A Framework for PCI DSS 2.0 Compliance Assessment and Remediation



A plan for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 2.0, involving assessment, remediation and reporting. We offer instructions for each step to ensure that credit cardholder data and information is safeguarded.


  1. Cognizant 20-20 Insights

     A Framework for PCI DSS 2.0 Compliance Assessment and Remediation

     By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.

     Executive Summary

     The Payment Card Industry Data Security Standard (PCI DSS) 2.0 [1] is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.

     This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. This paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

     Our PCI Compliance Approach

     PCI security for merchants and payment card processors is the vital result of information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).

     Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase. [2] Each phase can be executed independently of the other and is then followed by reporting.

     Assessment Phase

     In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

     • Data gathering (typically three weeks).
     • Current state assessment (typically two weeks).
     • Gap assessments (typically three weeks).
     • Future state roadmap (typically two weeks).

     The duration of the assessment phase can differ

     cognizant 20-20 insights | february 2013
  2. based on the size of the client infrastructure — the number of devices in the cardholder data environment. Figure 1 shows an example for constructing an assessment-phase plan.

     [Figure 1: Assessment Phase Planning. Gantt chart over week numbers 1 to 11: Data Gathering, 3 weeks; Current State Assessment, 2 weeks; Gap Assessment, 3 weeks; Roadmap to Future State, 2 weeks.]

     PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:

     • Network infrastructure.
     • Encryption and data protection.
     • Vulnerability management.
     • Access control.
     • Network monitoring.
     • Security policies management.

     Data gathered is then assessed for gaps across each of these six areas. The gaps in the current “as is” state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve “future” state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:

     • Network inventory.
     • Software inventory.
     • Current state network diagram of the cardholder data environment.
     • Inventory of tools and utilities identified.
     • Current state policies.
     • Gap assessment matrix of PCI controls.
     • Best practices followed (if applicable).
     • Future state roadmap.

     Remediation Phase

     During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on gaps found during the assessment phase. Typical activities during this phase include:

     • Planning (typically, four to six weeks).
     • Designing (eight to 10 weeks).
     • Building (12 to 15 weeks).
     • Verifying (14 to 16 weeks).
     • Deploying (varies).
     • Reassessing for report on compliance (ROC) (eight to 10 weeks).

     The reassessment (which includes any final remediation as needed) is conducted in conjunction with a (QSA approved) third-party assessor to gain a report of compliance. Figure 2 illustrates a remediation-phase plan.

     [Figure 2: Remediation Phase Planning. Gantt chart over week numbers 1 to 46: Plan, 4-6 weeks; Design, 8-10 weeks; Build, 12-15 weeks; Verify, 14-16 weeks; Deploy, varies; Reassess for ROC, 10 weeks.]

     During the planning phase, there are multiple workshops held with a core group of personnel that will include both company resources as well as our consultants.

     Overcoming Compliance Issues

     There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

     • Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).
  3. • Unavailability of skilled personnel required to both understand and maintain the security of the credit card data environment.
     • No experience executing activities required, either in first time PCI DSS compliance or, once PCI DSS compliant, in maintaining compliance over the next cycle of compliance.
     • Lack of both awareness of industry best practices and experience with relevant tools available that fit the requirements for the company’s environment.

     In our experience, we have found that companies end up investing in the wrong tools and wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company’s liabilities.

     PCI DSS Compliance Services Benefits

     We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.

     To execute a PCI compliance program, we provide tools that help all along its entire lifecycle, from planning, to design and build, to testing and through validation.

     The key benefits of our PCI compliance framework include:

     • The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
     • Our structured, efficient and practical operational implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
     • Whether it’s a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
     • Implementation benefits result in best-in-class, cost-effective and easy maintainability of PCI DSS compliance.
     • On-the-job, environment-relevant training enables organizations to best fit personnel to function.
     • Our large pool of experienced consultants across various industry verticals have experience utilizing technology to enable and protect the client’s business.
     • Program management capabilities for smoothly managing complex compliance programs.

     PCI DSS 2.0 Compliance Work in Action

     We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

     • Program management for the PCI remediation program.
     • Delivery of security tools from design and install to operations.
     • Design and architectural expertise across the client’s infrastructure.
     • Remediation of all findings during the PCI assessment for ROC activities.

