A clear walkthrough into the process of how to become PCI DSS compliant.
When we set out to build Recko, we always knew that we had to make data security one of our core pillars. Well, we have taken a giant leap towards our goal of being recognized as a fully data secure organization by becoming compliant with the Payment Card Industry Data Security Standards v3.2.1 (PCI DSS v3.2.1.). PCI DSS compliance is one of the most coveted compliance standards out there.
The PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that are associated with payment cards (storing, processing, transmitting, etc.) maintain a secure environment. The PCI DSS as managed by the PCI SSC, an independent body that was created by some of the major card brands
Recko does not require any Cardholder Data (CHD) to carry out its processing activities, sometimes CHD might come up when clients upload data on our platform
Even though Recko does not require any Cardholder Data (CHD) to carry out its processing activities, sometimes CHD might come up when clients upload data on our platform. This made us want to be PCI DSS compliant as we want to leave no stone unturned in assuring our customers that we are adhering to the most stringent data security standards.
PCI DSS compliance
There are 4 levels of compliance based on the number of card transactions processed annually:
- Level 1: Merchants that process over 6 million card transactions annually
- Level 2: Merchants that process 1 to 6 million transactions annually
- Level 3: Merchants that process 20,000 to 1 million transactions annually
- Level 4: Merchants that process fewer than 20,000 transactions annually
For Level 1 organizations, the assessment should consist of an external audit performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Organizations from Levels 2–4 can complete a Self-Assessment Questionnaire (SAQ) instead of an external audit. Level 2 organizations must also complete a Report of Compliance (RoC).
Our ambition of always wanting to have our security posture audited by highly qualified external parties lead us to go for a QSA audit.
Selecting a QSA
While searching for the right QSA companies, we came across a few firms that claimed to be qualified to carry out audits. But, we noticed that they were not listed on PCI SSC as QSAs. Such firms might be outsourcing the audit work to other QSAs, while they themselves might be more interested in getting into other security areas in your company like penetration testing, vulnerability assessments, etc.
We highly recommend that you work directly with companies that are listed as QSAs on PCI SSC. This will provide that extra level of assurance while starting a critical project like this.
Some of the other factors that we considered while finalizing a QSA company were:
- Location of the QSA company. This might be important because visits to your office by the auditor can be scheduled at very short notice if the QSA company has an office in the same city as yours.
After a thorough search, we finally chose SISA Information Security to carry out the external audits.
PCI DSS compliance process happened in three main phases:
The first step in this phase helped us figure out the areas where the PCI DSS requirements would be applicable (Scope of the audit). This is usually done by sharing information about CHD flow and other required details with the QSA.
Once this was completed, a GAP Assessment was performed which helped identify all the risks associated with the scope environment. The outcome was an action tracker that identified all the risks that had to be mitigated by us. The action tracker acted as the cornerstone for the remaining steps in the compliance process.
We cannot stress enough about being on the same page with the QSA on the points mentioned in the action tracker. It is worthwhile to spend time on the tracker and get all the required clarifications before starting the remediation phase. Any sort of misunderstanding on the steps that need to be taken to mitigate risks can lead to extensions in the timeline, as the risk mitigation steps usually require implementation from either the engineering or the IT teams
The team that was created to work on remediation almost fully consisted of people from Engineering/ IT. To close out the remediation phase in a timely manner, we recommend that the team members selected should be such that they can dedicatedly work on the remediation phase and not have to juggle with other workstreams. The temptation is always to push the timelines a bit and pick up some other work, as the audit dates, in general, can be modified for PCI DSS compliance certification (Some of the other certifications require you to pick an audit date in advance. In such certifications, it requires considerable effort to change the audit dates)
Carrying out frequent VAPT tests and closure of issues identified in them is mandatory for PCI DSS compliance. You would need to keep this in mind at the very start of your compliance journey, as it has massive implications on both - your overall timelines as well as cost. External vulnerability scans have to be carried out by Approved Scanning Vendors (ASVs). So, while selecting a QSA, you might want to dedicate some time to picking an ASV, and also if required, a vendor to carry out the other vulnerability and penetration tests
We chose solutions that helped us deal with multiple gaps at the same time
- TrendMicro was used to deal with areas related to IDS/ IPS, AV, and FIM
- Jumpcloud allowed us to solve for areas related to endpoint security, password management, and access management.
We automated a lot of the remediation steps, which would help us reduce the operational overhead in maintaining the same.
We scheduled regular check-ins with the QSA to ensure that the remediation steps that we were taking were in line with the requirements of the standard. This was useful, as any kind of deviations from the standard were pointed out and quickly rectified. This ensured that we did not encounter any surprise findings during the final audit
3. Final audit
The final audit was a relatively smooth affair as we were confident that we had mitigated all the gaps. Once the audit was completed, we were declared PCI DSS compliant and also issued the final deliverables (Certificate of Compliance, Attestation of Compliance, and Report of Compliance)
Overall, we felt that the entire process not just helped us become PCI DSS compliant, but also put in place long term security policies and procedures that we adhere to religiously on a daily basis.
The entire process not just helped us become PCI DSS compliant, but also put in place long term security policies and procedures that we adhere to religiously on a daily basis
We hope this article will help you when you start the process of becoming PCI DSS compliant.