You receive a letter from your bank: “Congratulations, you just passed 2.5M credit card impressions in the last 12 months.” (Break out the Champagne). “We noticed we don’t have a PCI DSS AOC for you, would you kindly upload it to our portal?” (Screeeeeech!).
What’s a PCI DSS AOC? We’re glad you asked.
The Payment Card Industry Security Standards Council (the PCI SSC, led by the big five card brands) has developed a minimum set of physical, computational, and governance standards known as the Data Security Standard (PCI DSS) that all credit card issuers, merchants, and processors have signed on to in their contract with their acquiring bank. An Attestation of Compliance (AOC) is the document that attests that all of the applicable parts of the standard have been, and are being, adhered to.
Sounds simple enough, there are twelve requirements, how hard can it be?
In fact, putting together a program that meets PCI’s rigor can be a major task.
At a high level, the 12 requirements cover (This is not an exhaustive list)
- All network types and restrictions are documented and approved.
- Hardening guides exist for all types of equipment used, no unnecessary tools, applications, or services are provisioned within the cardholder data environment (CDE).
- Evidence that the configurations are all implemented as documented and that they are functioning as intended.
- Appropriate cryptographic schemes for both storage and transmission of the cardholder data.
- Anti-malware protection and intrusion detection mechanisms.
- Robust software development, maintenance, and change management processes.
- A comprehensive role-based access mechanism has been implemented.
- Identity and access mechanisms, as well as login security with VPNs and multi-factor authentication, are in place.
- Physical security of all the in-scope assets meets all the requirements (including credit card readers, point of sale terminals, paper, and backup tapes with CHD).
- Logging and alerting mechanisms exist and are functioning.
- The various forms of required testing of the environment are taking place regularly (21 distinct test reports are the minimum needed each year).
- All the training, policies, procedures, and third-party responsibilities are well understood by all involved. Incident response training and control failure response is ongoing.
In practice, your program will look something like this:
- First, you have to determine whether you are a Merchant or a Third Party Service Provider (TPSP) since TPSP’s are not allowed to submit some of the Attestation types. The difference is primarily on who owns the Merchant bank account, you (you are the Merchant), or your customer/client (you are a TPSP).
- The next thing is to find out from the bank whether they will allow you to submit a Self Assessment Questionnaire, or whether they want a Qualified Security Assessor (QSA) to do a full Report on Compliance (ROC). The Standard has 12 requirements, and 254 sub-requirements but the full report on compliance contains a minimum of 1114 questions to answer, since some of them ask “For each of the things you just identified, tell us... “. A QSA can assist with an SAQ too, so you can shorten the learning curve. Though the security requirements are the same, the SAQs tend to contain a specific subset of the full ROC from a validation perspective and don’t require the evidence to be spelled out in detail the way a full ROC does.
- The hardest part for most organizations is figuring out the scope of the assessment. PCI scope is defined as the people, processes, and technologies that store, process or transmit cardholder data, connected systems, and the systems that can affect the security of that data. This will cover all of your retail outlets, web-sites, data processing facilities, phone-based ordering and support mechanisms, offsite storage of backups, even the mobile apps developed for an agent or consumer use. A comprehensive inventory of all networks, hardware, software, and applications within the scope, and network diagrams and data flow diagrams will be needed.
- You also need to have a formal governance program with explicit policies and procedures covering each of the 254 sub-requirements.
- Once the scope is determined, the configuration instructions and implementation records need to be complete and available to show to the QSA. You may need to re-create some of the identity and access management or role and privileges documentation if you have an otherwise stable but aging environment.
- For the actual assessment, a minimum of one example (for first-time assessments), or a year’s worth (if this is a second or subsequent assessment) of both the Administrative and Technical controls will need to be demonstrated to be functioning.
- Various records of implementation, changes, training, and testing all need to have been created and preserved.
- A regular cadence of reviews and testing every quarter will have to be created.
- Some tasks are required to be demonstrated as occurring “at least annually”, so it’s a good idea to preserve most records for at least two years.
- The assessor is required to interview samples of your staff to make sure they understand the policies and procedures and/or know-how to manage and troubleshoot the infrastructure.
- If any part of the environment is outsourced, your due diligence records of vendor selection and your continued management and oversight of the vendor(s) will come into play.
So your PCI DSS compliance checklist should encompass at least the following:
- Merchant or Service Provider.
- SAQ or ROC.
- Network and data flow diagrams.
- Governance policies and procedures.
- Standards for configurations and issues such as data retention and disposal, roles, frequencies of reviews.
- Calendar of required reviews and tests which produces many different kinds of records generated by operations and maintenance, plus documented quarterly management oversight of the environment.
- Knowledgeable staff who can answer the interview and observation portions of the assessment.
- Vendor management records.
All this is a lot to ask of the various departments involved: IT, Network managers, Legal, Software Development, DevOps, Support, Sales Associates, Customer Satisfaction teams, HR, and vendors. It’s also a lot of very specific and detailed information to validate and preserve. If all the above seems as daunting as a climb of Mt Everest, a Qualified Security Assessor is trained annually on all the requirements and how to determine if they are appropriate to your environment. Call Truvantis where we can provide any combination of a Virtual Chief Information Security Officer (vCiso) service to manage the entire program, our professional services team who can assist in creating and validating every aspect of the program, and our QSA team who can perform an assessment, write up the formal reports and provide the correct form of Attestation of Compliance at the end. Now you can break out the Champagne.