5 Steps to Implement & Maintain PCI DSS Compliance www.alienvault.com

Page 1: 5 Steps to Implement & Maintain PCI DSS Compliancedocs.media.bitpipe.com › ... › AV-PCI-DSS-Compliance.pdf · 2015-10-13 · Security Standard (PCI DSS) compliance can be both


If you haven’t guessed it by now, achieving and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium-sized organizations, however, it doesn’t have to be, as long as you have the right plan and tools in place. In this paper you’ll learn five steps you can take to implement and maintain PCI DSS compliance at your organization.

The steps described in this paper are meant for readers already aware of each requirement within the PCI DSS. If you are not, you can head over to the PCI Standards Council website for a breakdown of all the requirements and then return to this paper for implementation and maintenance best practices. Additionally, the steps described here will be geared towards small to medium organizations that are required to comply with all components of the PCI DSS and not just portions of it.

This resource was created in conjunction with Terra Verde Services.

5 Steps to Implement and Maintain PCI DSS Compliance

PCI DSS Compliance Checklist

The recipe for implementing and maintaining PCI DSS compliance includes the following five steps:

• Determine Your True Business Requirements

• Inventory Locations and Assets

• Segment the Environment

• Operationalize Controls

• Automate Controls and Control Reporting

STEP 1 Determine Your True Business Requirements

Most organizations don’t directly process credit cards. Instead, they offload some of the risk to a third party. In this scenario you still need to ensure that the third party is PCI compliant, but why incur the cost of implementing and maintaining all the controls if you don’t need to?

There are many reasons why card data is needed in organizations, and most of the time it revolves around customer convenience or user experience. Although these are valid reasons, organizations should still do a thorough cost/benefit analysis on both short-term control implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path.

It’s important to keep in mind that PCI DSS compliance is not a one-time event but an ongoing process and, ultimately, a change to the way you do business. For instance, there will be long-term impacts including investments in training, personnel, and technology. Notice that technology is last here. PCI DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing.

STEP 2 Inventory Locations and Assets

If you have determined that you truly have a business need to process credit card data, step 2 on your checklist should be to inventory all credit card locations and assets. This seems simple enough, but it’s often where many organizations struggle. Computers and computer networks are complex, and so are the politics in many organizations. Unless there are strong governance practices in place, it can be easy to lose track of assets in a world of agile methodologies and the constant push for new product features.

You should be prepared to answer these fundamental questions about the PCI processing environment:

• What business processes use credit card data?

• Where is the cardholder data (CHD) stored?

• How is the cardholder data (CHD) accessed?

• What are the ports and protocols used when transmitting cardholder data (CHD)?

• What technology assets are involved in the data flow?

• Am I sure?

STEP 2 Inventory Locations and Assets Continued

That last question from the previous slide is an interesting one. When performing gap assessments, more often than not, you will find cardholder data flows that the customer was unaware of. PCI DSS is not satisfied by your best effort. If you have a breach, you may be on the hook for all those fraudulent transactions, as well as fines.

Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine if there is cardholder data outside your defined cardholder data flows and environments. Remember this is a process. You should expect to update inventories of flows and systems on an ongoing basis depending on business and technology changes.
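One way to do that sampling check on text-based data stores (logs, exports, dumps), as an added example that is not from the paper, AlienVault or Terra Verde: it finds digit runs that look like a PAN, keeps only those that pass the Luhn check so order numbers and timestamps are discarded, and reports masked values so the inventory report itself does not become a new CHD store. All function names and the sample sources are constructed for this example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run. (Added example, not from the paper.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    # Luhn mod-10 check: weeds out order numbers, timestamps and similar runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    # Keep first six and last four digits, the usual PCI DSS display mask.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Finding:
    source: str      # data store or file the PAN was found in
    line_no: int
    masked_pan: str  # never the full PAN: the report itself must not become CHD

def scan_text(source: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings

def scan_sources(sources: dict) -> list:
    # Run the check over a mapping of store name -> sampled text content.
    return [f for name, text in sources.items() for f in scan_text(name, text)]

# Constructed sample: a debug log outside the defined CHD flow and a CRM export.
# The card numbers are well-known test numbers, not real cards.
SAMPLE_SOURCES = {
    "app/debug.log": (
        "2015-10-13 10:01:02 order=1234567890123456 card=4111 1111 1111 1111 ok\n"
        "2015-10-13 10:01:03 order=1234567890123457 card=****1111 ok\n"
    ),
    "crm/export.csv": 'id,name,note\n7,Ada,"paid with 5500000000000004 by phone"\n',
}
```

Running `scan_sources(SAMPLE_SOURCES)` flags the debug log and the CRM export, both outside a typical defined card flow, while the order numbers and timestamps on the same lines are ignored.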

STEP 3 Segment the Environment

Now that you have located everything, it’s time to segment the technologies and, in some cases, the business processes that store, process, or transmit cardholder data. Even though PCI DSS does not require segmentation, it is a critical step in reducing short- and long-term costs.

Many organizations fail when they attempt to segment their environment for PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the entire organization, not realizing the impact on other business units that don’t handle cardholder data. Also, organizations might believe they have correctly segmented the PCI environment, only to find systems outside the segmented environment that process or store cardholder data.

To ensure that this doesn’t happen at your organization, make sure that you segment your processing environment and implement the inventory processes described above to validate whether cardholder data is flowing into environments where it shouldn’t. Lastly, implement strong governance (e.g. change management) practices to ensure systems are located in the correct network zones prior to being moved into production.

STEP 4 Operationalize Controls

Once controls are in a PCI DSS compliant state, the checklist changes to maintaining that compliant state. A plan should be put into place to address how PCI DSS controls will be affected when employee turnover, employee promotion and changing priorities occur. In fact, the PCI Standards Council made changes in PCI DSS v3.0 that enforce the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures.

This is, again, a common theme that many QSAs see when assessing organizations both big and small. The intent to be PCI compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps that your organization will face, as it may involve significant organizational change.

STEP 4 Operationalize Controls Continued

Here are some questions that may help you determine whether your PCI DSS control framework is operationalized for long-term success.

• Is there support and awareness from your senior leadership team or board?

• Is leadership fully aware of the contractual responsibility for securing cardholder data?

• Are control owners assigned to each PCI control, and do control owners understand their role in ensuring that the controls operate effectively?

• Do written procedures exist for managing all control processes outlined within PCI DSS?

• Do automated tools exist to help you operationalize ongoing security procedures (i.e. SIEM, vulnerability management, file integrity monitoring, etc.)?

• Do automated tools exist to monitor the effectiveness of control activities?

STEP 5 Automate Controls and Control Monitoring

The final step is actually a continuation of the concept of operationalizing controls. In order to ensure PCI compliance in the long term, you must automate control activities. The primary reason for this is that no matter how hard we try, we humans are fallible. By removing the human element we can ensure proper control execution as well as reduce the overall cost related to performing the controls.

Here is a list of processes that can be quickly automated, given the right set of tools and/or capabilities.

• Asset Discovery and Management

• Logging and Security Event Monitoring

• File Integrity Monitoring

• Incident Response Tracking

• Vulnerability Identification & Management

• Default Password Checks

• Firewall Rule Reviews

• Wireless Rogue Access Point Detection

• Access Provisioning & De-provisioning

AlienVault Unified Security Management (USM)

Asset Discovery and Management - An essential component of achieving PCI compliance is knowing what devices are in scope and their patch level. With AlienVault USM, you can automate the discovery and monitoring of the devices as well as the software deployed on them.

Logging and Security Event Monitoring - The AlienVault USM platform aggregates, correlates, and analyzes your security event data. Over 2000 correlation rules eliminate the need for manual correlation and analysis of events.

Incident Response Tracking - With USM, you can automatically identify and investigate security incidents with built-in threat intelligence, as well as manage the response.

File Integrity Monitoring - File Integrity Monitoring (FIM) tracks who has accessed sensitive data as well as what they did to that data. This provides a necessary audit trail and allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.

Default Password Checks - Built-in, automated vulnerability assessment identifies the use of weak and default passwords, and host IDS and FIM will alert on the use of default passwords.

Additional Resources

Demonstrating compliance with PCI DSS is far from a trivial exercise. Hopefully this checklist will help you on your quest to achieve and maintain PCI DSS compliance. Good luck!

To learn more about implementing and maintaining PCI DSS compliance, check out the following additional resources:

• Solution Page: How AlienVault technology can help you with PCI DSS compliance

• Webinar: PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting

• Solution Page: PCI DSS Log Management & Monitoring

• Solution Brief: Unify your Defenses and Accelerate PCI Compliance

• Video: The Easier, Faster Path to PCI Compliance


Learn More about AlienVault

At AlienVault, we’ve experienced firsthand just how frustrating and challenging security can be – the struggles with failing SIEM implementations; having to settle for inadequate security due to budget constraints; shelving hundreds of thousands of dollars of security software because it is just too hard to use; and, of course, the aftermath of security breaches that could have been prevented.

We founded AlienVault to help organizations of all shapes and sizes achieve world-class security without the headaches and huge expense of other solutions. And we are passionate about our mission.


Learn More about Terra Verde

Terra Verde has provided services to clients around the world. Large government agencies, Fortune 500 companies, and small single-practitioner offices have seen the value of our services and solutions. These services include assessing, designing and implementing technology solutions that are both secure and value-driven. As the largest Arizona-headquartered security provider, we are your local one-stop shop for all your security and compliance needs.