BOSTON -- Forrester analyst John Kindervag says he's sick of hearing people whine about the payment card industry data security standard (PCI-DSS). A former qualified security assessor (QSA), Kindervag said companies often drag out compliance issues instead of dealing with them head-on.
"A lot of times you just have to get down in the mud and get it done," Kindervag said.
In his recent presentation at the Forrester Security Forum 2008, "The Inside Story of PCI: Confessions of a QSA," Kindervag presented ways companies can have a much smoother experience assessing their security systems and ultimately complying with PCI-DSS. He said PCI takes a different line of thinking from IT security pros and company executives, because it goes against the project-based culture of IT.
"Compliance is a marathon; A never ending marathon," Kindervag said.
To narrow down the scope of PCI, companies should first segment out network systems that contain credit card data. Next, companies need to understand not to introduce anything to those systems, Kindervag said. The easiest road to compliance: Don't store any credit card information, he said.
"PCI is a communicable disease," he said. "Anything you introduce can affect other things making them fall within the scope of PCI."
Banks and credit card carriers no longer require companies to save credit card data. Often companies save some of the data to handle returns, but there are now ways to handle a return without storing sensitive data, Kindervag said.
"PCI is not about securing sensitive data, it's about eliminating data altogether," he said.
Often companies get confused about Safe Harbor, an indemnification clause given to a company after it successfully complies with PCI-DSS. It provides merchants protection from fines and compliance exposure in the event of a data breach. The problem is that companies fail to keep complying with the standard after a QSA verifies that a company is compliant, Kindervag said.
"The only way to indemnify yourself from fines is to be compliant at all times," he said. "I know companies that were compliant at one time but fell out of compliance resulting in a breach."
Preparing for an assessment
Companies shouldn't hire a QSA until they are absolutely sure they are in compliance with PCI, Kindervag said. Start by conducting a policy review. Make policies electronic by creating a Wiki, designed to making finding the appropriate PCI requirements easier and enable anyone who accesses it the ability contribute and modify content, Kindervag said.
Next, conduct a gap analysis. Focus on wireless, Kindervag said. It's an area that is constantly changing and riddled with possible security holes. Also, implement layer 2 bridging on wireless networks so you don't have to re-architect the whole network, he said. Ensure that you're collecting log data, but understand that it's a requirement to aid the card brands.
"Logging is a backup requirement," Kindervag said. "It's a great place to consider outsourcing, but it's also a good place to start a threat management program."
Finally, prioritize the difficult projects, such as network segmentation and encryption deployments.
Hiring a QSA: An insider's perspective
QSA's come in two flavors, Kindervag said, a hacker and an assessor. Find a QSA that you are comfortable with, he said.
"You should not be able to buy a rock," he said. "There's no value in that to you."
Every QSA is unique and has their own way of doing things. Understand that QSAs have no power, the acquiring banks ultimately accept the final report. Although QSA's are hired by the merchant, they are independent and in many circumstances, they're required to make an ethical judgment, Kindervag said.
Conducting an audit is a tedious and time consuming process.
"If you find a QSA that likes the auditing process, you probably want to get a different one," he said.
Most QSAs start by conducting a policy review, followed by a log report review. The QSA also conducts sample testing of company systems for cardholder data. Once that is complete, the QSA completes the report on compliance (ROC).
"If you are not compliant, everything stops and you have to start all over again," he said.