control, and governance
Is Your Organization Ready for a PCI Standard Audit?
Many online retailers and service providers are still trying to comply with the Payment Card Industry standard. However, with a little help from auditors, companies can be one step closer to compliance.
Stories about credit card fraud and security breaches due to faulty electronic systems abound in the news media. In April 2005 alone, two major corporations — Polo Ralph Lauren and LexisNexis — reported security breaches after hackers gained access to their systems, and in February 2006, U.S. investigators started looking into office-supply retailer OfficeMax due to a major data security breach that affected nearly 200,000 consumers.
While malicious compromises and accidental disclosures of credit card data continue to make the headlines, many companies are still scrambling to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Although the compliance deadline to meet all PCI standard requirements was June 30, 2005, some organizations are nowhere near completion in their compliance efforts. As PCI compliance efforts intensify, internal auditors can provide recommendations to help organizations be on the road to compliance faster.
Endorsed by American Express, Diners Club, Discover Card, JCB International, MasterCard, and Visa, the PCI standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. "The PCI Data Security Standard was created to unify the programs run by different credit card companies, namely Visa's Cardholder Information Security Program and MasterCard's Site Data Protection Program," says David Shackleford, PCI compliance expert and manager of solution engineering for Vigilar, a security solutions company. "The reason for unifying these programs was to help merchants and service providers to better secure their environments, thereby helping them to reduce fraud and other crimes associated with cardholder data."
Credit card companies hope the standard's strict rules will lead to fewer stolen credit card numbers over the Internet. Merchants and service providers that do not comply with the security requirements, which were first introduced in December 2004, are subject to penalties or fines, such as prohibiting the merchant or service provider from participating in the credit card program and paying up to US $500,000 in fines per credit card incident. To obtain the compliance certificate, the PCI requires online retailers to complete a series of 12 steps to be certified annually and checked quarterly. These steps include:
Although the PCI standard applies to merchants and service providers who use, store, process, or transmit credit card information, compliance requirements are based on the organization's payment card processing operations. For instance, businesses are required to perform quarterly network scans to validate the security of their network perimeters. "The credit card companies classify online retailers and service providers based on the number of transactions made throughout the year," adds Earl Crane, information security manager at research firm Strategic Analysis and former senior security consultant with Foundstone, a division of McAfee.
"For many large service providers and merchants, the assessing party will be a qualified data security company — a PCI-approved organization that performs the certification assessment," says Jason Chan, technical manager with Symantec Advisory Services. Once the assessing party is hired, a vulnerability scan on the company's Web space is performed to check for any weak areas.
Companies processing a smaller amount of cardholder records may be required to complete a self-assessment compliance questionnaire. "To complete the self-assessment, smaller merchants and service providers can employ the services of an internal auditor or information security team," Chan explains. When the self-assessment is completed, the merchant or service provider submits the assessment to the acquiring bank — the financial institution that enables companies to accept payment cards for goods or services — which then reviews the self-assessment and certifies the company as PCI compliant.
Organizations also need to document efforts to protect customer account information. This information is stored inside the credit card in three tracks as part of the PCI compliance process. According to Crane, tracks one and two contain similar data, but in different formats. "Both tracks contain the account number and expiration date," explains Crane. "However, track one contains additional information, such as a customer's name, which may be used for nonfinancial purposes, while track two is used during ATM and credit card transactions; track three is a read-write track that's hardly used by banks. Because sensitive data is on multiple tracks, and the difference of protecting one track versus all three is minimal, the PCI requires for all data tracks to be protected and that data is not stored longer than necessary to conduct a transaction."
INTERNAL AUDIT'S ROLE
Regardless of the level of compliance required or the size of the organization involved, internal auditors play a central role throughout the compliance process, bearing a considerable amount of the standard's compliance management effort. At a minimum, auditors manage the entire compliance assessment effort, and in some organizations, they may be responsible for performing the compliance self-assessment. In either case, it is important that auditors responsible for auditing PCI standard compliance understand the extent of the standard and work to ensure that departments affected by the standard are identified as soon as possible.
In addition, internal auditors may be the external point of contact throughout the entire compliance process by serving as the PCI standard compliance manager. Because acquiring banks (i.e., the bank through which payment card transactions are processed) are responsible for evaluating each merchant's adherence to the PCI, auditors working as compliance managers should be in regular contact with the organization's acquiring bank. The compliance manager also must work with the acquiring bank to establish timelines and strategies for achieving compliance with the standard.
To enhance compliance activities, Shackleford recommends that organizations work closely with auditors so that work can be completed in a timely manner. He also recommends that auditors pay close attention to any area that stores or passes cardholder data during quarterly reviews, such as routers, switches, firewalls, databases, wireless systems, applications, and the use of encryption tools. "One of the most common areas that may prevent an organization from obtaining a PCI compliance certificate includes lack of encryption or firewall technologies in the appropriate places because they are such critical foundational components of the program," says Shackleford.
When reviewing organizations for compliance, auditors might want to emphasize that the standard's main goal is to enhance data security — a common goal for all organizations regardless of industry, location, or size. "The PCI benefits online retailers and service providers by allowing them to assess the status of their security with a single set of security requirements for all payment organizations," MasterCard explains on its Web site. "This results in lower costs, reduced complexity, and wider acceptance of standard security requirements for the industry."
TIPS FOR MANAGING PCI STANDARD COMPLIANCE
Many companies have been slow to embrace the PCI DDS. A February 2006 worldwide survey by The Institute of Internal Auditors of organizations that must comply with the standard found that only 34 percent were fully compliant with the standard, while 27 percent were not even thinking about starting any compliance efforts any time soon. These findings were similar to those published in January 2006 by the IT Compliance Institute (ITCI). According to ITCI, Visa reported that merely 30 percent of covered companies were compliant with the standard by the 2005 deadline.
