Testing Controls & Gathering Evidence

Keeping up with PCI DSS (Payment Card Industry Data Security Standard) compliance is not easy. 80% of businesses fail their PCI DSS assessments, according to a 2017 report by Verizon. Of the 20% who manage to pass, only 29% of them maintain compliance after a year.

Just like any other information security requirement, PCI DSS compliance isn't a one-and-done task but an ongoing process. Success is reserved for vigilant businesses.

For businesses that want to keep running, compliance is a necessity, not a luxury. The ad hoc penalties for non-compliance can be hefty, and borderline crippling. As long as you take planning and preparation seriously, obtaining the ever-coveted Attestation of Compliance (AOC) or Report on Compliance (ROC) becomes quite easy.

How do you do that? Before every PCI DSS self-assessment or audit, you ought to test the controls that you have implemented around your cardholder data environment (CDE), attend to any issues that arise, and document evidence that the controls are working as per the expectations.

Some of the best practices are:

  • Testing your system controls and organizational systems frequently
  • Conducting quarterly network scans with the help of an Approved Scanning Vendor (ASV)
  • Conducting annual on-site assessments or audits
  • Documenting your organization's systems and controls testing
  • Documenting the policies, activities, and procedures that you have placed around the transmission, processing, and storage of cardholder or credit card data

When done with the steps above, be sure to transmit the evidence of compliance and test results to the Qualified Security Assessor (QSA) who will be auditing your business. Otherwise, you risk:

  • Increasing the cost of auditing your business, since the auditor will have no choice but to collect these documents on their own.
  • Incurring hefty fines stemming from non-compliance if you fail a self-assessment or audit. Having tested your controls and remediated any flaws will eliminate any chance of non-compliance, making it easy to obtain your ROC or validation.
  • In the worst case, losing your right to accept credit card payments as a business, which can be a crippling blow in the digital age.

Regardless of whether you had previously done the tests or not, you still need to perform them before every audit. Any evidence on PCI DSS compliance that you provide ought to be current.

PCI DSS in a Nutshell and Why Compliance Matters

In simple terms, PCI DSS is a set of data security requirements that both service providers and merchants need to meet to process credit card data. The standard was drafted by the PCI SSC (PCI Security Standards Council), a council consisting of the top credit card brands, including Visa, JCB, Discover, American Express, and MasterCard.

The core goal of the standard is to uphold high security standards around cardholder and credit card data, protecting it from data breaches. Merchants, and any entity that provides services to them, are required by their acquiring banks (the financial institutions that handle the processing of credit card transactions) to maintain continuous compliance.

Testing the end-to-end security of your payment system frequently is pivotal to meeting these requirements.

How to Test and Gather Evidence

Ideally, the controls you set up and the tests you run will all be centered on your payment card transaction network. This includes your point-of-sale system, the storage location of your credit card data, the system that processes your payment information, the encryption of your sensitive data, and much more.

  • Risk assessment is critical for maintaining PCI DSS compliance. With an organization-wide risk assessment, it becomes easy to create an environment with the desired level of security for credit card and cardholder data. Ensure that the assessment targets the risks around credit card data and that you document any remediation you opt for.
  • The PCI DSS compliance requirements outline the controls you have to set up to be compliant. The 281 requirements can be grouped into 12 categories. They address network segmentation, encryption, data disposal, security awareness training, and third-party data security, among many other aspects of a sound security program. For instance, the directives state that you ought to be using Transport Layer Security (TLS) for encryption instead of the Secure Sockets Layer (SSL).
  • Penetration testing your CDE is a necessity, regardless of whether you do it internally or with the help of an independent, qualified third party. Tests should look for gaps in the security systems and processes around your payment card system.
  • Segmentation testing, a part of penetration testing, is a necessity for businesses that segment their CDE from other parts of their network. The goal is to ensure the segmentation methods in place are working as expected when it comes to isolating the CDE from the other systems.

After testing and verifying that the controls you have in place are working as expected, the next step is to demonstrate your compliance effort by preparing an audit trail of documents. Documentation includes system and network logs, emails, policies, protocols, network configurations, procedures, system architectures, and any written material that can act as evidence of how you have protected your CDE.
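Evidence handed to a QSA is only useful if it can be shown to be current and unaltered since collection. The following is an added example, not code from the original article or from any PCI SSC tool: it builds a SHA-256 manifest over an evidence directory, tags each file with a free-text label for the control it supports, and later verifies that nothing was modified, removed, or slipped in afterwards. The file names and their contents are constructed sample data; the label strings are assumptions chosen to match the practices listed above.

```python
"""Build and verify a tamper-evident manifest for PCI DSS evidence files (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"  # the manifest is excluded from its own listing


def sha256_file(path):
    """Stream a file through SHA-256 so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, control_labels):
    """Walk evidence_dir and record path, size, digest and the control each file supports.

    control_labels maps a relative path to a list of free-text labels (assumed format).
    """
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            if rel == MANIFEST_NAME:
                continue
            entries.append({
                "path": rel,
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "controls": control_labels.get(rel, []),
            })
    entries.sort(key=lambda e: e["path"])  # deterministic ordering for diffing
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def save_manifest(evidence_dir, manifest):
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(evidence_dir, manifest):
    """Return a sorted list of discrepancies: missing, modified, or unlisted files."""
    problems = []
    listed = {e["path"] for e in manifest["entries"]}
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["path"])
        if not os.path.exists(path):
            problems.append("missing: " + e["path"])
        elif sha256_file(path) != e["sha256"]:
            problems.append("modified: " + e["path"])
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in listed and rel != MANIFEST_NAME:
                problems.append("unlisted: " + rel)
    return sorted(problems)


def demo():
    """Constructed walk-through: collect, verify clean, then detect three kinds of tampering."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "asv_scan_q1.txt"), "w") as f:
        f.write("constructed sample: quarterly ASV scan result\n")
    with open(os.path.join(d, "segmentation_test.txt"), "w") as f:
        f.write("constructed sample: CDE unreachable from out-of-scope segment\n")
    labels = {  # assumed labels, not PCI DSS requirement numbers
        "asv_scan_q1.txt": ["quarterly external ASV scan"],
        "segmentation_test.txt": ["segmentation test"],
    }
    manifest = build_manifest(d, labels)
    save_manifest(d, manifest)
    clean = verify_manifest(d, manifest)
    # Simulate what a verifier must catch: an edit, a deletion and a late addition.
    with open(os.path.join(d, "asv_scan_q1.txt"), "a") as f:
        f.write("edited after collection\n")
    os.remove(os.path.join(d, "segmentation_test.txt"))
    with open(os.path.join(d, "late_addition.txt"), "w") as f:
        f.write("not part of the collected set\n")
    tampered = verify_manifest(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

A hash list only detects changes relative to itself, so keep a copy of the manifest (or its own digest) outside the evidence share, ideally signed or stored with the QSA, so that an attacker or careless editor cannot regenerate both the files and the manifest together.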

Consider Working with Compliance Software

Keeping up with your compliance needs manually is not only time-consuming but also tiring, and it is easy to make common mistakes that result in non-compliance. Compliance software takes away most of that burden. For instance, you can scan your enterprise's systems against the PCI DSS directives to identify areas where you fall short of compliance.

On-site audits and self-assessments are easier with such software. It takes only a few clicks to audit your system in its entirety, as many times as needed to close the compliance gap. Compliance software also streamlines the task of generating, collecting, storing, and organizing the documentation required during audits.