Using GAIT for PCI Compliance

Feature articles cover the full gamut of IT audit subjects, including the latest trends, techniques, and research in technology.

Using GAIT for PCI Compliance

As organizations continue to work on their PCI compliance initiatives — or begin their PCI compliance journey — internal auditors can provide much-needed help by using the steps outlined in the GAIT methodology.

RAQUEL FILIPEK
EDITOR, ITAUDIT

Nearly three years have passed since the compliance deadline with the Payment Card Industry (PCI) Data Security Standard (DSS) was enacted. Since then, many credit card merchants and service providers have struggled in their compliance efforts, sometimes doing too much work, while other organizations have done little if any compliance work. "There are so many PCI requirements that some organizations are spending huge amounts of money to comply when a more sensible risk-based approach could be taken," says James Reinhard, CIA, audit manager with real-estate investment company Simon Property Group Inc.

While the road toward PCI compliance might seem difficult and even wearisome, new help is on the way. Last year, The IIA released the first practice guide in its Guide to the Assessment of IT Risk (GAIT) series, The GAIT Methodology, to help managers and internal auditors identify the key IT general controls needed for an efficient and effective scope of work for Section 404 of the U.S. Sarbanes-Oxley Act of 2002. Realizing the similarities between PCI and Section 404 IT general controls, many organizations and internal auditors have used GAIT as a way to enhance their PCI compliance activities.

THE OBSTACLES

The PCI standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. According to the standard, there are 12 overall PCI compliance areas that break down into 888 specific IT general controls. (For more information about the standard or the compliance areas, read "What Is the PCI?") In addition, merchants and service providers may fall on different compliance levels depending on their number of credit card transactions.

Currently there are four levels for merchants and three for service providers, in which level one is the highest level for both. More specifically, the standard requires on-site audits by a third party for level-one merchants and levels one and two service providers. Levels two, three, and four merchants and level-three service providers only have to conduct an annual self-assessment that states the company is compliant with the standard.

Given the sheer number of controls and the different merchant and service provider levels, it is not hard to understand why compliance with the standard has taken longer than expected. "Because of the huge number of PCI requirements, one of the problems many companies are having is that they are doing way too much work trying to scope everything or are not scoping the necessary controls and, as a result, are not fulfilling the necessary compliance requirements," comments Gene Kim, chief technology officer of configuration audit and control solutions provider Tripwire Inc.

Furthermore, there is little PCI guidance for organizations. "There's no guidance for PCI

What Is the PCI?

Endorsed by American Express, Discover Card, JCB International, MasterCard, and Visa, the PCI requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt security controls that ensure the integrity of customer information.

To obtain a compliance certificate with the standard, which was first introduced in December 2004, online retailers need to complete a series of 12 steps that must be certified annually and checked quarterly. These steps include:

  • Installing and maintaining a firewall to protect data.
  • Not using vendor defaults for system passwords and other security parameters.
  • Protecting stored data by developing a data retention and disposal policy, among other activities.
  • Encrypting transmission of cardholder data and sensitive information across public networks.
  • Using and regularly updating antivirus software.
  • Developing and maintaining secure systems and applications.
  • Restricting access to data on a need-to-know basis.
  • Assigning a unique identification number to each person with computer access.
  • Restricting physical access to cardholder data.
  • Tracking and monitoring access to network resources and cardholder data.
  • Testing security systems and processes regularly.
  • Maintaining a policy that addresses information security.

Although the PCI standard applies to merchants and service providers that use, store, process, or transmit credit card information, the security practices outlined in the PCI can be used by any organization that wishes to enhance existing data controls. For instance, businesses are required to perform quarterly network scans to validate the security of their network perimeters.

compliance, so everyone's on their own as far as interpreting the correct way of complying or even auditing compliance with the standard," explains Reinhard. This lack of guidance is resulting in different compliance approaches. As Kim explains, "There's a tremendous amount of variance in compliance methodologies, thus organizations are implementing each requirement in a different way and, more importantly, they are enforcing the standard differently as well."

