4 Reasons to Start a PCI Audit Right Now

Let’s face it: our society is becoming more reliant on cashless payment systems, from payment cards to contactless pay. With this digital focus, the security of cardholder data is top of mind for consumers. In fact, according to Pew Research Center, “41% of Americans have encountered fraudulent charges on their credit cards.” If your business cannot prove that your services are secure, why would consumers choose to do business with you when there are hundreds of others who will protect their cardholder data? Has your business been hesitant to start a PCI audit? Let’s discuss a few reasons why you should stop waiting and start a PCI audit right now.

1. Because You’re Required To

The first, and most obvious, reason to start a PCI audit is that you are required to. If your business is a merchant, service provider, or subservice provider that stores, transmits, or processes cardholder data, including credit, debit, or other payment cards, then you are required to adhere to the PCI DSS.

When we partner with businesses on their PCI compliance journey, though, we want their intention to be more than just meeting a requirement. We want to partner with businesses who are committed to securing the cardholder data that they are responsible for. When clients start a PCI audit for the very first time, we often hear, “Do we really have to do this? Why do we have to go through this audit? Will we pass or fail? How can PCI compliance actually help our business?” After a few audit cycles, though, the denial and hesitancy are replaced with appreciation and preparedness. If the only reason you want to start a PCI audit is to check compliance off on a list, we want to help you get out of the checkbox mentality and fully reap the benefits of PCI compliance.

2. Because Your Brand Depends on It

What are the brands that you use on a daily basis? Where do you shop, eat, or visit? What websites store your cardholder data? If one of the brands you trust had a breach that compromised cardholder data, would you continue entrusting them with yours?

Take Uber, for example. As an app that facilitates 14 million rides each day and stores 91 million users’ cardholder data, it’s crucial to their brand that they demonstrate a high level of due diligence when it comes to data security. Although Uber’s 2016 breach did not compromise cardholder data, the fact that hackers stole other types of personal information (phone numbers, email addresses, names, driver’s license numbers) took a massive toll on the ride-sharing giant’s reputation. If they can’t protect a driver’s license number, how can they protect cardholder data? Even the New York Times pointed out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.”

Does your brand depend on cardholder data security? Could PCI compliance enhance your brand? That’s just one more reason to start a PCI audit.

3. Because It Opens Up More Business Opportunities

Do you have a major deal riding on the fact that you’ve agreed to start a PCI audit? We hear this often from clients, especially from startups, that haven’t made PCI compliance a priority, but now a game-changing deal depends upon it. This is a clear reason to start a PCI audit, but the benefits go beyond that single deal.

Once you obtain PCI compliance, it can open up bigger and better business opportunities for you. It can give you a competitive advantage over competitors who haven’t pursued this compliance goal yet. It boosts your loyal customers’ confidence. PCI compliance can be incorporated into sales conversations and marketing plans. Why wait any longer to start a PCI audit?

4. Because of Cardholder Data Security

What people, processes, or technology have access to your cardholder data? How many transactions do you facilitate annually? What network segmentation controls do you implement? How many payment applications are in use? What assets could impact the security of your cardholder data environment? These are the types of questions you must think about when considering how you secure cardholder data. Are you doing your due diligence? Or do you need to be tested against the PCI requirements?

Demonstrating your PCI compliance instills trust with your customers, prospects, and business partners. Take the next step in cardholder data security and start a PCI audit.

Need more reasons to start a PCI audit right now? Let our Information Security Specialists convince you. Contact us today.

How Do I Find a QSA For My PCI Audit?

Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? Going through a PCI audit for the first time? Your organization will need an individual who can help you maintain PCI compliance and provide you with a high-quality PCI audit. Who can do that? A Qualified Security Assessor (QSA). In fact, a QSA is the only individual who can deliver a PCI RoC for your organization. Without hiring a company that has a certified QSA, you won’t be able to meet your PCI compliance requirements and are at risk for additional data threats. You know you need a QSA, but where should you start? Let’s begin by defining what you’re looking for when choosing a QSA.

What is a QSA?

A QSA is an individual certified by the PCI Security Standards Council (PCI SSC) to test and prove an organization’s compliance with the PCI DSS. A security expert who holds the QSA certification is highly esteemed as a credible source for reviewing compliance activities. You can find a genuine QSA who will lead you on the path towards PCI compliance through the PCI SSC. The PCI SSC provides a detailed list of all QSA companies and individuals, but choosing a QSA takes more effort than simply searching a list.

Choosing a QSA That’s Right for You

Finding a list of QSAs may be straightforward, but choosing the best QSA for your organization is a more difficult choice. There is more to choosing a QSA than finding a company with the correct certification.

  • The best QSA for your PCI audit must understand your organization, what you do, the technologies you use, and the specifics of your industry.
  • To get the most out of your journey to PCI compliance, you want an experienced QSA, not a junior auditor.
  • You need to find a QSA that can meet your needs. Do you have a quick turnaround time? Does the company fit your budget? Are they equipped to handle your specific scope? Can they handle visiting your third parties?
  • Do you need a gap analysis before going through the audit? The right QSA for your organization is one that provides you with remediation guidance and prepares you for the upcoming audit.
  • Do you need to go through multiple audits? Choosing a QSA that will benefit you by offering multiple services and gap analyses along with your PCI audit is necessary!

What to Look Out for When Choosing a QSA

You may hear from an auditing firm that they are qualified to complete your PCI audit, but if they’re not a QSA on the list from the PCI SSC, they’re most likely outsourcing the project. The last thing you need when working towards PCI compliance is a company that leaves the security validation to a third party. They may even misrepresent their PCI services because they want to get your business in another auditing or service area, such as SOC 2 or penetration testing. What’s more, companies will often claim to be a QSA when they only have PCI Professionals (PCIPs). PCIPs are valuable to the PCI audit process, but lack the necessary certification to properly audit your organization for PCI compliance. You need to watch out for these possible misrepresentations when you’re choosing a QSA.

Choosing KirkpatrickPrice as Your QSA

At KirkpatrickPrice, we pride ourselves on providing a quality QSA experience that gives your organization a streamlined PCI audit experience. How do we do it? We partner with you to learn about your organization, your processes, your technologies, and your industry to ensure the scope of your engagement is accurate. We utilize our Online Audit Manager to guide you through the audit control objectives and help you complete your audits together at the same, qualified firm. We work hand-in-hand with your information security team on remediation strategies to make sure that you get the most out of your audit. In addition, many of our audit support professionals, technical writers, and quality assurance personnel have the PCIP certification and work with your QSA, so you’ll have peace of mind that you’re receiving an expert PCI audit from start to finish.

Why settle for a company that outsources your PCI audit when you can choose a QSA that works alongside you to perform a quality audit completed by senior-level, expert auditors? Hire a QSA that’s right for you. Contact us today.

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

Overdue on New PCI Penetration Testing Requirements? What You Need to Know About PCI Requirement 11.3.4.1

PCI Penetration Testing Requirements

Nine new PCI DSS v3.2 requirements turned from best practices to requirements on February 1, 2018. One requirement in particular, PCI Requirement 11.3.4.1, outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.” Let’s discuss why this PCI penetration testing requirement might apply to you, what segmentation is, what the six-month rule means, and what you need in order to comply with this requirement.

Does PCI Requirement 11.3.4.1 Apply to You?

Two conditions determine whether or not PCI Requirement 11.3.4.1 applies to your organization.

  1. Are you a service provider? PCI Requirement 11.3.4.1 is an additional requirement that only applies to service providers. This is any entity that stores, processes, or transmits cardholder data on behalf of a third party, or otherwise has the ability to impact cardholder data security.
  2. Do you use segmentation for the purpose of PCI scope reduction?

If both of these apply to you, all segmentation controls that are in place for the purpose of PCI scope reduction must be tested every 6 months or after any changes to segmentation controls or methods.

What is Segmentation?

Think of your CDE as the center of a circle, with a protective, second circle surrounding it. This second circle is your supporting environment. This could include domain controllers, patch management systems, network and log monitoring systems and other similar devices that perform critical functions for systems located within the CDE. These systems, which are connected to or impact the security of the CDE, are considered to be part of the overall PCI scope. Everything outside of the second circle should be segmented in order to reduce and tightly control the scope. This can reduce the cost and complexity involved with achieving and maintaining compliance with the PCI DSS.

What is PCI Requirement 11.3.4.1 Actually Requiring?

PCI Requirement 11.3.4.1 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.

Our approach to compliance with PCI Requirement 11.3.4.1 involves more than simply validating segmentation controls through port scanning activities. The PCI DSS specifies that penetration testing must be performed, meaning that it is not sufficient to only perform something like nmap scans from non-CDE to CDE networks. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.

Our penetration testing requires some sort of discovery to verify that what we expected from the CDE is there. Using the background and understanding from the first penetration test, we must validate that the scope of your CDE hasn’t changed in the last six months. We must understand what was in the CDE six months ago and what’s in the CDE now. This establishes a baseline of healthy security of the CDE. If you don’t understand or know what’s on the inside of the CDE, how do you know that sensitive information can’t be seen from the outside?

Our PCI penetration testing efforts focus on wherever segmentation controls are lacking. Our testing includes confirmation of the effectiveness of applicable segmentation controls and performing many of the same internal penetration testing activities that are expected in order to comply with PCI Requirements 11.3.2 and 11.3.3. This comprehensive approach focuses on the entirety of the in-scope PCI environment and allows our penetration testers to effectively test the segmentation controls by leveraging information gathered during initial penetration testing to inform the approach used to attempt to circumvent the targeted segmentation controls.

Am I Overdue on PCI Requirement 11.3.4.1? How Soon Should I Expect to Perform Penetration Testing?

The PCI SSC has given some clarity on the six-month rule described in this requirement. If your organization is in panic mode thinking, “February 1 has hit and now we’re overdue on new PCI penetration testing requirements,” you’re probably not actually overdue. The six-month rule went into effect the same day that the entire requirement went into effect. There’s no need to go back in time. If you had a penetration test performed on December 5, 2017, then your next penetration test should be scheduled for May 5, 2018. The PCI DSS guidance explains, “For service providers, validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives.”
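To make the two applicability conditions and the six-month cadence concrete, here is an added Python checker (an example written for this page, not KirkpatrickPrice tooling) that takes the last segmentation test and any later changes to segmentation controls and reports when the next test is due. The effective date and the six-month interval come from the text; treating an organization with no prior test as due on the effective date is an assumption, and the sample timeline is constructed.

```python
import calendar
from datetime import date
from typing import Optional, Sequence, Union

# Added example, not KirkpatrickPrice code. Dates may be given as date
# objects or ISO-8601 strings, as they would come out of a compliance ledger.
DateLike = Union[date, str]

# From the text: the nine v3.2 requirements, 11.3.4.1 included, became
# mandatory on this date, and the six-month clock started the same day.
EFFECTIVE_DATE = date(2018, 2, 1)
INTERVAL_MONTHS = 6


def _as_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def requirement_applies(is_service_provider: bool,
                        segmentation_reduces_scope: bool) -> bool:
    """11.3.4.1 applies only when both conditions from the text hold."""
    return is_service_provider and segmentation_reduces_scope


def add_months(start: DateLike, months: int) -> date:
    """Calendar-month arithmetic clamped to the end of the target month
    (31 Aug + 6 months -> 28 Feb), so a test on a month's last day does
    not silently gain extra days."""
    d = _as_date(start)
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(last_test: Optional[DateLike], changes: Sequence[DateLike]) -> date:
    """Latest date by which the next segmentation test must occur.

    Six months after the last test, or the date of the first change to
    segmentation controls/methods made after that test, whichever comes
    first. Changes that predate the last test were covered by it. With no
    test on record the test is treated as due on EFFECTIVE_DATE (an
    assumption; the text only addresses the case with a prior test).
    """
    if last_test is None:
        return EFFECTIVE_DATE
    last = _as_date(last_test)
    due = add_months(last, INTERVAL_MONTHS)
    later = [c for c in map(_as_date, changes) if c > last]
    return min([due] + later)


def is_overdue(last_test: Optional[DateLike], changes: Sequence[DateLike],
               today: DateLike) -> bool:
    """True once today is past the due date with no newer test recorded."""
    return _as_date(today) > next_due(last_test, changes)


if __name__ == "__main__":
    # Constructed sample timeline, not real engagement data.
    last = "2018-03-10"
    changes = ["2018-01-15", "2018-05-02"]   # the January change predates the test
    print("applies:", requirement_applies(True, True))
    print("due (no changes):", next_due(last, []))          # 2018-09-10
    print("due (with change):", next_due(last, changes))    # 2018-05-02
    print("overdue on 2018-06-01:", is_overdue(last, changes, "2018-06-01"))  # True
```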

How is your organization re-assessing its penetration testing needs?

If you have questions about how these PCI penetration testing changes will affect your compliance or need additional help with implementation, contact us today, download our on-demand webinar that reviews all nine new PCI DSS requirements, or check out our PCI Demystified series.

The 12 PCI DSS Requirements

This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to do to become compliant.

The 12 PCI DSS Requirements

The PCI DSS was jointly developed by the payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Its purpose is to ensure that all of the data that lives within the Cardholder Data Environment (CDE) is protected and secured from theft or unauthorized use. If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS. The current version, PCI DSS 3.2, has approximately 394 controls, 6 control objectives, and 12 major subject areas. The 12 requirements are:

  • PCI Requirement 1 states, “Install and maintain a firewall configuration to protect cardholder data.” Your organization should focus on securing and hardening your network and securing the inbound and outbound traffic.
  • PCI Requirement 2 states, “Do not use vendor-supplied passwords and other security parameters.” Most organizations tend to focus on hardening their operating systems, but this requirement is intended for all assets within the environment.
  • PCI Requirement 3 states, “Protect stored cardholder data.” This requirement focuses on securing cardholder data at rest; this is the encryption and the storage of sensitive information.
  • PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.” If you transmit cardholder data over open or public networks, that data must be securely and appropriately protected.
  • PCI Requirement 5 states, “Protect all systems against malware and regularly update anti-virus software or programs.” Do not focus on only anti-malware or only anti-virus; this requirement deals with both.
  • PCI Requirement 6 states, “Develop and maintain secure systems and applications.” There’s more to this requirement than just securing applications. It’s about identifying vulnerabilities, patching your systems, change management, change controls, and secure software development.
  • PCI Requirement 7 states, “Restrict access to cardholder data by business need-to-know.” Requirement 7 goes hand-in-hand with Requirement 8; it focuses on authorization.
  • PCI Requirement 8 states, “Identify and authenticate access to system components.” Requirement 8 focuses on authentication.
  • PCI Requirement 9 states, “Restrict physical access to cardholder data.” If a hacker has physical access to your assets, they pretty much own that data.
  • PCI Requirement 10 states, “Track and monitor all access to network resources and cardholder data.” This requirement is all about logging.
  • PCI Requirement 11 states, “Regularly test security systems and processes.” Your organization must ensure that you’re testing for vulnerabilities and managing the security of your environment so that your assets are protected.
  • PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This is the requirement that addresses the policy and procedure management and vendor management of your organization.

Most organizations tend to focus on the 12 requirements; however, we believe there are 2 appendices that might as well be requirements. The first is for shared hosted service providers and the second is for Designated Entities. We’ll discuss these appendices further in a later video.

Video Transcription

The 12 PCI DSS Requirements

The PCI DSS is comprised of 12 requirements and 2 appendices that we need to have a discussion about. We start out with Requirement 1, which is focused on securing and hardening the network and the inbound and outbound traffic. Requirement 2 is primarily focused on hardening the systems and the applications; most organizations really just tend to focus on hardening their operating systems, but Requirement 2 is really intended for all assets within the environment. Requirement 3 is focused on securing cardholder data at rest. This is the encryption and the prohibition of storage of sensitive information. Requirement 4 is focused on making sure that when you transmit cardholder data over open or public networks, the data itself is appropriately protected. Requirement 5 deals with antimalware and deals with antivirus.

Requirement 6 has actually got quite a bit that it deals with. This requirement, when we talk about the PCI DSS, talks about securing applications, but there’s a little bit more than that. It’s identifying vulnerabilities, it’s patching your system, it’s change management, it’s change controls, it’s secure software development and all the requirements that go along with making sure the applications are maintained securely. Requirement 7 and Requirement 8 kind of go hand-in-hand; Requirement 7 is authorization and Requirement 8 is authentication. We change things up a little bit when we get to Requirement 9. Requirement 9 is focused on the physical security of the environment. If I’m a hacker and I have physical access to your assets, I can pretty much own the data on it. We get to Requirement 10, which is all of your logging. When we get to Requirement 11, it’s focused on making sure that all of the things that you’ve put in place to secure your assets are functioning appropriately. This is where we’re testing for vulnerabilities and making sure we’re managing the security of the environment. Requirement 12 is the policy and procedure management and vendor management of the organization. This is really the management aspect of the PCI DSS itself.

Most organizations, most people tend to focus on the 12 requirements themselves; however, there are 2 additional appendices that might as well be requirements. The first one we have is for shared hosted service providers. If you have a question of whether you’re a shared hosted service provider, please look at Requirement 2.6 in the PCI DSS. That will clearly explain what a shared hosted service provider is and talk about what the requirements are there. Lastly, we have the last appendix which we need to be concerned with or have conversations about. This is the Designated Entities Appendix. Once again, we’ll talk about what that is when we get to that requirement.