PCI / CISP Compliance

Next Steps...

Most companies will come in contact with an ASV (Approved Scanning Vendor).  The periodic security scans are handled by the ASV.  These are the trained individuals/organizations that scan and test for holes in your network, from the outside, as we understand it.

Audits, on the other hand, are conducted by the QSA (Qualified Security Assessor).  QSAs are trained organizations that conduct assessments and audits, typically on behalf of the acquiring banks, such as Mercury, Heartland, Paymentech, and Chase.  For Level 1 providers, a QSA assessment is part of the standard security assessment.

The lowest tier, Level 4 (under the Visa definition), will rarely see a QSA unless one is hired or brought in as part of an assessment or audit.  Level 4 merchants may only require an SAQ and a quarterly scan/monitoring (as mentioned above, handled by the ASV).  Don't let that fool you: it simply means you don't know when, or if, you'll get an audit.  The fines apply in the same manner to merchants that are not compliant, or, as some would like to suggest, "compliant-leaning".  We would suggest you move as far toward compliance as you can afford to implement, in both money and staff procedures.

The SAQ (Self-Assessment Questionnaire) asks, in a fairly detailed manner, what you've done to protect cardholder data.  If you are not protecting this data, fines start at $50,000, as we understand it.  We are not sure that playing Russian roulette in this manner is worthwhile.

Suggested path (Broad)

1. Upgrade to a router that allows for content filtering, logging, segmentation of the network, and VPN tunneling/SSL encryption.

2. Implement a two-factor or strong authentication solution for your site as a "must", so that you no longer need open ports on your router(s).  Several companies offer these, and they prove the point that security is not convenient.

3. Separate the Wireless and Public networks from the Point of Sale network.

4. Delete (manually or automatically) all logs associated with the storing of credit card information, especially if it is unencrypted.  Set the retention period to zero days if you can still operate that way, or otherwise to the smallest number of days acceptable to your business.

5. Become aware of and responsible for your physical equipment, the activity of your staff, and the physical assets carrying cardholder information (such as signed credit card receipts).  While some stores may not have Internet access, the responsibility for the physical security of servers and untampered input devices (terminals) still applies.  Employees with access should be vetted to a level that lets you justify their access to these records.  Signed physical receipts must be kept in secure areas.  The small steps you take to protect cardholder data will save you money in the long run.

6. Establish an Internet security policy - a good starting point:

http://www.sans.edu/resources/student_projects/200711_004.pdf

And, if you haven't done it already, implement a content-filtering mechanism to enforce your policy.  Protect your mission-critical Point of Sale application from spyware, viruses, and other malware, which could compromise the data and/or make your application inoperable; both are risks to avoid.

Suggested path (Specific)

1. Look to your Information Technology (I.T.) professionals to assist you in reaching everyone's goal, "Protecting Cardholder Data".

Sotapop Consulting and other I.T. professionals can help you with this project, as needed.

a. We have at least one solution that we are testing in the area of remote monitoring and remote access.

b. We are seeking clients who would like to test out this and other solutions.

c. We can also provide assistance and advice during your planning process and implementation phase.

d. In case you are audited, we can be available to assist with the auditors, on your behalf.

e. SAQ information is something that we can assist you in completing.

f. An Internet Security Policy, similar to an employee handbook, is something that we can assist you with.

g. Since we are a reseller of computer products, we can sell you the necessary routers/firewalls and token solutions that will help you down the road towards compliance.

2. Work with your merchant processing bank to determine if they have any programs or resources to assist you in moving your organization towards compliance.

3. Upgrade your Point of Sale/credit card application, especially if it does not encrypt cardholder data.

4. Plan to delete cardholder personal account numbers from your system, either automatically or manually.  From the PCI perspective, Personal Account Numbers (PANs) do not need to be stored on your servers for any reason.

5. Find a suitable scanning vendor (ASV) which can provide the required quarterly scans.

6. Fill out the Self-Assessment Questionnaire (SAQ) and get familiar with its contents.  You will be responsible for filling this out, quarterly.  Again, your I.T. professionals will be able to assist with this.

7. Begin implementing as many items as you can, with the help of those in your organization and the resources you have.  Make sure to take into consideration not just the cost, but the sustainability of your implementation.  Some ideas are great, but take care to understand that this process will need ongoing maintenance, not just a one-time setup.

8. The penalties, as defined in this document, are significant; however, some of the implementation steps may also be cost-prohibitive for your business.  Be reasonable and do as much as you can, taking the health of your business into consideration as well.
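Step 4 of the broad path (delete card-data logs, hold them for zero or very few days) and step 4 of the specific path (purge stored PANs) can be automated. The script below is an added example, not part of this page or of Sotapop's tooling; it assumes a hypothetical POS log format with a leading timestamp, and the sample lines are constructed. It finds digit runs that pass the Luhn check, masks them to the last four digits, and drops lines older than the configured retention window.

```python
import re
from datetime import datetime, timedelta

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
STAMP = "%Y-%m-%d %H:%M:%S"

# Constructed sample POS log lines (hypothetical format: timestamp, terminal, event).
SAMPLE_LOG = [
    "2024-01-03 10:15:22 POS01 sale approved card=4111111111111111 amt=42.10",
    "2024-01-03 10:16:05 POS01 sale approved card=4111-1111-1111-1111 amt=9.99",
    "2024-01-03 10:17:40 POS02 refund ref=1234567890123456 amt=5.00",
]

def luhn_ok(digits):
    """Luhn check: true for a well-formed card number, false for other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line):
    """Mask every Luhn-valid PAN in a line to its last four digits; return (line, hits)."""
    hits = 0
    def mask(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # e.g. an order/reference number, not a card
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, line), hits

def purge_and_redact(lines, retain_days, now_str):
    """Drop lines older than the retention window; redact PANs in the rest.
    Returns (kept_lines, dropped_count, redacted_pan_count)."""
    cutoff = datetime.strptime(now_str, STAMP) - timedelta(days=retain_days)
    kept, dropped, redacted = [], 0, 0
    for line in lines:
        if datetime.strptime(line[:19], STAMP) < cutoff:
            dropped += 1               # retain_days=0 drops everything before 'now'
            continue
        clean, n = redact_line(line)
        kept.append(clean)
        redacted += n
    return kept, dropped, redacted
```

Run it against real log files only after confirming the timestamp format matches, and pair it with a scheduled job so the retention setting is enforced every day rather than once.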

Sotapop Consulting
PO Box 192061
San Francisco , CA 94119
(415) 647-0550 office
(650) 996-6241 cell
support@sotapop.org