Lecture_259.pdf
School: University of Toronto


Course: 568
Subject: Information Systems
Date: Dec 6, 2023
Type: pdf
Pages: 2
Uploaded by ColonelOysterMaster630

239 Managing a PCI DSS Project to Achieve Compliance

You want to engage the ISA or QSA to help you with Step 7 below. PCI assessments are an annual process, where all components that are a part of how your company stores, processes, and transmits cardholder data are assessed. You can find a list of QSAs at the PCI Council’s website. Keep in mind, Level 1 merchants are not required to use a QSA, and in fact can self-assess after having an employee complete the Internal Security Assessor program. Many companies opt to go the QSA route, but remember that hiring a QSA does not transfer your liability to that QSA if you have a breach. You are still ultimately responsible for your ongoing compliance.

Step 7: Perform a Gap Analysis

After your team has gone through the SAQ, the network scan results, and potentially the reports from your QSA including a ROC, you now must prepare a document that lists out the gaps in your compliance. Your gap analysis document will set the stage for the creation of your compliance plan. To assist with your gap analysis, you should put together a worksheet that lists each requirement and indicates whether you are compliant or not. You can also use the worksheet to initially assign the requirement to a compliance team member.

Part of your plan should include building out some very basic documentation, from a data flow map for all of your card data to a list of in-scope systems. For those of you who must validate as a Level 1, you will already be required to do this. For those of you who are filling out an SAQ, this is required both for compliance and to drive your compliance process.

Step 8: Create PCI DSS Compliance Plan

Following the steps above, you now have the steps needed to create your PCI compliance plan. As discussed throughout this chapter, you should take all these elements and bring them into your compliance plan.
Your plan should include the gaps that are standing in the way of your PCI DSS compliance efforts and what your organization plans to do to stay compliant year after year. Once all the gaps are closed, your compliance plan will be the live document that ensures you stay compliant with PCI DSS. If you need guidance on which gaps to tackle first, consider looking at the Prioritized Approach for PCI DSS and the accompanying tool in the Document Library section of the PCI Council’s website.

Step 9: Prepare for Annual Assessment of Compliance Validation

To maintain compliance, you should start over at Step 1 and begin the process again every year. The good news is that most of what you need to do is already complete, and you are mainly validating that you are still PCI DSS compliant.

THE PCI DSS PRIORITIZED APPROACH

For those companies that feel lost among the mountain of remediation that needs to be done, the PCI Council may have some help for you. The Council publishes the Prioritized Approach for PCI DSS and continues to maintain and update that document as they publish changes to PCI DSS. While the approach provides guidance to those individuals responsible for steering a PCI compliance project to completion, it needs to be customized for each organization to most efficiently meet your needs. There are two documents available for download—a written document outlining the approach and a spreadsheet to help manage your process.

NOTE
How can you use the PCI Prioritized Approach to make PCI DSS easy for you?
• Use the document to plan your PCI project from current state to compliant and secure state.
240 PCI Compliance

• Use the spreadsheet for ongoing planning of the next steps and identifying weak areas/next area to handle.
• Use the spreadsheet to track the status and create a report of compliance status for senior managers.

The PDF document describes the approach and gives some background on why the approach was created; it describes objectives, and it outlines the six milestones in their plan. The other document is a spreadsheet that contains the entire PCI DSS with a milestone number next to each requirement. Most companies that use this tool will add more columns to it to bring in their assessment data and will change the milestones to be in line with their particular project milestones. If you have no milestones defined, use these as a reference. Remember, you will probably need to adjust the milestones to fit more appropriately into your company’s current compliance plan.

THE VISA TIP

While the Technology Innovation Program (TIP) is only from one of the payment brands, we felt it necessary to cover it here in this chapter as it is potentially a nice shortcut to obtaining compliance. One of the loudest complaints we hear from folks who feel that PCI DSS is forced upon them goes something like this: “If the payment system would just be secure, we wouldn’t need this thing!” While that is technically correct, payment security is absolutely a shared responsibility. A secure payment system is a start, but so are secure enterprises.

As of this writing, the Visa TIP still allows companies to bypass specific annual reporting requirements by meeting a certain minimum set of standards. Unlike the Compliance Acceleration Program (CAP), which used fines and interchange penalties to motivate merchants to comply with PCI DSS, there is no true financial incentive to participate in the TIP today outside of lower compliance validation fees.
In order to qualify for the benefits of the program, merchants must meet the following baseline:

• Validate PCI DSS compliance within the previous 12 months, or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
• Confirm that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
• The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.
• 75% of your transactions must originate through any combination of enabled and operational chip-reading terminals (US merchants must have dual-interface terminals to support contactless), a PCI-validated Point-to-Point Encryption (P2PE) solution, or an industry-standard tokenization solution that meets EMVCo’s tokenization specification.

An enabled device under this program means that your payment terminal must accept and process an EMV or contactless card (not just be capable of doing this). Note that the transaction itself does not need to be EMV or contactless, but the terminal must be capable of processing both of those payment types. Merchants that have upgraded their terminals with a slot for EMV and a contactless reader but cannot accept either in exchange for goods and services do not meet this requirement.

The TIP does not address card-not-present transactions, but that transaction volume is included in the numbers used to determine the 75% qualifying level. If this is an issue, consider any number of strategies that could remove those transactions from the counts, such as outsourcing card-not-present processing or creating a separate merchant relationship for your online store.