Data relating to payment cards is among the most sensitive in the finance industry. PCI regulations seek to minimise security risks relating to payment card data.
Facilitating a successful PCI Compliance programme can seem daunting. It takes a team effort, a systematic approach, and some key tools to be strategically deployed throughout the organisation to help protect sensitive PCI data.
By: Ayesha Khine, Information Security Analyst & Guest Blog Contributor
1. Policies & Procedures
A good place to start is by creating a PCI Compliance handbook, describing how each requirement will affect the business. This helps prevent confusion and policy inconsistencies, and standardises everyone’s expectations throughout the organisation. The handbook will include all your typical information security policies, such as Data Retention, Access Controls, Data Ownership, Governance Processes and Security.
It is a PCI Compliance requirement (12.11) to have a regular self-auditing process in place, which ensures security practices are maintained. This should also be part of the handbook.
A key recommendation is to appoint a czar – a head of the programme. They will distribute the relevant policies and procedures to the various departments, and make sure they have fully understood them. Give each department the templates they need, to help them manage their responsibilities efficiently.
By standardising policies and procedures, the business can tighten its reins on errors or variations that may occur. It is important to remember to keep all documentation up to date as things change, such as changing roles, or when an incident response deviates from the plan.
PCI requirements change slightly on a regular basis, so it is important to be aware of what changes have been added to the standard.
2. Assigning Roles
PCI Compliance requirements cover a complex scope of areas within the organisation.
The best way to get control of this complexity is to break your compliance programme up into manageable pieces, and assign the best possible leaders to take responsibility for each section. This will help improve your visibility of the programme, and will be key to its overall success.
Everyone needs to know what they are doing, and how they are going to achieve it. Notify employees of their responsibilities under PCI, including what evidence they need to produce and when.
Distribute a RACI (Responsible, Accountable, Consulted and Informed) chart which identifies who is leading on what. This will help people identify whom to speak to, to get clarity on anything they’re unsure about.
Setting out PCI programme deliverables each month can help minimise the overwhelming amount of information required. Regular notifications should encourage employees to set time aside for their PCI responsibilities, and will help people keep their PCI Compliance responsibilities in sight.
3. Securing Unstructured Data
Sensitive PCI data is often copied into documents and files, such as letters, internal analyses and management communications. Many PCI requirements (e.g. 3.2, 3.2.1, 3.2.2, 3.2.3) focus on securing and controlling access to these files, under a variety of highly dynamic business circumstances.
It is critical to take control of access to these documents and files, and be ready to demonstrate that control under audit or spot-check at any time. The process for achieving this control can be summarised as:
- Identify where your sensitive data lies
- Identify the ‘business owner’ for all sensitive data – who is best placed to understand the sensitivity and security of the information, and to make decisions regarding it? Implement processes to smoothly manage the transition of ownership as the business evolves.
- Determine who should have access to what, and implement an access certification programme to regularly align the correct access with evolving business needs
A clear matrix of roles and responsibilities across each department can help guide the most appropriate ownership and data access decisions. The consequences of mismanaged unstructured data could involve serious security breaches, data loss or exposure, fraud and legal problems – not to mention serious PCI non-compliance.
Data Access Governance (DAG) allows organisations to extend access governance to unstructured data. This should encompass all unstructured data stores, from File Shares to SharePoint Sites. A consistent, unified view of access controls across all platforms is key to efficiently meeting compliance requirements.
Tools which automatically control access to information at a granular level provide a powerful way to properly secure unstructured data.
Torsion Information Security is a powerful tool for meeting PCI requirements around unstructured data, including management of ownership, access automation and regular certification of security configurations.
4. Securing Structured Data, Applications and Hardware
Security Information and Event Management (SIEM) solutions provide real-time analysis of security events around the applications and hardware in the Card Holder Data Environment (CDE).
Identity and Access Management (IAM) solutions can help to meet PCI’s strong emphasis on managing users’ identities, including additions, modifications, and deletions of user credentials. Activities by terminated user accounts should also be actively monitored by the SIEM.
PCI also includes some demanding requirements around the security of computing end-points and host PCs. Redundant services and scripts must be disabled, and antivirus solutions must be deployed, maintained and fully patched. The SIEM ties these together, collecting logs, monitoring ports, and detecting vulnerabilities in protocols and services.
Finally, the SIEM enables auditing, and exception alerting for accesses and updates to system-level objects pertaining to structured data, such as database tables and stored procedures.
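The two SIEM use cases above, activity by terminated accounts and changes to database objects such as stored procedures, come down to a correlation rule. The following is an added example, not code from the original post: it parses constructed syslog-style authentication events and raises an alert for any event by an account after its termination timestamp taken from an assumed HR/IAM feed. The log format, usernames, hostnames and addresses are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed terminated-account feed: username -> time the account should have been disabled.
TERMINATED = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 2, 15, 9, 0),
}

# Constructed log lines in an assumed "timestamp host auth: key=value ..." format.
SAMPLE_LOG = """\
2024-03-02T08:12:41 db01 auth: user=jdoe action=login result=success src=10.0.5.20
2024-03-02T08:13:05 db01 auth: user=mbrown action=login result=success src=10.0.5.21
2024-02-14T10:00:00 db01 auth: user=asmith action=login result=success src=10.0.5.22
2024-03-03T02:45:10 db01 auth: user=jdoe action=stored_proc_update object=dbo.ChargeCard result=success src=10.0.5.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Parse one log line into a dict of fields; return {} if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    event = {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def terminated_account_activity(log_text: str, terminated: dict) -> list:
    """Return one alert per event performed by an account after its termination time."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        cutoff = terminated.get(ev.get("user"))
        if cutoff is not None and ev["ts"] > cutoff:
            alerts.append({
                "user": ev["user"], "ts": ev["ts"].isoformat(), "host": ev["host"],
                "action": ev.get("action"), "object": ev.get("object"), "src": ev.get("src"),
            })
    return alerts


if __name__ == "__main__":
    for alert in terminated_account_activity(SAMPLE_LOG, TERMINATED):
        print(alert)
```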
5. Data Security is Everyone’s Job
Data Security and PCI Compliance need to be part of everyone’s daily routine. Helping to keep sensitive data secure needs to stay in the back of everyone’s mind, regardless of their role.
Continuous training for employees can help them adhere to PCI requirements, identify circumstances that could breach PCI Compliance, and help address data security vulnerabilities.
Daily reminders, posters and newsletters are all valuable tools for constantly reinforcing employee responsibilities towards data security. Other resources such as blogs, vlogs, videos, white papers, libraries, reports, and infographics can also be a huge help.
It is also important to have a clearly-defined process for communicating to employees, such as updates to responsibilities, role assignments and standards. Equally, the process needs to clearly define how employees can respond to queries, circumstances they identify, or seek assistance with challenges they’re dealing with while carrying out their PCI Compliance responsibilities.
A few more points to consider when securing PCI:
Firewalls – Make sure they are configured correctly; they will be of very little help if they are not configured to filter the correct traffic in and out of your environment.
SPAM Filter – Phishing attacks are still a very typical way of collecting data from unknowing users. Having a strong SPAM filter can help reduce the risk of being vulnerable to such an attack.
Remote Access – Many data breaches are still caused by insecure remote access. Making sure remote access has been configured suitably can enhance protection against attacks.