified issues when an organization is audited for PCI compliance by an external party. This article also offers some tips to avoid these pitfalls.
Pitfall #1: Improper scoping
As in most compliance cases, if you are not aware of the scope of your exercise, then you will likely end up non-compliant. The PCI DSS is no different: an incomplete scope means some systems are left unassessed and unpatched, and therefore in non-compliance.
Proper scoping for PCI begins with the following:
- Reducing scope makes achieving compliance with the PCI DSS much simpler. In PCI DSS, every process and technology involved in processing, transmitting or storing cardholder data is in scope. There are a variety of ways to reduce PCI scope, such as reducing the number of systems that process cardholder data.
- Lay out a good network segmentation design; otherwise every system the cardholder data touches will be in scope for PCI.
- If any part of maintaining cardholder data is outsourced to a third party, then make sure that you are transferring the information over a secure channel and that the third party is included in the scope of the audit. Also make sure that the third party undergoes a PCI DSS audit and takes all the necessary precautions to protect cardholder data.
- Never store data that the PCI DSS does not permit you to store.
- Do not ignore supporting servers, such as NTP and DNS. Include them in the scope as well.
- Also account for the wireless access points that are connected to the cardholder data environment.
Pitfall #2: Ignoring data in motion
Sensitive cardholder data includes full track data, PIN, CVV, etc. Other important cardholder details include PAN, cardholder name, service code and expiration date. Many organizations incorrectly believe that the PCI DSS only covers the storage of this sensitive cardholder data; however, this data is also in your PCI scope when it is in motion for the purpose of payment card processing. In other words, the data must be protected throughout the transactional process.
Organizations can significantly reduce their PCI scope by employing techniques like tokenization. With tokenization, the data that flows within the internal network is meaningless to an attacker, as it consists only of tokens rather than actual cardholder data.
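As an added illustration, not part of the original post, here is a minimal tokenization vault in Python. The vault swaps each PAN for a random 16-digit token that keeps the last four digits for receipts but deliberately fails the Luhn check, so a token can never be mistaken for a real card number and anything outside the vault handles only tokens. The PAN is a standard test number and the in-memory vault is a constructed stand-in for a real, segmented vault service.

```python
import re
import secrets

PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: true for every well-formed PAN, false for the tokens issued here."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if any 13-19 digit run in the text passes Luhn, i.e. looks like a real PAN.
    Useful for checking that logs and internal messages carry tokens only."""
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(text))


class TokenVault:
    """In-memory stand-in for a tokenization vault (constructed example).
    Only the vault stays in PCI scope; systems that handle tokens do not."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same card, same token (repeat customers)
            return self._pan_to_token[pan]
        while True:
            # Random digits, keeping the last four of the PAN for receipts.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            # Reject candidates that pass Luhn or collide with an existing token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the cardholder data environment, can do this."""
        return self._token_to_pan[token]
```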
Pitfall #3: Addressing PCI compliance only when annual validation time rolls around
This is one of the biggest misconceptions among organizations: striving only to achieve PCI DSS certification rather than to sustain it. The effort should be the same on the day before the audit and on every day after the audit is completed. Monitoring needs to be done daily, the status of all controls needs to be checked at regular intervals, and so on. Remember that security is not a one-time exercise; it is a continuous process.
This is by no means an exhaustive list, but it outlines some of the most common pitfalls organizations face in their PCI DSS environment. Subscribe to this blog for additional tips and webinar announcements.