
Tech Insight: Navigating The Murky Waters Of PCI Implementation

PCI compliance can work for your security program. The key is understanding your assessor's needs

Aug 24, 2011 | 07:45 PM | 

By Adam Ely, Contributing Writer

If you're a security pro, you probably have a love-hate relationship with PCI compliance. You love it when you're fighting for budget. You hate it when you're dealing with loose, sometimes illogical, and redundant requirements and unpredictable assessors. Either way, most of us are stuck with it -- so it pays to know the tricks of implementing PCI in a way that works well for the security cause.

One of the biggest gripes about PCI is that it's time-consuming. Automation is key to reducing the operational impact of recurring tasks and assessments, and to ensuring consistency. Most people naturally think of big, expensive automation tools and instantly launch into a sad story about lack of budget. But there are free tools (such as Puppet), and near-free tools that serve as correlation and automation engines inside existing tools.

There are also ways to automate some of your recurring tasks to meet security requirements and compliance requirements, and to produce evidence in areas ranging from log reviews to vulnerability assessments.

PCI requires log review, and the logging of certain types of events. When the assessor comes on site, he or she will need to review these logs in order to verify that you are performing the required security tasks. Many organizations schedule meetings with the assessor and administrators to sit down, review the logging configuration, and review log storage. This takes time away from our regular work and adds to our already busy schedules.

Consider using automation tools to automatically enforce logging configurations and to generate a log of these actions. Give the assessor access to a logging dashboard that offers either prebuilt, ad-hoc search queries or views developed specifically for PCI. Automation, configuration management, centralized logging, and log review dashboards are all things that are useful to the security operation regardless of assessments, so these functions offer multiple benefits while reducing time spent with the assessor. Not that we don’t love spending time with assessors.
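As an added illustration of the enforced logging configuration described above (this is example code, not from the article or from Puppet's own documentation): a Puppet class that keeps syslog forwarding and audit rules in the required state on an in-scope host. The collector hostname, file paths, audit keys and RHEL-family package names are assumptions.

```puppet
# Added example, not from the article: a Puppet class that enforces the
# logging configuration on an in-scope host. Collector hostname, paths,
# audit keys and RHEL-family package names are assumptions for illustration.
class pci_logging (
  String $collector = 'logs.example.internal',  # assumed central log server
) {
  package { ['rsyslog', 'audit']:
    ensure => installed,
  }
  service { 'rsyslog':
    ensure  => running,
    enable  => true,
    require => Package['rsyslog'],
  }
  # Forward every local syslog message to the collector over TCP ("@@").
  # A manual edit is reverted on the next agent run and shows up as a
  # corrective change in that run's Puppet report.
  file { '/etc/rsyslog.d/50-central.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "*.* @@${collector}:514\n",
    require => Package['rsyslog'],
    notify  => Service['rsyslog'],
  }
  # Audit rules so that changes to the logging configuration and to the
  # log files themselves are recorded: tampering with logging is logged.
  file { '/etc/audit/rules.d/50-logging.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => @(RULES),
      -w /etc/rsyslog.conf -p wa -k logging_config
      -w /etc/rsyslog.d/ -p wa -k logging_config
      -w /etc/audit/ -p wa -k audit_config
      -w /var/log/ -p wa -k log_tamper
      | RULES
    require => Package['audit'],
  }
  # Reload the audit rules only when the rules file actually changed.
  exec { 'load-audit-rules':
    command     => '/sbin/augenrules --load',
    refreshonly => true,
    subscribe   => File['/etc/audit/rules.d/50-logging.rules'],
  }
}
```

Each agent run produces a report listing which of these resources it had to correct, which is the kind of evidence of enforcement an assessor can review from a dashboard instead of in a meeting.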

While automation is sometimes hard or slow to implement, documentation isn't. Documenting where your assessment evidence lives, who is responsible for it, and how it works, and keeping that documentation up to date, can save a tremendous amount of time during the assessment. It can be painful convincing everyone to do the documentation -- but remind them how painful it is to answer the same questions multiple times each year, and explain that documentation will reduce meetings and questions from assessors.

Assessors will be obligated to verify some facts, but the better their understanding of the situation when they walk into the meeting, the better your chances of completing the assessment quickly. When documenting your controls and processes, create a matrix that maps items to not only PCI, but also to other relevant compliance or audit requirements. This will allow you to get a head start on other assessments, identify what can be reused, and reduce future effort.

The more information you can document, the less time you’ll spend on future assessments. Document as much as possible -- include what evidence was provided to the assessor for sampling or verification, the commands you ran to gather the evidence, and any screenshots that were created. This will help reproduce evidence in future years and reduce discussion of what is acceptable or what was provided last year.

The most important thing after creating the documentation is to ensure the assessor reads it before meeting with staff. The purpose of the documentation is to reduce effort during the assessment. When negotiating the statement of work (SOW) with your assessor, they will require that you provide certain information before the engagement starts, and that they have access to the staff.

Use the SOW negotiation to your advantage as well. Require the assessor to review the provided documentation -- and to close any items that can be resolved through documentation review before coming on site. This will ensure that the assessor reviews the documentation before meeting with your staff -- if they don't, they are in violation of your contract, and you can turn the tables on the PCI process.

The intent of any assessment is to understand areas of risk with an eye on remediating vulnerabilities and improving your operation. Unfortunately, PCI assessments are painful for many, mostly due to loosely-defined standards, misinformed assessors, inconsistencies between assessors (even those who work for the same organization), and lack of preparedness by those being assessed.

To reduce the pain of PCI assessments, prepare early, assess throughout the year, and implement automation and documentation. To reduce daily problems during the assessment, be up front and clear with your assessor about expectations and timelines.

When the assessor inevitably states that they are "bound by the PCI Council" -- which seems to be their favorite excuse -- remind them that they work for you. An assessor's job is to evaluate, provide guidance, and find accurate ways to show that your organization meets PCI's intent. The PCI Council represents the best interests of the credit card brands -- your assessor should represent your organization's best interest.
