The Do-Re-Mi of PCI Compliance

Several years ago, I discovered Nirvana: the ability to point and click on a website and have pretty much anything I wanted shipped right to my door, sometimes at a cheaper price than at any store in my city. What bliss!

Ah — in the good ole days of online shopping, we were so happily ignorant. Back then, from a security perspective, the average consumer only cared if there was an “s” at the end of the HTTP in the Web browser.

However, the online shopping love affair dwindled as headlines about credit card breaches began to dominate the news. My own personal opinion also took a nosedive after I began specializing in Payment Card Industry Data Security Standards (PCI DSS) assessments five years ago, which would unfortunately bring to an official end any happy ignorance about online shopping.

I was not the only one feeling disillusioned with credit card handling behind the scenes. PCI DSS gained more traction, and merchants and service providers started taking note of what PCI DSS meant to them and the way they had been doing things for several years. There was great confusion about what was actually in-scope.

The PCI DSS instructs organizations to ensure that all systems within the cardholder environment are in-scope. Version 1.2 states the following:

“The PCI DSS security requirements apply to all system components. ‘System components’ are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

“In addition to the network, server and application components noted above, every single laptop, backup tape, point-of-sale (POS), POS terminal, and so on, which process, transmit, and/store cardholder data, are in-scope for your PCI assessment. Also in-scope: Every location which processes, transmits, and/stores cardholder data (whether printed or electronic), along with every individual (whether employed by your organization or a third-party) who views, touches and works with the systems in-scope.”

So how does one take a thorough and objective look at their cardholder environment and correctly scope it?

Julie Andrews expressed some good advice in The Sound of Music when she sang “Let’s start at the very beginning, a very good place to start.” But where oh where is the beginning of PCI-compliance? It’s certainly not with requirement 1.1.

Let’s start from Do-Re-Mi. Here’s a five-step approach to help you move forward with scoping your cardholder environment.

1. Become an Outsider

Employees in charge of PCI DSS compliance are often so entrenched in day-to-day operations that they find it difficult to see beyond the weeds. This explains why it is mostly easier to hire a third-party assessor to define your cardholder environment rather than attempting it internally.

In the past five years, I have seen companies achieve success right off the bat with scoping their cardholder environment accurately, and I’ve seen companies take much longer to get on the right path. Companies that achieved early success share one common reason: They assigned an individual or individuals to manage the initiative and allowed those employees to be objective. The employees stepped out of their everyday roles and functions, and took on the viewpoint of how an outsider would see their company.

2. Get a 10,000-Foot View of Your Cardholder Environment

The first thing I do when coming on-site is hold a meeting with every person who is involved with the cardholder data process with a large whiteboard present. In your new role as an outsider, ask each person to define what he or she knows about how cardholder data is obtained by your organization. These paths are called “data flows.”

Typical data flows for merchants include, but are not limited to, credit card numbers obtained from online orders, retail stores, phone (customer service), third parties, and even how credit cards are received when a system fails in stores or the network is down. (Be sure to write the data flows on the whiteboard as they are being discussed.)

Each type of organization also has individual methods that may not necessarily apply to other merchants. For example, a catalog company may have mail-order forms. A college or university may have different payment methods at remote schools and locations, bookstores, cafeterias, for alumni gifts and more. A restaurant chain may have several locations and varying ways diners pay for their meal.

Typical data flows for service providers vary by their business model, but mostly revolve around methods in which connected parties transmit cardholder data to the organization.

3. Define the Data Flow Milestones

Once you’ve listed all the methods of how credit card data is captured, it’s time to define the milestones for each data flow individually. Milestones are the systems, and their locations, that the credit card touches during the data flow.

4. Dig Into Each Milestone

This is the analysis portion of the exercise to guarantee systems, applications, locations, employees, third parties and components are in-scope.

Each milestone must be analyzed for the who, what, when, where, and how cardholder data is processed, transmitted and stored. At this point, it is important to be accurate in the details, so it is common for there to be follow-up for unknown information.

5. Put the Pieces Together

Once you have gone through steps 1-4, you should have sliced and diced it to the point where you have an understanding of how cardholder data enters your organization, how it is handled, how it is stored, and how it is transmitted. These are key elements to your compliance effort with PCI-DSS.

Congratulations, as this is your scope for your organization’s PCI compliance initiative!

Of course, you may possibly have a long list of questions to ask other groups to fill in the blanks. With a lot of work and dedication, you can effectively define the scope accurately, leading to a reduction of risk and costs that will have you whistling “Do-Re-Mi” as you walk down the hallways.