A Framework for PCI DSS 2.0 Compliance Assessment and Remediation
By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.
Executive Summary
The Payment Card Industry Data Security Standard (PCI DSS) 2.0 [1] is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.
This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. This paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.
Our PCI Compliance Approach
PCI security for merchants and payment card processors is the vital result of information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).
Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase. [2] Each phase can be executed independently of the other and is then followed by reporting.
Assessment Phase
In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:
• Data gathering (typically three weeks).
• Current state assessment (typically two weeks).
• Gap assessments (typically three weeks).
• Future state roadmap (typically two weeks).
The duration of the assessment phase can differ based on the size of the client infrastructure — the number of devices in the cardholder data environment. Figure 1 shows an example assessment-phase plan.
Cognizant 20-20 Insights | February 2013
PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:
• Network infrastructure.
• Encryption and data protection.
• Vulnerability management.
• Access control.
• Network monitoring.
• Security policies management.
Data gathered is then assessed for gaps across each of these six areas. The gaps in the current “as is” state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve “future” state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:
• Network inventory.
• Software inventory.
• Current state network diagram of the cardholder data environment.
• Inventory of tools and utilities identified.
• Current state policies.
• Gap assessment matrix of PCI controls.
• Best practices followed (if applicable).
• Future state roadmap.
Remediation Phase
During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on gaps found during the assessment phase. Typical activities during this phase include:
• Planning (typically, four to six weeks).
• Designing (eight to 10 weeks).
• Building (12 to 15 weeks).
• Verifying (14 to 16 weeks).
• Deploying (varies).
• Reassessing for report on compliance (ROC) (eight to 10 weeks).
The reassessment (which includes any final remediation as needed) is conducted in conjunction with a QSA-approved third-party assessor to obtain a Report on Compliance (ROC). Figure 2 illustrates a remediation-phase plan.
During the planning phase, there are multiple workshops held with a core group of personnel that will include both company resources as well as our consultants.
Overcoming Compliance Issues
There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:
• Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).
Figure 1: Assessment Phase Planning. Gantt chart over week numbers 1 to 11: Data Gathering (3 weeks), Current State Assessment (2 weeks), Gap Assessment (3 weeks), Roadmap to Future State (2 weeks).
Figure 2: Remediation Phase Planning. Gantt chart over week numbers 1 to 46: Plan (4-6 weeks), Design (8-10 weeks), Build (12-15 weeks), Verify (14-16 weeks), Deploy (varies), Reassess for ROC (10 weeks).
• Unavailability of skilled personnel required to both understand and maintain the security of the credit card data environment.
• No experience executing the required activities, either for first-time PCI DSS compliance or, once PCI DSS compliant, for maintaining compliance over the next compliance cycle.
• Lack of both awareness of industry best practices and experience with relevant tools available that fit the requirements for the company’s environment.
In our experience, we have found that companies end up investing in the wrong tools and wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company’s liabilities.
PCI DSS Compliance Services Benefits
We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.
To execute a PCI compliance program, we provide tools that support its entire lifecycle, from planning, to design and build, to testing and through validation.
The key benefits of our PCI compliance framework include:
• The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
• Our structured, efficient and practical operational implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
• Whether it’s a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
• The implementation results in best-in-class, cost-effective and easily maintainable PCI DSS compliance.
• On-the-job, environment-relevant training enables organizations to best fit personnel to function.
• Our large pool of experienced consultants across various industry verticals have experience utilizing technology to enable and protect the client’s business.
• Program management capabilities for smoothly managing complex compliance programs.
PCI DSS 2.0 Compliance Work in Action
We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:
• Program management for the PCI remediation program.
• Delivery of security tools from design and install to operations.
• Design and architectural expertise across the client’s infrastructure.
• Remediation of all findings during the PCI assessment for ROC activities.
The entire engagement was delivered in 11 months using a team of 21 professionals working with the client’s 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.
Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps implementing 290 PCI controls, but also incorporated the scope change working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 (next page) shows the extent of work accomplished.
Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 (on page 5) illustrates a progress card created each week in pursuit of ROC readiness.
Figure 5 (on page 5) shows how a tracker is used to reveal readiness to attain an ROC.
Figure 3: PCI Remediation System, Device and Process Impacts
Figure 6 (on page 6) highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.
The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: “We were on schedule and under budget by $500K. It was an amazing achievement for the entire team.”
Figure 3 data (Program Accomplishments, PCI 1.2.1 & 2.0 Compliance):
Tools: newly implemented 12; modified 1; phased out 2.
Programs: newly implemented 3; modified 5; phased out 2.
Processes: process flows newly created 30, modified 3, phased out 4; project management processes followed 8; project templates created and used 7.
Systems touched: applications 8; servers 40; operating systems and DBs 9; POS devices 1,071; desktops 1,418; laptops 300; client proprietary systems 97; JBM machines 850; WCSs 1; jump boxes 4.
Network devices touched: routers 1,039; switches 3; wireless access points 89; WLCs 2; firewalls 6; content switches 2; modems 1,200; VPN concentrators 2; devices with NTP configuration 1,320.
Policy, procedures, standards: policies created 11, modified 2, phased out 1; procedures created 21, modified 0; standards created 31.
Others: stores touched 1,824; runbooks created 10; user accounts cleaned 37,000; new service implementations 7; service implementation modifications 1; VA and pen test remediations performed (149, 6); business justification docs created 3; people given security awareness training 885; RFCs created 282; anti-virus upgrades 1,718; critical security patches applied on 300 devices; stores with hardware encryption 1,110; stores converted from MPLS to broadband 16; new vendor contracts created 1; vendor contracts modified 8; scope reduction work streams 7; scope increase activities 4.

Figure 4: PCI Controls: Weekly Progress. Line chart of the number of PCI controls (0 to 300) by status at each weekly checkpoint from 3/27 to 5/22; legend: In Place, Assessments, N/A, In-progress. Data labels read from the chart (the In Place and N/A series are identified by their trend; the other two series are Assessments and In-progress, in an order the extraction does not preserve):
Checkpoint: 3/27, 4/13, 4/20, 4/26, 5/2, 5/4, 5/7, 5/9, 5/11, 5/15, 5/18, 5/22
In Place: 45, 58, 68, 100, 130, 145, 172, 180, 205, 212, 229, 247
N/A: 18, 19, 20, 22, 39, 42, 41, 41, 41, 43, 43, 43
Series A: 29, 60, 73, 75, 16, 74, 44, 40, 24, 22, 13, 0
Series B: 154, 109, 85, 49, 105, 29, 33, 29, 20, 13, 5, 0
(The four series sum to 246 controls per checkpoint through 4/26 and to 290 from 5/2 onward, consistent with the scope change described above.)

Appendix
PCI Background [3]
“Assess” is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. “Remediate” is the process of fixing those vulnerabilities. “Report” entails compiling records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.
PCI DSS 2.0 Requirements
PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.
Step 1: Assess
• The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process, including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.
Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitations and where to direct remediation.
• Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
• Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.
Figure 5: Tracking PCI Readiness for ROC Status. Stacked horizontal bar chart (0% to 100%) of control status per requirement; legend: N/A, In-place, In-progress, Not-started. Bars, with the number of controls in parentheses: Comp Control (4), Req1 (25), Req2 (24), Req3 (34), Req4 (9), Req5 (6), Req6 (32), Req7 (7), Req8 (32), Req9 (28), Req10 (29), Req11 (24), Req12 (40).

Figure 6: Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas. PCI Remediation: Project Timeline Dashboard dated 11-Mar-11, with a weekly Gantt strip (2/20 to 4/23, Feb to Apr) and the status table below. Status bands: In Progress (variance <10%), At Risk (variance 10-19%), Late (variance >19%), Completed, On-hold, Not Started. The percentage columns are tasks complete as of 2/29, tasks complete as of 3/11 (current), the plan, and the variance of current against plan. Overall program: 90% | 98% | 100% | -2%.
Workstream | ID | Owner | Start | End | 2/29 | 3/11 | Plan | Var | Status
Scope Reductions | - | - | - | - | 78% | 98% | 100% | -2% | -
Scope Reduction Activity A | - | Joyce A J | 6/1 | 10/3 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity B | - | Michael A | 6/1 | 7/31 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity C | - | John G | 1/9 | 3/17 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity D | - | John G | 2/27 | 3/19 | 13% | 99% | 100% | -1% | In Progress
Network Infrastructure | 1.1 | - | - | - | 99% | 99% | 100% | -1% | -
Firewall Configuration / Routers | 1.1.1 | Anna P | 9/6 | 3/15 | 96% | 99% | 100% | -1% | In Progress
Vendor Defaults | 1.1.2 | John G | 7/13 | 11/15 | - | - | - | - | Completed
System Configurations | 1.1.3 | John G | 8/8 | 11/15 | - | - | - | - | Completed
Password Encryption | 1.1.4 | Pam A | 7/13 | 10/12 | - | - | - | - | Completed
Encryption and Data Protection | 1.2 | - | - | - | 94% | 99% | 100% | -1% | -
Data Storage and Retention | 1.2.1 | John G / Anna P | 10/19 | 4/6 | 92% | 99% | 100% | -1% | In Progress
Data Transmission | 1.2.2 | John G / Anna P | 11/8 | 3/28 | 92% | 99% | 100% | -1% | In Progress
Encryption of Keys (PIN, PAN) | 1.2.3 | John G / Anna P | 10/3 | 4/2 | 90% | 99% | 100% | -1% | In Progress
Data Protection | 1.2.4 | Pam A | 8/19 | 3/28 | 98% | 100% | 100% | - | Completed
Vulnerability Management | 1.3 | - | - | - | 95% | 99% | 100% | -1% | -
Anti-virus | 1.3.1 | Pam A | 7/18 | 4/3 | 95% | 98% | 100% | -2% | In Progress
Patch Management | 1.3.2 | Pam A | 7/25 | 4/5 | 97% | 99% | 100% | -1% | In Progress
Vulnerability Management | 1.3.3 | Anna P | 10/3 | 4/6 | 93% | 99% | 100% | -1% | In Progress
Software Life Cycle Management | 1.3.4 | Pam A | 6/1 | 4/6 | 92% | 99% | 100% | -1% | In Progress
Web Application Firewalls | 1.3.5 | John G | 9/19 | 2/3 | 99% | 99% | 100% | -1% | In Progress
Access Control | 1.4 | - | - | - | 77% | 99% | 100% | -1% | -
Access Control | 1.4.1 | Anna P | 9/1 | 3/28 | 99% | 99% | 100% | -1% | In Progress
Two Factor Authentication | 1.4.2 | Anna P | 9/28 | 3/31 | 71% | 99% | 100% | -1% | In Progress
RADIUS | 1.4.3 | Pam A | [illegible] | 3/31 | 71% | 99% | 100% | -1% | In Progress
Password Management | 1.4.4 | John G / Pam A | 9/28 | 3/31 | 71% | 75% | 85% | -10% | In Progress
Facility Management | 1.4.5 | Peter K | 9/28 | 3/31 | 71% | 75% | 85% | -10% | In Progress
Physical User Access | 1.4.6 | Peter K | 9/28 | 3/31 | 71% | 75% | 90% | -15% | In Progress
Storage Media | 1.4.7 | Peter K | 9/28 | 3/31 | 71% | 75% | 90% | -15% | In Progress
Network Monitoring | 1.5 | - | - | - | 62% | 87% | 100% | -13% | -
Audit Logging | 1.5.1 | Anna P | 10/12 | 4/15 | 82% | 94% | 100% | -6% | In Progress
Time Synchronization (NTP) | 1.5.2 | Pam A | 9/30 | 4/10 | 98% | 99% | 100% | -1% | In Progress
Wireless Access Monitoring | 1.5.3 | John G / Pam A | 10/19 | 4/20 | 79% | 90% | 100% | -10% | In Progress
Internal / External Vulnerability Scanning | 1.5.4 | Peter K | 12/15 | 4/10 | 75% | 90% | 100% | -10% | In Progress
Internal / External Penetration | 1.5.5 | Peter K | 2/27 | 4/10 | 76% | 83% | 100% | -17% | In Progress
Intrusion Detection | 1.5.6 | Pam A | 10/11 | 4/10 | 69% | 99% | 100% | -1% | In Progress
File Integrity Monitoring | 1.5.7 | John G | 10/11 | 4/7 | 69% | 99% | 100% | -1% | In Progress
Security Policies Management | 1.6 | - | - | - | 62% | 87% | 100% | -13% | -
Security Policy | 1.6.1 | Pam A | 10/19 | 4/5 | 49% | 100% | 100% | 0% | Completed
Use Policy | 1.6.2 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Information Security Policy | 1.6.3 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Security Awareness | 1.6.4 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
HR Policy | 1.6.5 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Vendor Policies | 1.6.6 | Mike A | 10/7 | 12/5 | - | - | 100% | - | Completed
Incident Response Planning | 1.6.7 | Mike A | 11/7 | 1/27 | - | - | 100% | - | Completed
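A small tracker that rebuilds the two roll-ups behind the readiness chart and the timeline dashboard (Figures 5 and 6), as an added example that is not code from the paper or from Cognizant. The control list and workstream rows are constructed samples, and the definition of variance as current minus plan (in percentage points) is an assumption taken from the dashboard's column layout.

```python
"""Readiness tracker for a PCI DSS remediation program (added example).
Rebuilds the two roll-ups behind the paper's trackers: control status per
requirement (Figure 5) and workstream schedule variance banded like the
timeline dashboard (Figure 6). All records below are constructed samples."""
from collections import Counter, defaultdict

STATUSES = ("In-place", "In-progress", "Not-started", "N/A")

# Constructed sample (requirement, control id, status); a real program loads
# this from the gap assessment matrix produced in the assessment phase.
CONTROLS = [
    ("Req1", "1.1.1", "In-place"), ("Req1", "1.1.2", "In-place"),
    ("Req1", "1.1.3", "In-progress"), ("Req1", "1.1.5", "N/A"),
    ("Req5", "5.1", "In-place"), ("Req5", "5.2", "Not-started"),
    ("Req11", "11.2", "In-progress"), ("Req11", "11.3", "Not-started"),
]
# Constructed sample (workstream, conceptual area, current %, plan %).
WORKSTREAMS = [
    ("Firewall Configuration / Routers", "Network Infrastructure", 96, 99),
    ("Password Management", "Access Control", 71, 75),
    ("Internal / External Penetration", "Network Monitoring", 76, 83),
    ("Audit Logging", "Network Monitoring", 82, 94),
    ("Security Policy", "Security Policies Management", 100, 100),
]

def requirement_readiness(controls):
    """Per requirement: total, N/A count and percentage of applicable controls
    in each status (N/A excluded from the denominator), as a stacked bar shows."""
    by_req = defaultdict(Counter)
    for req, _cid, status in controls:
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        by_req[req][status] += 1
    report = {}
    for req, counts in by_req.items():
        applicable = sum(counts[s] for s in STATUSES if s != "N/A")
        row = {"total": sum(counts.values()), "na": counts["N/A"]}
        for s in STATUSES[:-1]:
            row[s] = round(100 * counts[s] / applicable, 1) if applicable else 0.0
        report[req] = row
    return report

def variance_status(current_pct, plan_pct):
    """Band a workstream as the dashboard legend does. Variance is assumed to be
    current minus plan in percentage points, so a slip against plan is negative."""
    variance = current_pct - plan_pct
    if current_pct >= 100:
        return "Completed", variance
    slip = -variance
    if slip < 10:
        return "In Progress", variance
    if slip <= 19:
        return "At Risk", variance
    return "Late", variance

def area_rollup(workstreams):
    """Average each conceptual area's workstreams and band the result, mirroring
    the area summary rows of the dashboard."""
    by_area = defaultdict(list)
    for _name, area, current, plan in workstreams:
        by_area[area].append((current, plan))
    rollup = {}
    for area, rows in by_area.items():
        current = sum(c for c, _ in rows) / len(rows)
        plan = sum(p for _, p in rows) / len(rows)
        status, variance = variance_status(current, plan)
        rollup[area] = (round(current, 1), round(plan, 1), round(variance, 1), status)
    return rollup
```

Feeding the full gap assessment matrix and weekly task counts into these two functions gives the per-requirement bars and the banded area rows each week without re-keying the dashboard by hand.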
Step 2: Remediate
Remediation is the process of fixing vulnerabilities — including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:
• Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
• Reviewing and remediating vulnerabilities found in on-site assessment (if applicable) or through the self-assessment questionnaire process.
• Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
• Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
• Re-scanning to verify that remediation actually occurred.
Step 3: Report
Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.
About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.
© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
About the Author
Vibha Tyagi is a Principal Consultant within Cognizant’s IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master’s degree in electrical engineering and an M.B.A. from the University of Chicago’s Booth Graduate School of Business. She can be reached at [email protected] | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.
Footnotes
1 PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.
2 The time for each of the phases varies, based on the client’s infrastructure footprint and current state of IT processes.
3 This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.