     The entire engagement was delivered in 11 months using a team of 21 professionals working with the client’s 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.

     Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps implementing 290 PCI controls, but also incorporated the scope change working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 (next page) shows the extent of work accomplished.

     Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 (on page 5) illustrates a progress card created each week in pursuit of ROC readiness.

     Figure 5 (on page 5) shows how a tracker is used to reveal readiness to attain an ROC.
  4. [Figure 3: PCI Remediation System, Device and Process Impacts. Table of program accomplishments giving counts of items implemented, created, modified, touched or phased out, grouped under Tools, Programs, Processes, Systems, Network Devices, Policy/Procedures/Standards, and Others.]

     Figure 6 (on page 6) highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.

     The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: “We were on schedule and under budget by $500K. It was an amazing achievement for the entire team.”

     Appendix

     PCI Background [3]

     “Assess” is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. “Remediate” is the process of fixing those vulnerabilities. “Report” entails compiling records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

     PCI DSS 2.0 Requirements

     PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

     Step 1: Assess

     • The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process,
  5. including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

     Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitations and where to direct remediation.

     • Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
     • Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.

     [Figure 4: PCI Controls: Weekly Progress. Chart of the number of PCI controls (axis 0 to 300) by status (In-place, N/A, In-progress) at assessments dated 3/27 through 5/22.]

     [Figure 5: Tracking PCI Readiness for ROC Status. Stacked bars on a 0% to 100% axis showing controls by status (N/A, In-place, In-progress, Not-started) for Req1 (25), Req2 (24), Req3 (34), Req4 (9), Req5 (6), Req6 (32), Req7 (7), Req8 (32), Req9 (28), Req10 (29), Req11 (24), Req12 (40) and Comp Control (4).]
  6. [Figure 6: Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas. PCI Remediation: Project Timeline Dashboard, dated 11-Mar-11, with a weekly timeline for Feb, Mar and Apr (2/20, 2/27, 3/5, 3/12, 3/19, 3/26, 4/2, 4/9, 4/16, 4/23). Column headings as extracted: Project Name, Proj #, Owner, Start, End, % Tasks, % Tasks, % Tasks, % Var, Status; the percentage columns are labeled 2/29, 3/11, Current, Plan, Variance. Rows follow in source order.]

     Overall: 90% 98% 100% -2%

     Scope Reductions: 78% 98% 100% -2%
       Scope Reduction Activity A, Joyce A J, 6/1, 10/3, 100% 100% 100% -, Completed
       Scope Reduction Activity B, Michael A, 6/1, 7/31, 100% 100% 100% -, Completed
       Scope Reduction Activity C, John G, 1/9, 3/17, 100% 100% 100% -, Completed
       Scope Reduction Activity D, John G, 2/27, 3/19, 13% 99% 100% -1%, In Progress

     Network Infrastructure (1.1): 99% 99% 100% -1%
       Firewall Configuration / Routers, 1.1.1, Anna P, 9/6, 3/15, 96% 99% 100% -1%, In Progress
       Vendor Defaults, 1.1.2, John G, 7/13, 11/15, - - - -, Completed
       System Configurations, 1.1.3, John G, 8/8, 11/15, - - - -, Completed
       Password Encryption, 1.1.4, Pam A, 7/13, 10/12, - - - -, Completed

     Encryption and Data Protection (1.2): 94% 99% 100% -1%
       Data Storage and Retention, 1.2.1, John G / Anna P, 10/19, 4/6, 92% 99% 100% -1%, In Progress
       Data Transmission, 1.2.2, John G / Anna P, 11/8, 3/28, 92% 99% 100% -1%, In Progress
       Encryption of Keys (PIN, PAN), 1.2.3, John G / Anna P, 10/3, 4/2, 90% 99% 100% -1%, In Progress
       Data Protection, 1.2.4, Pam A, 8/19, 3/28, 98% 100% 100% -, Completed

