5 Steps to Prepare for a PCI DSS Assessment
If you hadn’t heard, NASA’s Artemis Program—the first endeavor to go back to the moon in 50 years—has stalled a bit. Though the new rocket—known as the Space Launch System—has been in the works for years, even now that it’s out on the pad and seemingly ready, the agency is taking its time to launch. That’s because NASA knows how high the stakes are—there are billions of dollars invested and their reputation as space explorers of the future is on the line.
You can never be too prepared for something so critical, and the same is true for your upcoming PCI DSS assessment. You might not be launching a rocket, but the prep for this compliance assessment is still a major task for any organization, no matter its size.
That’s because something just as delicate as a billion-dollar rocket hangs in the balance—personal information. If your organization stores, processes, or transmits credit card transactions, you’re required to comply with PCI DSS. The standard includes approximately 300 specific requirements (with even a few more in the new v4.0 release) —that specify the necessary framework for a secure payment environment.
To ensure you’re compliant, a PCI QSA must evaluate the details of your environment on a regular basis. But how do you prepare for something like that, especially if it’s your first time through this? Where to start?
As a PCI QSA that has performed hundreds of these assessments over many years now, we’re now going to provide 5 steps that will help any organization find its footing in PCI DSS preparation.
How to Prepare for Your PCI DSS Assessment
In using these 5 steps, you’ll simplify the necessary work ahead of your assessment and maximize the effort of relevant resources.
1. Complete a Risk Assessment.
Because the intention of PCI DSS is to reduce the risk of credit card breaches, it makes sense to start here by analyzing your risk. Every organization, regardless of if they’re in the payment security business or not, should understand how effectively manage its own risk—but for those of you processing transactions, it’s a must to complete detailed risk analysis on your environment.
That makes risk analysis that much more important. Now, your goals in this process should be to do the following:
- To determine the threats and vulnerabilities relevant to your services performed and assets;
- To identify gaps and track remediations of those gaps; and
- To define critical assets including hardware, software, and sensitive information - and then determine risk levels for those components.
With this information, you’ll be able to assign a prioritization level for reducing risk, e.g., prioritizing those relevant to systems that will be in scope for PCI DSS ahead of those other company systems and networks.
(If you need help in that area, read our article on the new scoping validation requirements under PCI DSS v4.0. This may be an area where you’d prefer to contract with a QSA firm to validate your scope.)
2. Document Policies and Procedures.
The risk assessment will tell you a lot—once it’s been completed, you’ll have a much clearer view of your security threats and risks. Now, you can begin determining your organization’s security posture.
Not only are policies and procedures a large part of the foundation for any security program, but they also comprise a large percentage of the PCI DSS requirements. Especially given the new version of the standard, your business leaders and department heads should first familiarize and arm yourselves with the details of the new PCI DSS requirements.
Together with the results of your risk analysis, you’ll be able to establish detailed security policies and procedures that both comply with the standard and are tailored to your business processes and security controls within the organization.
3. Identify Compliance Gaps.
Next, you’ll build upon this groundwork. Your key stakeholders and relevant personnel should by now understand the PCI DSS requirements—review them again in detail to discuss any potential compliance gaps and establish a remediation plan for closing those gaps.
At this point, it’s very important you have the full support of leadership who can authorize the necessary funds and manpower to implement any necessary remediation activities. Because even once the remediation plan is completed, it may also be reassuring at this stage to once again contract with a QSA firm for a gap analysis.
How would that help? They can either:
- Help determine high-level areas that would are not compliant; or
- Include a review much like a full PCI DSS assessment with the big difference being that you can miss a requirement and not “fail.”
Your QSA would review your security policies for accuracy and completeness while also helping identify any additional compliance gaps that need remediation before your full-scale assessment. Once you have your final control set in place, you’ll need to:
- Perform internal vulnerability scans;
- Contract with an Approved Scanning Vendor (ASV) to perform quarterly external scans; and
- Schedule the required annual penetration testing.
Typically, third parties perform these, though you’re only required to use one for the ASV scans. But it can take some time to schedule, perform, and remediate all the findings from these (if necessary). Understand that your PCI DSS assessment results will be delayed until the penetration test is completed so scheduling as early as you can is your best bet.
4. Conduct Training to Educate Employees.
After remediation activities are completed and policies and procedures are implemented, it’s time to pivot toward supporting the human element of payment card security through training and education:
- Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place.
- Incident responders should review NIST SP 800-61.
- Non-technical employees must be trained on general security awareness practices such as password protection, as well as how to spot possible phishing or social engineering attacks, etc.
- If software development is performed at your organization, OWASP offers training materials for secure coding guidelines.
All the security controls and policies you’ve just painstakingly put into place and remediated will provide no protection if your people don’t know how to operate the relevant tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, and mixed cases, is utterly useless if an employee writes it on a sticky note attached to their monitor.
5. Perform Maintenance.
You’ve addressed your risks through control implementation and remediated your gaps, you’ve put your security posture from pen to paper, and your people understand their roles in securing your payment card environment.
You’re ready for your full-scale PCI DSS assessment, but until that time, you should enter a “maintenance mode:”
- Conduct periodic internal audits
- Hold regular committee meetings
- Perform risk assessments
- Update policies, procedures, and security controls as necessary to ensure you respond to an ever-changing threat landscape.
The standards mandated by PCI DSS must become integrated into your everyday operation so that you not only remain secure but also ease the burden of your annual assessments.
Moving Forward with Your PCI DSS Assessment
Bob Russo, head of the PCI SSC said:
“In the case of the PCI standards, it's especially important that it does not become a once-a-year event like people think of when they think of compliance…You can be in compliance today and be totally out of compliance tomorrow.”
You now have 5 clear steps to take ahead of your PCI DSS assessment, so you’re ready to make like NASA and prepare to the fullest. But a lot rests on your knowledge of the requirements—something that might be made trickier now with the release of the updated version of the standard after so many years.
To help with that, please read our other articles that delve deeper into the new details of PCI DSS v4.0:
About PHIL DORCZUK
Phil Dorczuk is a Senior Associate with Schellman. Prior to joining Schellman, LLC in 2013, Phil worked as a PCI DSS auditor with Coalfire Systems and a consultant at GTRI. At Coalfire, Phil specialized in PCI DSS audits and gap assessments and at GTRI specialized in Cisco network equipment installation and configuration.