Wednesday, August 8, 2012

Ten Ways to Fail at PCI

A column by Ericka Chickowski at Dark Reading describes ten ways to fail a PCI DSS compliance assessment.  Here is a brief summary of each of the ten missteps together with a little personal commentary:

  1. Pick the first QSA who comes along.  Good advice.
  2. Skip a pre-audit assessment.  For anyone but a Level 1 merchant, this means failing to conduct a PCI gap analysis.  The gap analysis should point out not only your current compliance gaps and remediation options, but it should also identify areas where you can reduce your PCI scope by making business process or technical changes.  It goes back to item #1 - picking a QSA that knows more than just the details of PCI can be a good idea.
  3. Skip a pre-audit checklist.  OK, I'll admit it.  I hate the word "checklist" in the PCI context, but here it makes sense.  This means understand what documents you need as evidence of your compliance.  For example, written security policies and having the right people lined up for your PCI gap analysis.
  4. Poor documentation.  If it is not written down, it doesn't exist.  
  5. Bad assumptions.  If you only read the words in a PCI requirement, you can miss the intent.  Focus on the intent and you can save a lot of wasted effort and heartache.  This is where a QSA who lives in the PCI "echo chamber" can help supplement your internal resources.  
  6. Too much data.  Too often PCI teams fail to ask the question: "Why do you need that data?"  If you get an answer that rhymes with "Well, we always did it that way" you could be on the track to having too much cardholder data to protect.  And too much data translates into added cost and, importantly, added risk.
  7. Ineffective scoping.  Scoping is critical, and it can be difficult in the absence of good, detailed network diagrams.  Well-constructed dataflow diagrams can help identify systems and devices that are in scope for PCI.  Finding another network segment or system half-way through the compliance effort is no fun for anybody.
  8. Blindly trusting your software application.  This one may be my second-favorite.  The dangerous refrain is: "We have a PA-DSS validated app, so we're compliant."  Perhaps the only more dangerous thing would be to believe that statement.  Payment apps have to be installed and maintained, and just because they are PA-DSS validated does NOT mean they don't store electronic cardholder data.  Validated apps help compliance, but they are not a silver bullet.
  9. Blindly trusting your service provider.  This one is my top choice.  I'm going to hold off my "you can outsource your processing, but not your responsibility" speech (er, rant?).  I will simply say that any merchant who does not use Level 1 service providers exclusively (listed on Visa and MasterCard websites) is making a mistake and taking undue risk.  The same goes for using a reseller/system integrator for your application (see #8) who has not been through the PCI Council's training program.
  10. Thinking your SAQ means you're done.  PCI is a program, not a project.  Celebrate your accomplishment in validating your compliance, but remember there is always something you need to be doing.  PCI is the gift that keeps on giving.
 There you have it.  Read Ericks's column and apply it to your own situation. 

1 comment:

  1. These are great tips. I recommend reading the full article, it's excellent. There are a couple good sidebars at the end, including "Don't Make An Enemy Of Your Auditor."