Documentation may not be exciting, but reviewing documents is a cornerstone of the QSA audit process, so be sure to include documentation review while working on a gap assessment. This is particularly important for areas that are open to interpretation or where compensating controls have been implemented. If a risk assessment process was completed before a control was implemented, be sure the supporting documentation is there so the QSA can assess it properly. Otherwise, the QSA may fail your control.
A money-based "gotcha" to watch out for when working with a QSA is when the QSA claims a company won't be validated as compliant if it doesn't buy a specific vendor product from the assessor's reseller. The tactic can be a softer sell, recommending the customer make the purchase rather than demanding it, but either way it's all wrong. QSAs that attempt to increase profits by requiring product purchases should be reported to the council.
VLANs, air gaps and physical separation." When data must travel over public networks, such as the Internet and wireless LANs, Carey advises companies to secure the transmission using encryption protocols such as SSL.
Segmentation was a key part of the National Aquarium in Baltimore's strategy. As part of its PCI pre-assessment work, the aquarium reviewed two merchant functions that were operationally outsourced to third parties--the aquarium gift store and food services--and decided to physically separate the outsourced merchant networks from the aquarium's own network. This resulted in a significant reduction in audit scope during the aquarium's PCI validation work.
Another tip on the simplification front--one we've all heard--is don't store what you don't need. But as Hogan's plea to the PCI SSC illustrated, many retailers--due to their service level agreements--are required to store PANs in a retrievable format for up to 18 months. Companies that don't have that requirement have simplified their PCI compliance by eliminating PAN storage. Others don't have to hang on to the PAN for months but hold it for hours during authorization. Brady Decker, network engineer at the aquarium, suggests that banks and card brands "take the merchants out of the security loop" by not having them store the PAN, even during the authorization phase. If a company must hold on to PANs for any length of time, Carey recommends "leveraging native database encryption capabilities to meet [requirement] 3.4 before layering on a third-party solution that may degrade performance or increase management complexity."
In addition, make sure to really know what's in your environment. Stories abound of large organizations that found untracked spreadsheets with thousands of credit card numbers when beginning their PCI assessment work. "Map the credit card data flow" for the entire lifecycle of the data's existence in your organization, says Michael Gavin, security strategist for application security company Security Innovation. That means answering these questions: Where does the information come in? Where is it being stored? Who has access along the way?
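One way to act on the "know what's in your environment" advice above, as an added example that is not from the article or any of the people it quotes: a small Python scanner that finds Luhn-valid 13-19 digit card-number candidates in exported text (the constructed CSV below stands in for an untracked spreadsheet) and reports each hit only in truncated form, first six and last four digits, so the scan output does not itself become another copy of the PAN. The regular expression, the 13-19 digit range and the sample rows are my assumptions, not requirements taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop the pattern from matching inside longer digit runs.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str   # first six and last four only; the full PAN is never kept
    length: int

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most phone numbers, order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits, the usual PCI display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid card-number candidate, by line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings

# Constructed sample: an exported "spreadsheet" of the kind a scoping exercise turns up.
# The card values are the well-known public test numbers, not real accounts.
SAMPLE_CSV = """order_id,customer,card,phone,notes
10001,Alice,4111 1111 1111 1111,410-555-0147,test Visa number
10002,Bob,5555-5555-5555-4444,410-555-0199,test Mastercard number
10003,Carol,378282246310005,,test Amex number
10004,Dave,1234567890123456,,16 digits but fails Luhn
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV):
        print(f"line {f.line_no}: {f.masked_pan} ({f.length} digits)")
```

The phone numbers and order IDs in the sample are too short to match, and the last row has the right length but fails the Luhn check, so only three rows are reported.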
This was first published in July 2008