Preparing for a Report on Compliance (ROC)
There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, particularly for those who are experiencing their first visit from a QSA. Like most trials, the good news is that future visits do get easier as your infrastructure gets up to spec. That first assessment, however, will often involve some significant preparation work and investment, such as a redesign of network architecture or the purchase of hardware and software. It could also mean changes in working practices, the introduction of cryptographic controls and change processes as you elevate the security posture of the environment to a level acceptable for a successful PCI DSS audit.
Scoping is the single most important part of any PCI DSS assessment. Establishing your scope can be challenging, especially if different types of payment channels exist which contribute to a complex cardholder data environment (CDE). The QSA will spend a considerable amount of time understanding all technologies, systems, people and processes involved in each of these payment channels.
One of the biggest misconceptions we keep coming across is that network segmentation is a PCI DSS requirement. Let’s put this one well and truly to bed: segmentation is categorically not a PCI DSS requirement! Having said that, in today’s modern environments, there are lots of benefits in segmenting your CDE, not least in easing the pain and limiting the scope of an assessment. Without segmentation, every single system, node, workstation and networking device would need to comply with every requirement of the Standard. By segmenting the systems that are directly involved in the storing/transmitting/processing of cardholder data (CHD) from the rest of the organisation’s network, the scope of the assessment will be reduced significantly. And don’t forget that any system connected to those systems directly handling CHD also needs to be segmented.
Understand where data resides and whether it’s required at all
Apart from establishing your scope and segmenting your CDE, the biggest challenge organisations face is understanding where CHD is stored. We often find organisations which are not aware of all the CHD that is being retained. CHD can be stored in locations as diverse as legacy systems’ (potentially offsite) backups or Excel databases in the finance department. Without a well-defined data retention and disposal policy, many organisations find themselves storing CHD unnecessarily. Quite often, this is due to the existence of a process that has never been questioned. URM’s QSAs are well versed in understanding processes and procedures and helping to identify any oversights.
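A practical first step for the discovery problem described above is to scan file shares and spreadsheet exports for PAN-like numbers. The following is an added example, not URM’s tooling: it matches runs of 13 to 19 digits, discards anything that fails the Luhn check to cut down false positives, and reports only masked values so the scan itself does not create a new CHD store. The names `PAN_CANDIDATE`, `scan_lines` and the sample export are assumptions constructed here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (the layouts typically seen in spreadsheets and free-text exports).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check; filters out most phone numbers, IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS masking allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PANs found in a piece of text (never the full PAN)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_lines(text: str) -> list:
    """Scan line by line; return (line_number, masked_pan) so findings can be triaged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for masked in find_pans(line):
            findings.append((lineno, masked))
    return findings

# Constructed sample resembling a finance-department spreadsheet export.
SAMPLE_EXPORT = """\
invoice,customer,card,amount
1001,ACME Ltd,4111 1111 1111 1111,250.00
1002,Globex,5500-0000-0000-0004,99.50
1003,Initech,phone 01234 567890,10.00
1004,Hooli,4111111111111112,42.00
"""

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_EXPORT):
        print(f"line {lineno}: {masked}")
```

Run over a backup or an exported share, the findings list is the starting point for the data retention and disposal decisions the policy should already cover.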
What can you do to ensure the assessment goes as smoothly as possible? The glib one-word answer is preparation. In addition to securing the availability of all necessary staff members, ensure that all relevant policies, procedures, network and data flow diagrams are readily available to the assessor. Not being able to provide documents in a timely manner will not result in a failed control, but the delay may prolong the time an assessor needs to spend onsite, potentially increasing the costs of an assessment.
To avoid any confusion or surprises during an assessment, and to gain insight into what an assessor will ask/observe/validate/verify, we strongly recommend that you download a copy of the ‘PCI DSS Requirements and Security Assessment Procedures’ and the ‘PCI DSS ROC Reporting Instructions’ from the PCI Council’s document library (https://www.pcisecuritystandards.org).