Payment Card Industry Data Security Standard Compliance: Key Players and Relationships. By Jason Chan

White Paper: Enterprise Security Services

Contents

Executive summary
Introduction
PCI Participants
    PCI
    Evaluated Organization
    Internal Compliance Manager
    Assessing Party
    Internal Stakeholders
    Acquiring Bank (for merchants)
PCI Relationships
    The Compliance Manager and Internal Stakeholder Relationship
    The Compliance Manager and Assessing Party Relationship
    The Compliance Manager and Acquirer Relationship (For Merchants)
    The Assessing Party and PCI Relationship
Conclusion
About Symantec Consulting

Executive summary

In recent years, the Payment Card Industry (PCI) Data Security Standard (DSS) has emerged as a significant influence on companies that accept, store, process, or transmit payment cards and the related card data. Considering the breadth and complexity of the PCI Data Security Standard, a single individual may not be able to implement an effective compliance effort. This white paper defines the key players in the PCI compliance assessment and management process, explains the key relationships between each of these players, and illustrates these relationships with examples. This information helps individuals involved in an organization's PCI compliance management efforts to develop the necessary relationships. With a thorough understanding of the interactions required, both on a one-time and an ongoing basis, organizations can implement the steps necessary to achieve and maintain PCI compliance.

Introduction

Regulatory compliance has become a standard component of managing information technology and IT security. Regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA) affect many organizations of varying scope and size. In recent years, the PCI DSS has emerged as a significant influence on organizations that accept, store, process, or transmit payment cards and the related credit and debit card data. With many breaches of credit card data already on record and identity theft on the rise, the PCI DSS is designed to ensure a high degree of data security to protect cardholder data.

The PCI DSS is specific and granular in its requirements. Organizations that have already developed a significant compliance management effort are best prepared to administer ongoing PCI compliance. However, smaller companies, or those without significant compliance experience, that employ efficient management and implementation can quickly gain an understanding of PCI requirements, although not necessarily compliance. While individuals familiar with the less-prescriptive regulations generally welcome this specificity, the far-reaching and comprehensive scope of the PCI DSS can require significant effort to achieve compliance. To help achieve and maintain compliance with the PCI standard, successful organizations address compliance as an ongoing process that involves the entire business. Organizations that build and maintain the appropriate internal and external relationships can ensure the efficient, multi-directional flow of information necessary to establish an ongoing compliance effort.

PCI Participants

Before discussing these critical relationships in greater detail, this section defines the key players in the PCI compliance assessment and management process.

PCI

The Payment Card Industry is the industry group of payment card brands (Visa, MasterCard, American Express, Diners Club, JCB, Discover) that defines the Data Security Standard and administers compliance and assessment. Visa, through its Cardholder Information Security Program (CISP), receives PCI audit results for service providers. Visa's CISP also administers and publishes the list of approved PCI assessment vendors and compliant service providers.

Evaluated Organization

The evaluated organization is the merchant or service provider organization, included within the scope of the PCI standard, that is evaluated for compliance. Merchants accept payment cards for goods or services (e.g., grocery stores and e-commerce retailers). Service providers process cardholder data in support of merchants, banks, or even other service providers (e.g., POS providers and payment transaction processors).

Internal Compliance Manager

The internal compliance manager is the representative of the evaluated organization responsible for administering PCI-related compliance efforts. A dedicated compliance officer often fills this role; in other cases a CSO, CISO, or other member of security or audit management assumes the compliance role.

Assessing Party

For many service providers and merchants, the assessing party is a Qualified Data Security Company (QDSC), an organization approved through PCI to perform PCI security assessments. For service providers and merchants that process a smaller volume of cardholder records, the assessing party may be an internal audit or information security team.

Internal Stakeholders

Internal stakeholders are representatives of the evaluated organization who are responsible for individual PCI requirement areas. An example of an internal stakeholder is an IT security director who is responsible for determining the password and user account policies of the organization. A number of PCI requirements relate directly to IT security controls; therefore, the evaluated organization needs to designate an IT representative responsible for assisting with the assessment of these PCI requirements. A human resources (HR) manager is another example of a PCI internal stakeholder. The PCI standard requires pre-employment screening for employees in certain positions and also requires that employees acknowledge and agree to specific security policies. An HR manager can verify current and ongoing compliance with the relevant PCI requirements.

Following is a list of sample stakeholder areas of responsibility typically involved in managing PCI compliance, along with sample compliance areas in parentheses:

    Human resources (background checks)
    Application design and development (development lifecycle, code reviews)
    Database administration (data encryption, logging)
    Physical security (visitor and escort policy, data center monitoring)
    IT operations (patch management)
    User management and provisioning (granting and revoking access)
    Records management (log and record retention)
    Data archive and recovery (backup and media storage)
    Incident response (security incident response policy and testing)
    Security policy and awareness (employee training, security policies)
    Legal/vendor management (contracts with third-party vendors)

Depending on the size and complexity of the organization, some of these stakeholder roles may not exist or may overlap. However, by identifying the responsible internal parties, all PCI requirements can be appropriately evaluated, and issues not in compliance can be remediated in a reasonable, efficient manner.

Acquiring Bank (for Merchants)

The acquiring bank works with the merchant to authorize, settle, and otherwise process payment card transactions. The acquiring bank receives and acts upon PCI audit results for merchants.

PCI Relationships

After identifying each of the key players in the PCI compliance assessment and management process, an examination of the relationships between each of these players is instructive (see Figure 1).

