The PCI standards give you a check list (a bunch of "standards"). The natural thing to do when you get a list is to work your way through it, right? Right. Well, guess what, that stinks. We tried that - our head hurts & we chased our tail, killed some time and dough, with little of value to show for it. We are doing this to protect our environment, to find the risks and eliminate or mitigate them. That means becoming PCI compliant does NOT start with the check-lists. This "work breakdown" (not quite a plan) gives you an approach to getting there.
Strategies
Avoid - Transfer
No storage
No transmission
equates to external partners
Isolate
Minimize the scope; physical, logical,
Protect
Evolve
[speculating a little here but...] the standards "seem" to be well layered; meaning "C" builds on "B", "D" builds on "C". Jumping right to "D" level compliance can be brain numbing - start small and work your way up seems logical.
Level "B" first
Level "C" second
Project Guidelines
Project Team / Resources
educate the team first!
You won't know / remember everything but build a foundation. You need to know what questions to ask, what kinds of things to look for. Your QSA will help to assess the details and come up with remediation strategies-approaches.
establish governance agency
use structured approach
Does not mean totally linear. Yes, you have to understand Current State before you Assess it, but you don't need to understand the current state of everything. Feel free to take some services through from start to end - learn how to apply a "becoming compliant" process with something small. There is a risk that you take measures which do not "scale" well or would have been better conceived at a holistic level, but just keep in mind "reusability" (can I apply this solution to multiple scenarios?) and "scalability". See the Vector - Progress graphic to understand this concept.
document everything!
- processes
- decisions (& rationale)
- correspondence with QSA
prescribed methods need policy/proc
Any/All instituted changes need the backing/support of formal (vetted, approved) policy - procedure.
QSA throughout the effort
Prioritize
Active Stakeholders
- Information Systems
- Finance
- Revenue / Sales agencies
- Your Bank
Measure progress
Strategize / Plan
Develop Mitigation Strategies (see branch)
Some of the "macro" ones are listed below. Understand and refine those for starters. At a "micro" level - do this in context to your threat vectors - do NOT just randomly apply the PCI standards; maybe that works for some people, but it seems more logical to have a threat-risk as a frame of reference. You are doing this to protect your environment and address the risk - that is the driver (not the standards).
Apply Strategies (how do we remedy)
Consider the following (be comprehensive):
- physical elements
- people
- process (policy-procedure)
  - day-to-day operations
  - how do we "prove" we are doing what we said we'd do?
Use your QSA
Remember, we have our guideline to use the QSA throughout the process, but it is particularly important here. Make sure that your remedies are sound (not only adequate but also not overboard!).
Target State
Directions must be supported by Policy-Proc
Plan (how to get there; what who)
new business model - vendor partnerships
new methods. new job resp.
system upgrades, device upgrades
segregation, education, "clean up", etc
Execute
Do it; work the plan
Validate it (assessments)
Assess - Analyze
Index of potential issues
Index of threat vectors
Typically cross-system but can be specific "systems". For example: "POS Devices", "System-X", "System-Y", "Paper Handling / People". Probably a few different ways to do this.
Business Requirements
If Card Data is stored, we need to understand why - what function it serves. Our compliance solutions cannot cripple service delivery. This does not mean that "reasons" cannot be challenged. Brainstorming can help to identify alternate solutions. For example:
- Business needs to issue refunds at times; do we need Card Data for that? Alternate solution: is re-obtaining the cardholder data viable?
- Business needs to process recurring payments - we don't want to ask the customer for their card data every month. Alternate solution: tokenization
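The two "alternate solutions" above (refunds and recurring payments without holding the card number) and the earlier question of how we "prove" we are doing what we said, as an added illustration that is not part of the original page: a toy tokenization flow in Python. The vault is an assumed stand-in for a provider's tokenization service, the merchant keeps only a token and the last four digits, and a scan of the merchant's own records is the evidence that no PAN is stored.

```python
import re
import secrets

def luhn_ok(pan: str) -> bool:
    # Mod-10 check that real PANs pass: validates input and cuts scanner false positives
    digits = [int(c) for c in pan]
    undoubled = sum(digits[-1::-2])
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[-2::-2])
    return (undoubled + doubled) % 10 == 0

class TokenVault:
    # Assumed stand-in for a provider-hosted tokenization service: the only place a PAN lives
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a PAN")
        if pan not in self._token_by_pan:            # same card always maps to the same token
            token = "tok_" + secrets.token_hex(12)    # random: the token reveals nothing about the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]
    def charge(self, token: str, cents: int) -> dict:
        pan = self._pan_by_token[token]              # PAN used here, never handed back to the merchant
        return {"ok": True, "token": token, "cents": cents, "last4": pan[-4:]}

class Merchant:
    # Merchant-side store: keeps token + last4 only, so no cardholder data is stored here
    def __init__(self, vault: TokenVault) -> None:
        self.vault, self.records = vault, {}
    def enroll(self, customer: str, pan: str) -> dict:
        rec = {"token": self.vault.tokenize(pan), "last4": pan[-4:]}
        self.records[customer] = rec                 # the PAN is not retained after this call
        return rec
    def recurring_charge(self, customer: str, cents: int) -> dict:
        return self.vault.charge(self.records[customer]["token"], cents)
    def refund(self, customer: str, cents: int) -> dict:  # refund by token, no PAN re-entry
        return self.vault.charge(self.records[customer]["token"], -cents)

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list[str]:
    # Evidence check for "no storage": Luhn-valid, PAN-shaped digit runs in stored data
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def merchant_storage_pans(m: Merchant) -> list[str]:
    return find_pans(str(m.records))
```

The scan is the kind of artifact you can hand to the QSA: run it over the merchant data store and keep the (empty) result with the rest of the documentation.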
Current State
Index of Business Services (revenue)
Interview / Survey results
Information / Process Flows & Narratives
Make sure you answer (document) all the questions the PCI survey is going to ask you. This means extra levels of detail. For example: are the users using unique IDs? do printed/produced materials contain the full card number? is there a supporting policy-procedure for the work?
Identify Card Handlers (People)
Can do this at the organizational group and job level. At some point education will need to be targeted to individuals (org mgmt can handle ensuring specific individuals are identified).