Have you ever crammed for a test? Stayed up until midnight or later the night before an important house guest arrives, just to ensure that everything is just right? Chances are good that after the test was turned in or that house guest departed, you went back to life as usual.
Many IT and security teams give their organization’s annual PCI QSA assessment the same treatment. Some don’t even think about it until the QSA knocks on their door, while others go through rounds of remediation to achieve their Attestation of Compliance (AoC) and then slip back into non-compliance within a few months.
Earlier this year, my colleague published a PCI Compliance Annual Plan to help self-attesting businesses ease their way into the basics of PCI compliance. The positive feedback we’ve received on that post—coupled with an industry issue we’re seeing—prompted us to put together similar guidance for organizations that undergo an annual PCI QSA assessment.
PCI compliance must continue when your QSA leaves the building.
The core problem is this: Following their first assessment, businesses are failing to incorporate all the necessary PCI practices into a sustainable approach. That is, PCI compliance is never integrated fully into the organization’s “business-as-usual” dynamic.
The first-year, QSA-led assessment is based on a point in time when the organization being assessed must prove compliance as of the date of the AoC. From that point forward, however, things change. With the year-two assessment and all subsequent years, all ongoing operating controls that are mandated by the PCI DSS must have been maintained (and the organization must maintain and provide records of performance for support of the QSA assessment).
Here are the operating controls we find to be most often overlooked:
- Vulnerability Scanning, both internal and external
- Semi-annual review of firewall configuration and rules
- Consistent application of change management processes (for both infrastructure and software changes)
- Performance of an annual risk assessment
- The latest controls for service providers (which became mandatory as of 2/1/2018):
- Semi-annual segmentation testing
- Quarterly reviews to verify the consistent performance of security policies and operating procedures
- Root cause analysis of in-scope security mechanism failures
The PCI Security Standards Council (SSC) has also recognized the problem of businesses failing to develop and execute a plan for continued PCI compliance after their first QSA assessment. The SSC addressed this in PCI DSS v3.2 by requiring that businesses develop a PCI Charter and that they assign responsibility for “overall accountability for maintaining PCI DSS compliance.”
Make a plan to maintain PCI compliance.
This list of mandatory PCI compliance tasks was developed by ControlScan as a QSA client aid and we are now sharing it as a helpful industry resource. Each bulleted task is based on a specific PCI DSS v3.2 requirement.
- Requirement 6.1—Monitoring of Security Sites and Sources for Emerging Threats to the Confidentiality of Cardholder Data (CHD). Establish a process to identify security vulnerabilities using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.
- Requirement 10.6—Review of Logs and/or Alerts from Log Monitoring, IDS and AV Systems. Review logs and security events for all system components to identify anomalies or suspicious activity. Log harvesting, parsing and alerting tools may be used to meet this requirement.
- Requirement 11.5—FIM Scanning. If this is not an on-going, real-time process, file integrity monitoring scans must be run at least weekly. Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical files. Configure the software to perform critical file comparisons at least weekly.
- Requirement 6.2—Application of Critical Software Patches. Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
- Requirement 11.1—Wireless Scanning. A process needs to be executed to identify and remove any rogue wireless devices in the in-scope environment at least quarterly, and to scan for unauthorized wireless networks.
- Requirement 11.2.1—Internal Scanning. Must result in a clean scan at least quarterly for all relevant devices, if deficiencies are found they must be remediated and another scan run to validate the issue was repaired. A year’s worth of reports must be retained and provided to the assessor during annual reviews.
- Requirement 11.2.2—External Scanning. These scans MUST be done using an Approved Scanning Vendor (ASV) product or service. Please consult the PCI SSC website for a list. Scans must result is a PASS for all relevant IPs and URLs at least quarterly. A year’s worth of reports must be retained and provided to the Assessor during annual reviews.
- Requirement 3.1—Verify that Stored CHD Outside of the Retention Period is Securely Deleted. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention needs must be developed and executed with evidence that it has been performed.
- Requirement 12.11—For Service Providers. Perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures. Reviews should address, at a minimum: Daily log reviews, firewall rule-set reviews, application of configuration standards on new systems, response to security alerts and change management processes. Reviews must be documented, resulting in an auditable, dated record of execution.
- Requirement 1.1.7—Review Firewall and Router Configurations. Perform and document firewall and router configuration reviews to verify that configurations are current, in line with documented standards, and comply with PCI requirements.
- Requirement 18.104.22.168—For Service Providers. Penetration testing is performed to verify the effectiveness of segmentation controls at least every six months and after any changes to segmentation controls/methods.
- Requirement 6.6—Review Public-Facing Web Apps. If a WAF is not used to fulfill this requirement, review public-facing web applications via web application vulnerability scanning after each Document the method and results for review by the assessor.
- Requirement 11.3—Perform Internal and External Penetration Testing. Conduct penetration testing in line with the PCI SSC guidance document, at both the network and application layers at least annually and after any material modification to the environment.
- Requirement 12.1.1—Policy Review & Reapproval. Verify that the information security policy is reviewed at least annually and is updated as needed to reflect changes to business objectives or the risk environment.
- Requirement 12.2—Risk Assessment. Implement a risk assessment process. The process must be performed at least annually; must identify critical assets, threats, and vulnerabilities; and must result in a formal, documented analysis of risk.
- Requirement 12.6—Security Awareness Training. Execute and document the performance of Security Awareness Training to make sure that all personnel are aware of cardholder data security and information security policies and procedures. This must happen at least annually and upon hire.
- Requirement 12.6.2—Acknowledgment of Information Security Policy. Require personnel to acknowledge at least annually that they have read and understand the security policy and procedures. This process should be documented, resulting in an auditable record of annual review/acknowledgement by each employee.
- Requirement 12.10.2—IRP Testing. Review and test the information security Incident Response Plan (IRP) at least annually; include all elements listed in Requirement 12.10.1. Document the execution and results of the test.
At least annually and prior to the annual assessment, the assessed entity should also confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, as well as all systems that are connected to—or, if they were to become compromised, could impact—the cardholder data environment (CDE).
Periodically without PCI Prescription
- Requirement 5.2—AV Updates and Scans. Ensure that all anti-virus mechanisms are kept current and perform periodic scans.
- Requirement 11.4—IDS updates. Keep all intrusion detection and prevention engines, baselines and signatures up to date.
PCI compliance doesn’t have to be a hassle.
When you have a plan in place and you execute on the plan, it doesn’t take long before your actions become second nature. The same is true for PCI compliance and security best practices.
Engaging a reputable PCI QSA can also make your life easier, because they can partner with you to serve as a trusted resource for advice and guidance throughout the year. Click here to read Marc Punzirudu’s post “6 Ways to Find the Best PCI QSA.”