How can businesses go about making a thorough assessment of their compliance? Even if you’ve already completed a self-assessment questionnaire, even if you believe in your heart of hearts that you’re compliant, it’s wise to have security experts perform a readiness assessment at least once. This process will help you verify that you’ve correctly interpreted the PCI DSS rules and that your assumptions are well-founded. Very often, merchants unknowingly and inadvertently misinterpret PCI compliance guidelines and mistakenly indicate compliance. A readiness assessment can help you self-evaluate more confidently in the future and help you learn more about how and why your security measures work. Often, the assessment reveals opportunities to manage your security more robustly and cost-effectively in the future.
Three Steps to Readiness
What does a typical readiness assessment entail? It consists of three steps:
1. Figure out where cardholder data is stored, processed, or transmitted in your environment.
Where in your business process is data captured, and how is it handled? An assessor will follow the flow of card data through your network, whether it travels to a database or a third-party site. They’ll also conduct a thoroughgoing search for card data in unexpected places: stored in a spreadsheet in your file-sharing system, or hanging out on your email system.
2. Define the scope for PCI compliance.
Everywhere card data goes, PCI DSS is the rule of the land. But the opposite is also true: PCI doesn’t care about systems that don’t touch card data. So once you’ve followed the data, you can identify which systems are subject to DSS rules – and which ones you don’t need to worry about, at least as far as compliance is concerned. This information may guide your action plan, helping you save both time and money.
3. Identify gaps between your scope and the requirements.
Once you know exactly which portion of your system is subject to PCI DSS, you can compare the rules to the reality. In a readiness assessment, this will typically mean a series of interviews, inspections, and process walkthroughs, validating that all the necessary rules are in place.
Avoiding the Pitfalls
When we perform readiness assessments at LBMC, we see certain common pitfalls that we take care to address. For example, PCI requires businesses to conduct quarterly internal vulnerability assessments – this means scanning for missing patches, default passwords, and other cracks in the armor that thieves or malware could easily exploit. When you find a weakness, you’re required to review and remediate results tagged as high-risk. Then you’re supposed to run another scan that shows the problem has been addressed. Often, merchants run the scan but don’t read it. Or if they read it, they don’t clean up the problem. Or if they clean up the problem, they don’t run the scan again – and they don’t document the success. For every PCI rule (or “control”), you must have documentation to be considered in compliance. This is an easy and common rule to fall down on. So we sit down with merchants and look at their past scans, as well as their documentation. Then we complete the self-assessment questionnaire with them to identify the true answers to every question. This helps them accurately and confidently answer “yes” on each control.
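The scan, remediate, rescan and document cycle described above breaks down most often at the last two steps. As an added example (not LBMC's process or code), the Python below reconciles a quarterly internal scan against its rescan: it isolates the high-risk findings, reports which were remediated, which are still open and which appeared in between, and emits a dated evidence record that can be filed against the control. The `Finding` structure, the check identifiers, hostnames and dates are all constructed for the example and do not correspond to any particular scanner's export format.

```python
from dataclasses import dataclass
from datetime import date

# Severities that must be remediated and confirmed by a rescan.
HIGH_RISK_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    """One row of a scanner export. check_id is a hypothetical identifier, not a real plugin id."""
    host: str
    check_id: str
    severity: str
    title: str


def high_risk(findings) -> set:
    """Return only the findings that the quarterly process requires to be closed."""
    return {f for f in findings if f.severity.lower() in HIGH_RISK_SEVERITIES}


def reconcile(initial, rescan):
    """Split high-risk findings into (remediated, still open, new since the first scan)."""
    before, after = high_risk(initial), high_risk(rescan)
    return before - after, before & after, after - before


def _label(f: Finding) -> str:
    return f"{f.host}:{f.check_id}"


def evidence_record(quarter: str, scan_date: date, rescan_date: date, initial, rescan) -> dict:
    """Build the documentation entry for one quarter; passes is True only if no high-risk
    finding remains open and none was introduced between the two scans."""
    remediated, still_open, new = reconcile(initial, rescan)
    return {
        "quarter": quarter,
        "scan_date": scan_date.isoformat(),
        "rescan_date": rescan_date.isoformat(),
        "high_risk_initial": len(high_risk(initial)),
        "remediated": sorted(_label(f) for f in remediated),
        "still_open": sorted(_label(f) for f in still_open),
        "new_since_scan": sorted(_label(f) for f in new),
        "passes": not still_open and not new,
    }


# Constructed findings reused across the sample scans so equality comparisons line up.
DB_PATCH = Finding("db01", "MISSING-PATCH-001", "High", "Database server missing vendor security update")
POS_CREDS = Finding("pos01", "DEFAULT-CREDS-007", "Critical", "POS admin account uses default password")
WEB_TLS = Finding("web01", "TLS-CONFIG-042", "Medium", "Web server accepts weak cipher suites")

INITIAL_SCAN = [DB_PATCH, POS_CREDS, WEB_TLS]
RESCAN = [POS_CREDS, WEB_TLS]          # patch applied, default password still in place
CLEAN_RESCAN = [WEB_TLS]               # only a medium finding remains

if __name__ == "__main__":
    for rescan in (RESCAN, CLEAN_RESCAN):
        record = evidence_record("2024-Q3", date(2024, 7, 8), date(2024, 7, 22), INITIAL_SCAN, rescan)
        print(record)
```

The point of the `passes` flag is that "we ran the scan again" is not evidence on its own: the record has to show that every high-risk item from the first scan is absent from the second, on a stated date, which is exactly what an assessor asks to see for this control.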