"Many companies have to generate compensating controls for specific components of the standard, particularly when it comes to mainframes and legacy systems that cannot be changed quickly," Shackleford comments. In addition, many companies are somewhat confused by some of the controls in the standard, because they are not explicitly defined." As a result, 100 percent compliance with the standard is taking longer than expected.
Another reason for the lethargic compliance response is lack of time. "Most organizations simply don't have the time to concentrate on PCI compliance-related activities due to the number of requirements they already have to adhere to," Crane says. "Some companies have so many different requirements and mandates being pushed down on them simultaneously, that complying with the PCI is low on their priority lists."
As part of their role throughout the compliance process, internal auditors may be asked to provide recommendations to help companies enhance or initiate their PCI standard compliance programs. Below are three tips organizations and auditors should keep in mind when starting their compliance efforts.
Tip 1: Establish Responsibility
The PCI standard is wide-reaching, touching everything from human resources and vendor relations to firewall configurations and physical security. To manage the overall compliance process efficiently and effectively, it is critical to establish responsibility for all standard requirements throughout the organization. "At the corporate level, an internal compliance manager is usually the person responsible for PCI compliance," Chan says. "This role may be filled by a dedicated compliance officer, or it may be the responsibility of the chief security officer, chief information security officer, or another member of the security or audit management team."
Following are the different business units that could be involved in the organization's PCI compliance efforts and their associated activities:
"Bear in mind that depending on the company's size and complexity, some of these stakeholder roles may not exist or may overlap," adds Chan. "However, the critical issue with identifying these responsible internal parties is to ensure that all PCI requirements can be appropriately evaluated and that issues not in compliance are resolved in an efficient and reasonable manner."
Tip 2: Create an Effective Communication Structure
Regular communication with all responsible parties is an important step for an effective PCI DDS compliance program. Because compliance assessments must occur on an annual basis, internal auditors should update company stakeholders on the status of compliance evaluation and remediation activities regularly.
Furthermore, most organizations subject to the standard have to conduct quarterly vulnerability scans. "As a good business practice, scan results should be addressed in a timely manner. To do this, organizations must have an effective communications structure in place," says Chan. For instance, central data stores, such as intranet sites and Wikis (i.e., Web applications that allow users to add and edit content), work well for publishing documentation and tracking progress, whereas e-mail distribution lists, conference calls, and meetings could be used for periodic status reports or urgent updates.
Tip 3: Prioritize Compliance Efforts
Organizations subject to PCI DDS compliance must adhere to a variety of evaluation points. In fact, those processing large amounts of payment card transactions must meet more than 200 discrete requirements. "Ideally, when determining whether an organization is compliant or noncompliant, these requirements should be weighted equally, and no requirement should be given priority over another," emphasizes Chan. "However, in actuality organizations need to prioritize and schedule remediation efforts based on budget, level of effort required, project schedules, and availability of resources." Hence, once a particular requirement is identified as not being met, the compliance manager should assign the issue a remediation timeframe.
COMMON AREAS OF CONCERN
As mentioned in the previous section, all requirements should be weighted equally when determining an organization's compliance level. However, some areas require more work than others. "Usually organizations that don't have good information security management practices or that don't give PCI compliance a high priority are the ones that have the most difficulty complying with the standard," Crane comments. Below is a list of the main areas companies struggle with throughout their compliance efforts:
1. Data Storage
As would be expected, the PCI standard includes an extensive list of requirements for the proper storage and protection of cardholder data, including encryption and maintenance controls, such as encryption key controls, backup media inventory standards, and media destruction policies. The ability to verify and adhere to these standards requires the organization to have complete knowledge of all cardholder data processing and storage points, which can be one of the more difficult tasks to accomplish, especially for organizations with large and complex card-processing operations.
2. Security Policy
The PCI DDS also mandates comprehensive information security policies covering areas such as patch management, acceptable data use, systems and application development, and change control. These topics must be addressed specifically by the company's policies and procedures and must adhere to all standard requirements.
3. Logging and Auditing
Because standard mandates are meant to protect the entire cardholder data processing and maintenance chain, internal auditing is a critical component of the standard. The various logging and audit controls that the standard outlines are meant to create a reporting trail that allows audit teams to determine exactly who did what and when. These audit requirements affect actions including administrative transactions on systems, access to cardholder data, and changes in access levels and associated authorizations.
For more information about the standard, visit Visa's PCI Program Web page. (PDF, 108KB)
Finally, the ITCI published a question and answer article article about the top 10 pitfalls to avoid in PCI compliance.
Given the breadth and complexity of the PCI standard, it is unrealistic for a single individual to implement an effective compliance effort. In addition, because compliance is an ongoing process, it is inappropriate to relegate compliance responsibilities to a one-time project or checklist item. Organizations that see and embrace the value of developing and enriching internal and external relationships to facilitate compliance management will have the easiest path toward becoming, and remaining, compliant with the PCI standard.
However, the road to compliance is not difficult once organizations get started. "Compliance with the PCI standard is a good representation of security best practices," says Crane. "So, if an organization has already implemented good security best practices, complying with the standard will not be that difficult."
For organizations that are still waiting to initiate their compliance programs, auditors should remind executives that the repercussions for noncompliance extend beyond financial sanctions. According to Shackleford, the recent wave of online criminal activity is reason enough for companies to comply with the PCI standard and similar industry regulations. "Fraud and real criminal activity have superseded script kiddies and other nuisances in information security. Criminal organizations exist that are actively seeking to steal cardholder data for profit, while fraud and identity theft are at an all-time high. Complying with the PCI DDS will help companies make their environments significantly more secure and much more difficult for criminals to break into," concludes Shackleford.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.