Finally, this lack of guidance is creating a feeling of helplessness as organizations try to make the best compliance decisions on what controls to implement. "Many organizations feel contractually helpless as they are pushed into an all-or-nothing compliance scenario," Kim says. "Either they implement every single control to be in compliance, or they implement too few controls or the wrong controls, making them noncompliant."

USING GAIT

As organizations move forward with their PCI compliance efforts, some have turned to the approach outlined in The GAIT Methodology for help. GAIT provides a set of IT principles and an approach to scope the IT general controls that need to be included in annual assessments of internal controls over financial reporting. "The PCI is a cumulative set of technical requirements auditors can use to ensure specific compliance," explains Reinhard. "Auditors are used to working with risks and control objectives and may have a somewhat difficult time focusing on specific 'yes or no' compliance responses. GAIT can assist auditors by enabling them to focus on more concrete control objectives, which will allow management to scope appropriately and defend their control strategies."

Although originally created to help organizations prepare Section 404 compliance programs that are in line with the internal control objectives established by the Committee of Sponsoring Organizations of the Treadway Commission, the Methodology has been used successfully by different organizations for their PCI compliance efforts. "By providing a common framework and scoping criteria, GAIT has helped managers, internal auditors, and IT professionals work more effectively in their Section 404 compliance efforts," says Steve Mar, associate with Resources Global Professionals, a professional services consulting firm in Seattle, Wash. As Mar explains, there are common areas where the PCI and GAIT call for management attention. The PCI compliance effort consists of 12 requirements that focus on specific IT general control areas, such as developing and maintaining secure systems applications and restricting access to data. Similarly, GAIT considers IT general controls in the network infrastructure, such as change management, operations, and security.

Besides scoping activities, GAIT can be used during the PCI compliance planning phase, as Nelson Gibbs, a senior manager with Deloitte and Touche LLP's Audit and Enterprise Risk Services practice, comments: "We've used GAIT in more of the earlier phases of our PCI compliance efforts, such as when identifying the critical systems that will be subject to review later on."

More specifically, "GAIT can help managers and internal auditors to understand the processes and systems associated with accepting, processing, and storing credit card transactions by focusing their attention on payment processing activities using a top-down approach," explains Tabitha Gallo, senior IT audit manager for Business Objects, an SAP company. "By using the principles in GAIT, organizations can make overarching decisions based on the risk of unauthorized access and use of credit card processing information and, as a result, limit their focus to key controls while minimizing resource outlays and the time needed to implement a compliant process."

Special Considerations
While the scope of work called for in GAIT for Sarbanes-Oxley Section 404 is similar to that needed for PCI compliance, there are a number of considerations internal auditors and managers need to keep in mind before using this framework. "First, auditors and managers need to realize that GAIT can help assess risks at a higher level since its main goal is to focus on financial statement accuracy and completeness, while the PCI's objectives focus on payment card industry transaction security, accuracy, and completeness," says Mar.

However, this caveat shouldn't deter organizations from using GAIT, Mar explains. "Although the risk assessments vary in their scope and detail level, auditors and managers can still use GAIT to identify common tests that can support both Section 404 and PCI testing objectives," he says. "For example, if a significant financial statement account control for Section 404 compliance relies on a control objective that calls for developing secure systems and applications, which in turn is a PCI compliance objective, then the scoping and testing might be leveraged to achieve both control objectives."

Leveraging PCI and Section 404 testing and scoping activities can save organizations time and money in the short and long term and avoid redundant audit work. "If an auditor tests a Sarbanes-Oxley application control and it works correctly, does the auditor need to retest that same control for PCI compliance?" Reinhard asks. "In my opinion, it doesn't matter what you test the control for, as long as it is tested and works."

