When a Security Advisor performs a compliance or security assessment for an organization, to evaluate its current compliance status and identify potential gaps, there are several things the advisor looks for that make the path to compliance less bumpy.
If CampusGuard’s team of Advisors could write to Santa this year, below are a few things that might make the list.
1.) Up-to-date inventory
It is impossible to protect systems and data from compromise if you don’t know all of the places that information is stored or can be accessed. When an advisor meets with an organization, they want to see an accurate, up-to-date inventory of all assets within the cardholder data environment (servers, switches, desktops, payment card terminals, etc.), as well as any systems connected to it or that could affect its security, since those are in scope too. The inventory should carry detailed information such as device location, make and model, and serial number; for payment terminals, the serial number and location are also what staff check during periodic device inspections to confirm a terminal has not been swapped out or tampered with. Presenting your security advisor with a comprehensive document detailing all of this information when they arrive onsite will automatically score you bonus points.
2.) Consistent policies and procedures
Documentation can seem like one of the simplest parts of a compliance program, but it is often overlooked or left as one of the last items to check off the list. Having consistent policies and procedures that can be used across all merchant areas not only helps demonstrate compliance, but also gives staff clear guidance on approved methods of accepting and processing payment cards and on procedures for required compliance activities such as device inspections, secure storage of data and secure destruction. When a security advisor interviews an individual merchant area and the merchant staff can quickly reference or produce their departmental procedures, that is a win for everyone.
3.) Educated merchants/staff
Training staff on payment card security and general security awareness is not just a requirement; awareness is probably the single biggest factor in preventing data breaches. Well-educated staff understand the WHY behind the requirements and security controls that have been implemented, they understand their role in protecting information, and they are much less likely to try to circumvent the controls or policies that have been put in place. Merchants who are engaged and willing to do their part to protect cardholder data are on every advisor’s wish list.
4.) General information security best practices
As your security advisor has likely told you a million times: compliance does not equal security. An organization may have done just enough to check the boxes for its annual PCI assessment, but if basic information security controls and practices are not implemented and followed all year long, the advisor will have a tough time feeling confident in that organization’s compliance status. Security controls like multi-factor authentication may not be a requirement for every system, but in a security advisor’s perfect world, you would have to authenticate to heat your leftovers in the breakroom microwave.
5.) Scope Reduction (and P2PE)
Reducing PCI scope limits the number of systems that must meet the requirements of the DSS. One of the fastest ways to reduce scope is to implement a Point-to-Point Encryption (P2PE) solution that is listed on the PCI SSC website as a validated P2PE solution, meaning it has been through the official P2PE validation process. With a validated solution, card data is encrypted inside the payment terminal and can only be decrypted in the solution provider’s environment, never on the merchant’s systems, so the systems that encrypted data passes through are largely taken out of scope. P2PE solutions so dramatically reduce the effort and cost necessary to secure a cardholder data environment, it almost feels like cheating. If organizations are able to implement validated P2PE solutions and, better yet, integrate them with the current point-of-sale application, your advisor will be thrilled (and your IT team will adore you). P2PE doesn’t completely remove your PCI compliance responsibilities: you still have to maintain the terminal inventory, inspect terminals for tampering and follow the solution’s P2PE Instruction Manual (PIM), and any other channel that touches card data (keying card numbers into a workstation, for example) stays in scope. From a technical standpoint, though, it is pretty close!
6.) Defined process for new vendors
A security advisor’s worst nightmare is hearing that, after all of the work that has been performed to reduce scope and implement the applicable security controls, a random department decided to start accepting payment cards, and guess what? They have employees entering cardholder information for customers at events on general-purpose laptops connected to the organization’s wireless network. This is what those in the PCI world call “scope creep”, or in the holiday spirit, the giant lump of coal you find in the bottom of your stocking. By using the laptops, that department has not only pulled those systems into the organization’s PCI scope, but, unless that wireless network is properly segmented from the rest, the entire network and every device connected to it are now in scope as well. This will have your advisor asking someone to pinch them, so they can wake up from this horrible dream. Making the wish list would be a defined (and enforced) process that requires any new merchants, as well as any purchase of new systems or applications that will touch payment cards, to be properly vetted and approved by the PCI Team before a contract is executed.
7.) Third-party management
Outsourcing, particularly to cloud-based ecommerce service providers, is a great way for organizations to reduce their own PCI scope, but how those vendors are selected (and how they are monitored on an ongoing basis) remains a big compliance responsibility. A QSA wants to see a full list of all third-party service providers involved in the payment card process, the role each one plays, the compliance responsibilities outlined for them within the contract, and their ability to produce official PCI compliance documentation annually, typically an Attestation of Compliance (AoC). If our team of advisors could have been in Oprah’s audience, we would have heard, “You get an AoC! You get an AoC! and You get an AoC!” Okay, that might be a stretch; most security advisors are human after all, so they would probably also accept a car.
8.) Incident Response Plan
Knowing how to identify a potential breach and the immediate steps to take following one are critical. During an assessment, the advisor will want to see the organization’s incident response plan, with specific reference to incidents involving payment card data, including who is responsible for notifying the acquiring bank and the card brands. Even more important than having the plan is making sure all applicable staff have access to it and understand their roles and responsibilities. If Santa could keep all the cyber criminals on the naughty list and stop data breaches entirely, we might be able to knock this one off the list….but, since this one seems a little over even Santa’s pay grade, organizations will just have to remain prepared.
If you think about it, it is pretty obvious that security experts love acronyms; it’s just their nature. QSA, PCI, SAQ, P2PE, EMV, ASV, VoIP, the list goes on and on and on. The good thing is they also love teaching, so if you ever catch one rambling on, don’t be afraid to interrupt and remind them that not everyone loves acronyms as much as they do.
What’s on your organization’s information security and compliance wish list this year?
Some additional comments from our dedicated Security Advisor Team:
[Hobby]: Wish lists are great! For this list I’d add having a risk management program and regular risk assessments, which is a foundational component of effective compliance programs. Also, since we don’t often receive everything on our wish list, if Santa doesn’t bring you an up-to-date inventory or an Incident Response Plan, these are all good items to carry forward as New Year’s resolutions. Happy Holidays and we look forward to working with you in the New Year!