Information Security Magazine
Secure Configuration of Windows XP Desktops
by Brien Posey
Issue: Jul 2008

GET TO KNOW THE QSA
As the person who issues the Report on Compliance (RoC) to the acquiring banks and card brands, the QSA has quite a bit of power. Working effectively with the QSA can mean the difference between attaining compliance and not. The first place to go when looking for a QSA is the council's site: for external validation, only council-approved QSAs may submit RoCs. Another option is to ask colleagues which QSAs they've worked with, or to ask your acquiring bank for a QSA reference. Evaluate acquiring bank recommendations carefully, though. Some acquiring banks have relationships with assessor organizations that pay referral fees, which may indicate the bank is motivated to make the recommendation simply to receive the fee.

Many organizations that have successfully completed PCI audits recommend treating the QSA search like any hiring process. Include requests for references and price quotes in the assessment criteria. And keep in mind that you'll be working closely with the assessment company, so it's important to have a good comfort level with its methodology. Another great tip from the trenches: consider two QSA firms, one for pre-assessment and one for the validation work.

Even if an organization does not wish to pre-assess with a QSA, it should conduct its own pre-assessment. The PCI SSC Self-Assessment Questionnaire (SAQ) and the PCI DSS Security Audit Procedures are excellent resources. An IT professional who completed a PCI validation cycle for his company said, "By pre-assessing, we knew where the holes were and could fill them before getting beat up in front of upper management by the QSA." Though not getting "beat up" can be a benefit of pre-assessment, it's important to keep in mind that most QSAs aren't aiming for humiliation and failure. Pre-assessment gives organizations key knowledge regarding what is important to QSAs during an assessment, especially with regard to documentation. By understanding where the QSA is coming from, IT professionals can engage in a more collaborative relationship.


SIMs Stand Out
REQUIREMENT 10.6

PCI requires daily log reviews, spurring a boom in SIMs sales.

PCI compliance is "a process, not a product," says Michelle Dickman, president and CEO of security information management (SIM) vendor TriGeo Network Security. Yet, there's no denying that a lot of product has been sold in the name of PCI.

Many of these purchases were a result of shoring up security controls in areas where they did not exist. For example, most companies have firewalls (Requirement 1) in their data centers, but many did not have one at every retail site. Now, thanks to PCI, many do.

One product category, however, does stand out as particularly helpful, according to those who have undergone PCI DSS audits: SIMs and log management tools. Requirement 10 calls for monitoring and testing of networks, and 10.6 specifies: "Review logs for all system components at least daily." For a major retailer with thousands of components in the cardholder data environment, meeting those requirements just wasn't feasible without a log aggregation solution.

But simply centralizing all logs and alerts isn't the end of the story, warns William Lynch, a manager and Qualified Security Assessor at IT consulting firm CTG. "Make sure the review process, accountable parties and documentation are in place to ensure that the review happens," he says.

--DIANA KELLEY