Another issue to keep in mind is the objective nature of PCI compliance. As Gibbs explains, "scoping activities for Sarbanes-Oxley or any kind of regulatory environment are more subjective in nature. It's a lot easier to move controls in or out of scope." On the other hand, PCI scoping efforts are more objective. If there is credit card data residing on a part of the network, for example, then that part of the network is in scope regardless of how big or small it is. "While GAIT offers organizations great flexibility in determining which areas are in scope or not, when used in an environment that's not so flexible, it might not be as powerful," Gibbs adds. Again, Gibbs believes this shouldn't affect the use of GAIT for PCI compliance. Instead, he advises auditors to understand GAIT's main purpose and use the methodology appropriately, like any other tool.

Finally, managers and auditors need to keep in mind that organizations do not need a tight set of controls around business change management for GAIT to be effective. "GAIT provides a living approach that allows organizations to modify their existing IT general controls. As new elements — such as new technology, systems, or organizational relationships — are added, their impacts to the PCI process are assessed, and risks are added or downgraded," Gibbs comments. Additionally, GAIT provides a documented process that can be tailored to the individual organization, so once auditors complete the risk assessment, they have the basis for discussions with examiners and for validation with risk and governance committees.

GETTING STARTED

Before leveraging GAIT for PCI compliance and commencing the planning phase, Mar recommends auditors and managers make sure key individuals and company stakeholders support the effort. "Depending on the organization's size, the PCI compliance team may have no visibility into the Section 404 compliance effort," Mar says. "In cases like this, only when a network assessment team or operations stakeholder receives similar requests for compliance testing of the same security procedures or network controls does it become apparent to the team or stakeholder that the company has similar needs for two different purposes," explains Mar. Therefore, gaining the support of key individuals up front can help the organization consolidate similar requests and, consequently, avoid duplicating much of its scoping and testing activities.

After gaining the support of key stakeholders, the PCI compliance team is ready to begin the planning phase. "Let's assume an organization must comply with Section 404 and the PCI in the current fiscal year," Mar says. "The organization should first begin the planning phase by documenting, researching, and identifying each of the PCI's 12 core requirements and Section 404 significant accounts." As Mar explains, doing so will provide the basis to develop the scope and approach to assess common risk areas for both Section 404 and PCI compliance testing. Next, the compliance team should consider using the GAIT approach to help earmark which PCI tests can fulfill the Section 404 testing. "This can help reduce duplication of efforts and provide a basis to assert control effectiveness and compliance for both PCI and Section 404," says Mar.

As part of the planning and implementation phase, Gallo recommends that auditors help organizations stay focused. "If there isn't a significant risk of unauthorized access and use of credit card data, why spend time and resources implementing controls that will address it?" he asks. "The chance of missing a significant risk to the PCI process is minimized as a consistent and repeatable process such as GAIT is implemented." Furthermore, auditors need to understand the approach and principles discussed as part of the GAIT Methodology. To this end, Gallo recommends auditors to find a peer company that has used GAIT for Sarbanes-Oxley or PCI compliance to identify how these organizations focused their scoping efforts.

For organizations in need of more concrete guidance, The IIA will be releasing a series of case studies that provide real-life examples of companies that have applied the GAIT Methodology for PCI compliance. "These scenarios are going to be modeled after three archetypal organizations," comments Reinhard. "For example, one case study will look at the PCI compliance activities of a retail company. Overall, however, all case studies will demonstrate the thinking process of how scoping decisions were made and the effectiveness of the compliance programs."

Until then, auditors can start by getting acquainted with GAIT. "Given the current lack of PCI compliance guidance, organizations are looking for a way to consolidate their efforts just like they did when Section 404 first came out," concludes Kim. "I think GAIT provides a thinking process that can help auditors and managers to scope the necessary controls and applications that need to be in compliance and justify their decisions."

RESOURCES

For more information about the PCI standard, auditors can visit:

To download The GAIT Methodology or for additional information about GAIT, including the two most recent GAIT practice guides, GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk, visit The IIA's Technology Practice Web page.