     Vulnerability Management (1.3): 95% 99% 100% -1%
       Anti-virus, 1.3.1, Pam A, 7/18, 4/3, 95% 98% 100% -2%, In Progress
       Patch Management, 1.3.2, Pam A, 7/25, 4/5, 97% 99% 100% -1%, In Progress
       Vulnerability Management, 1.3.3, Anna P, 10/3, 4/6, 93% 99% 100% -1%, In Progress
       Software Life Cycle Management, 1.3.4, Pam A, 6/1, 4/6, 92% 99% 100% -1%, In Progress
       Web Application Firewalls, 1.3.5, John G, 9/19, 2/3, 99% 99% 100% -1%, In Progress

     Access Control (1.4): 77% 99% 100% -1%
       Access Control, 1.4.1, Anna P, 9/1, 3/28, 99% 99% 100% -1%, In Progress
       Two Factor Authentication, 1.4.2, Anna P, 9/28, 3/31, 71% 99% 100% -1%, In Progress
       RADIUS, 1.4.3, Pam A, 28/E920, 3/31, 71% 99% 100% -1%, In Progress
       Password Management, 1.4.4, John G / Pam A, 9/28, 3/31, 71% 75% 85% -10%, In Progress
       Facility Management, 1.4.5, Peter K, 9/28, 3/31, 71% 75% 85% -10%, In Progress
       Physical User Access, 1.4.6, Peter K, 9/28, 3/31, 71% 75% 90% -15%, In Progress
       Storage Media, 1.4.7, Peter K, 9/28, 3/31, 71% 75% 90% -15%, In Progress

     Network Monitoring (1.5): 62% 87% 100% -13%
       Audit Logging, 1.5.1, Anna P, 10/12, 4/15, 82% 94% 100% -6%, In Progress
       Time Synchronization (NTP), 1.5.2, Pam A, 9/30, 4/10, 98% 99% 100% -1%, In Progress
       Wireless Access Monitoring, 1.5.3, John G / Pam A, 10/19, 4/20, 79% 90% 100% -10%, In Progress
       Internal / External Vulnerability Scanning, 1.5.4, Peter K, 12/15, 4/10, 75% 90% 100% -10%, In Progress
       Internal / External Penetration, 1.5.5, Peter K, 2/27, 4/10, 76% 83% 100% -17%, In Progress
       Intrusion Detection, 1.5.6, Pam A, 10/11, 4/10, 69% 99% 100% -1%, In Progress
       File Integrity Monitoring, 1.5.7, John G, 10/11, 4/7, 69% 99% 100% -1%, In Progress

     Securities Policies Management (1.6): 62% 87% 100% -13%
       Security Policy, 1.6.1, Pam A, 10/19, 4/5, 49% 100% 100% 0%, Completed
       Use Policy, 1.6.2, Peter K, 10/7, 12/5, - - 100%, Completed
       Information Security Policy, 1.6.3, Peter K, 10/7, 12/5, - - 100%, Completed
       Security Awareness, 1.6.4, Peter K, 10/7, 12/5, - - 100%, Completed
       HR Policy, 1.6.5, Peter K, 10/7, 12/5, - - 100%, Completed
       Vendor Policies, 1.6.6, Mike A, 10/7, 12/5, - - 100%, Completed
       Incident Response Planning, 1.6.7, Mike A, 11/7, 1/27, - - 100%, Completed

     Legend: In Progress (Variance 10%); At Risk (Variance 10-19%); Late (Variance 19%); Not Started; Completed; On-hold.

     Step 2: Remediate

     Remediation is the process of fixing vulnerabilities — including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

     • Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
     • Reviewing and remediating vulnerabilities found in on-site assessment (if applicable) or through the self-assessment questionnaire process.
     • Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
     • Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
     • Re-scanning to verify that remediation actually occurred.

     Step 3: Report

     Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.
  7. Footnotes

     [1] PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.
     [2] The time for each of the phases varies, based on the client’s infrastructure footprint and current state of IT processes.
     [3] This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.

     About the Author

     Vibha Tyagi is a Principal Consultant within Cognizant’s IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master’s degree in electrical engineering and an M.B.A. from the University of Chicago’s Booth Graduate School of Business. She can be reached at Vibha.Tyagi@cognizant.com | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.

     About Cognizant

     Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

     World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: inquiry@cognizant.com

     European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 20 7297 7600. Fax: +44 (0) 20 7121 0102. Email: infouk@cognizant.com

     India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: inquiryindia@cognizant.com

     © Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.