[Figure 1. Relationships necessary for PCI compliance. The diagram connects the Evaluated Organization (its Internal Compliance Manager and Internal Stakeholders) with the Assessing Party (may be internal or external), the Acquiring Bank (for merchants), and Visa or MasterCard (for service providers).]

The Compliance Manager and Internal Stakeholder Relationship

The set of relationships most critical to ongoing PCI compliance involves the compliance manager and the various internal stakeholders who administer focus areas under the purview of PCI. When an organization first begins the process of becoming PCI compliant, the compliance manager establishes working relationships with these stakeholders so that each is aware of their responsibilities and roles in the process. The compliance manager familiarizes all stakeholders with the specific PCI requirements for which each is responsible. Once expectations are set, roadmaps and milestones for achieving and maintaining compliance with each PCI requirement can be developed by consensus. As the environment changes and the PCI standard is updated, these parties work together to ensure that new systems, applications, and processes are compliant. Additionally, the compliance manager notifies the stakeholders of any modifications in the PCI standard or assessment process. This important relationship can be further explained via two illustrative examples.

Example 1: Stakeholder Relationship - Vendor Management

The PCI standard mandates that certain stipulations be set forth in contracts with vendors with which the organization shares cardholder data. To assess these PCI requirements, the compliance manager works with the various business units to determine which vendor relationships are within scope. Once the relevant interactions have been identified, the compliance manager contacts the vendor relationship manager or legal representative to collect current copies of the contracts for assessment. After assessing the contracts, the compliance manager reports the status of each contract's compliance and any outstanding issues. If contracts require amendment to become PCI compliant, the compliance manager and vendor relationship manager work together to address the issues and ensure that all vendor agreements are compliant. Over time, the vendor relationship manager informs the compliance manager of any new contracts that may be within the scope of the PCI DSS and of any changes in legal or contractual language. Likewise, the compliance manager informs the vendor relationship manager of any relevant updates to the PCI standard.

Example 2: Stakeholder Relationship - Database Encryption and Management

Some of the most detailed and complex PCI requirements involve the storage of cardholder data at rest (including within databases). Central to these requirements is the topic of data encryption. To properly manage these PCI requirement areas, the compliance manager works closely with the internal parties responsible for database management and encryption.

These stakeholders should brief the compliance manager on all relevant (within PCI scope) instances of cardholder data storage. Similarly, the compliance manager works with these stakeholders on the various data storage elements that are necessary for PCI compliance (e.g., key management, encryption algorithms).

The Compliance Manager and Assessing Party Relationship

The compliance manager should also maintain a close relationship with the party responsible for assessing the organization's PCI compliance. For merchants, this may be an internal group such as the internal audit or information security team. In many circumstances, this party is a Qualified Data Security Company. Regardless of whether the assessor is internal or external to the organization, during the actual PCI assessment the compliance manager works with the assessing party to determine the status of each PCI requirement. The assessing party evaluates any compensating controls and completes the Report on Compliance (ROC) or self-assessment questionnaire, depending on the organization's PCI category. The assessing party may also help develop remediation plans and timelines for addressing unmet requirements. Since PCI compliance is evaluated on an annual basis, the assessing party must inform the compliance manager of any changes in the PCI standard or assessment process. Also, the organization may be required to perform quarterly network scans as a component of PCI compliance. In these instances, the assessing party usually works with the compliance manager to facilitate the network testing and any resultant remediation efforts.

The Compliance Manager and Acquirer Relationship (For Merchants)

Merchants are responsible for providing PCI assessment results to their acquiring bank. This process often includes a discussion of remediation efforts, including prioritization and scheduling. Regular communication between the internal compliance manager and the acquiring bank is essential to ensure mutual understanding and agreement on annual assessment and quarterly scan results.

The Assessing Party and PCI Relationship

The assessing party monitors the PCI DSS (through Visa) for updates to the PCI standard and program. As the various payment card brands approve these changes, the revisions are published on Visa's web site and conveyed via training to participating QDSCs. The assessing party (internal or external) works with the compliance manager to understand and integrate PCI updates.

Conclusion

Considering the breadth and complexity of the PCI Data Security Standard, a single individual may not be able to implement an effective compliance effort. Further, because PCI compliance is an ongoing process with quarterly scan and annual assessment requirements, relegating PCI responsibilities to a one-time project or checklist item is not a viable option. Organizations that recognize and embrace the value of developing and enriching internal and external relationships to facilitate PCI compliance management will have the easiest path toward becoming, and remaining, compliant.

More information about Symantec Payment Card Industry Services is available at

About Symantec Consulting

Symantec Consulting Services implement and maintain comprehensive, customized security and availability solutions that enable organizations to protect and manage critical business assets. The Symantec Advisory practice of Symantec Consulting Services offers trusted advisors applying insight and expertise to security-related business problems. These professionals deliver vendor-neutral security consulting services designed for proactive security risk management. The Symantec approach addresses the enterprise security lifecycle from strategy development to incident readiness, with a continuous focus on minimizing risks, stabilizing security costs, and reducing complexity. Symantec Advisory consultants combine technical expertise with a business focus to create comprehensive, vendor-neutral security solutions for industry-leading companies. Symantec's delivery process emphasizes knowledge transfer, ensuring every aspect of a project's findings can be successfully implemented and managed.

The Symantec Advisory practice has established best practices and proven methodologies in the following five key service areas:

    Symantec Secure Application Services
    Symantec Operation Services
    Symantec Security Compliance Services
    Symantec Strategy Services
    Symantec Secure Infrastructure Services


About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free

Symantec Corporation World Headquarters, Stevens Creek Boulevard, Cupertino, CA, USA

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Copyright 2006 Symantec Corporation. All rights reserved. 03/