FAQ – Important Security Questions and Answers
How do I select the best QSAC (PCI auditor) for my PCI audit?
Experts agree that the PCI Data Security Standards are a great starting point for the security of an organization. You should consider PCI compliance a good opportunity to obtain a base level of security. If you approach PCI with this in mind, you will want to look for a company whose assessors will be able to provide value and advice to your company as it goes through the assessment process.
You will be working closely with your assessor, so it is a good idea to speak with them beforehand to verify that they are someone you will be able to work with. It is also good practice to take a look at your potential assessor's résumé to evaluate their qualifications.
What are the most common reasons a company fails its Audit?
Previously non-compliant organizations that attempt an assessment without a gap analysis or remediation will almost always fail. To ensure the success of your audit, you need to take the steps necessary to become compliant before the actual assessment. Similarly, if your organization was previously compliant but underwent any network changes over the previous 12 months, you should conduct a new gap analysis before attempting an assessment.
In a sample of 112 VeriSign assessments, 30 ultimately passed and 82 did not. The most common reason for failure was a lack of protection of stored data (PCI-DSS requirement 3). Other common reasons for failure are a lack of regular testing of security systems and processes and a lack of tracking and monitoring of all access to network resources and cardholder data (PCI-DSS requirements 11 and 10, respectively). PCI compliance may be time consuming to achieve, but the requirements are straightforward and effective. Organizations that take a “security first, compliance as a result” approach to PCI should have little trouble maintaining compliance.
What does a PCI Security Assessment (Audit) entail?
The purpose of the audit is to verify how well a company complies with the PCI Data Security Standards. To make an accurate assessment, the auditor will review documentation of company policy, observe system settings and configuration files, interview managers and employees, review logs, and perform other actions needed to verify compliance. The documentation review may be started before the auditor is actually on site to reduce cost and speed the process of the audit. After the on-site audit is concluded, the proper paperwork is produced to certify the company compliant.
What is PCI Compliance?
PCI stands for Payment Card Industry. The PCI Security Standards Council is the organization that the major credit card companies – American Express, JCB, Discover, MasterCard, and Visa – organized to create standards and regulations for the protection of consumers’ data. The standards that the council devised are the PCI Data Security Standards (PCI-DSS). These standards and their associated regulations took effect on June 30, 2005. Every merchant, issuing and acquiring bank, and service provider must comply with these regulations or they will be penalized by the card brands.
PCI compliance refers to whether or not the current state of a company meets the PCI Data Security Standards. All companies that handle card data are responsible for continuously meeting 100% of these standards. Certain companies, including large merchants, issuing and acquiring banks, and service providers must have their compliance verified at a point in time during an annual on-site assessment by a qualified security assessor (QSA). Other companies must vouch for their own compliance via a self assessment questionnaire (SAQ).
For more general information on PCI, please refer to our PCI services page. Feel free to contact us for an assessment quote or with any other questions.
Do I need to be PA-DSS Compliant?
Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.
To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor (PA-QSA). PA-DSS requirements include:
- Do not retain full magnetic stripe, card validation code or value, or PIN block data.
- Provide secure password features.
- Protect stored cardholder data.
- Log application activity.
- Develop secure applications.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure network implementation.
- Do not store cardholder data on a server connected to the Internet.
- Facilitate secure remote software updates.
- Facilitate secure remote access to applications.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers and integrators.
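The first requirements on this list forbid retaining sensitive authentication data (full track data, CVV/CVC, PIN blocks) and require protecting stored cardholder data. A practical way to check an application's output against them is to scan its logs and data stores for magnetic-stripe track data and for Luhn-valid primary account numbers (PANs). The scanner below is an added example written for this FAQ; it is not PCI SSC or vendor code. The log lines are constructed and use the 4111 1111 1111 1111 brand test PAN, not real card data, and the track formats and field names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# ISO 7813 track layouts (simplified): Track 1 = %B<PAN>^<NAME>^<YYMM...>?, Track 2 = ;<PAN>=<YYMM...>?
TRACK1_RE = re.compile(r"%[A-Z]\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
# Candidate PAN: 13 to 19 digits not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample log (test PAN only) showing the cases a scanner must handle:
# a cleartext PAN, Track 2 dumped by debug logging, an already-masked PAN,
# a long numeric order id that is not a card number, and Track 1 data.
SAMPLE_LOG = """\
2024-03-01 12:00:01 auth ok pan=4111111111111111 amount=19.99
2024-03-01 12:00:02 debug track2=;4111111111111111=25121011234567890?
2024-03-01 12:00:03 auth ok pan=411111******1111 amount=5.00
2024-03-01 12:00:04 order id=1234567890123 customer=42
2024-03-01 12:00:05 debug track1=%B4111111111111111^DOE/JOHN^25121011234567890?
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits in displayed output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "track1", "track2" or "pan"
    masked: str    # never carry the full PAN out of the scanner


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings = []
    remaining = line
    # Track data is prohibited outright (PA-DSS requirement 1), so report it first
    # and blank it so the embedded PAN is not double-counted below.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = re.search(r"\d{13,19}", m.group(0)).group(0)
            findings.append(Finding(line_no, kind, mask_pan(pan)))
        remaining = rx.sub(" ", remaining)
    # Remaining cleartext PANs must pass Luhn to count; masked PANs never match.
    for m in PAN_RE.finditer(remaining):
        if luhn_valid(m.group(0)):
            findings.append(Finding(line_no, "pan", mask_pan(m.group(0))))
    return findings


def scan_log(text: str) -> list[Finding]:
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(n, line))
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run against the constructed log, the scanner flags line 1 (cleartext PAN), line 2 (Track 2) and line 5 (Track 1) while ignoring the masked PAN and the order id. In practice you would point `scan_log` at application logs, database dumps and crash files, and treat any track finding as a must-fix before the assessment.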
What is remediation and how is it done?
Remediation is the process of correcting the vulnerabilities in your network. This is usually preceded by an analysis of the current state of your network to determine vulnerabilities and appropriate fixes. During remediation our consultants can correct the problems themselves or they can guide your employees through the process.
If you have never been PCI compliant before, the most cost effective approach is to conduct an analysis of your current security level (usually called a gap analysis), then perform remediation before receiving your on-site assessment or filling out your questionnaire. If the same company performs your remediation and assessment it will save your organization time and money.
What is the shortest path to get my company secure?
If you don’t know if your company is secure or have never received an external audit, odds are you aren’t secure. The best first step is to receive a gap analysis by one of our highly qualified consultants. They will be able to report on the current status of your network and identify the vulnerabilities your company has. They will also help you formulate a plan for becoming secure. We can perform the remediation for you or guide your employees through the process. Our consultants have extensive experience managing large remediation projects and will make the process as painless for you as possible.
What PCI requirements apply to me?
In short, if you touch cardholder data at any point you are required to comply with PCI and are responsible for meeting all of the PCI-DSS requirements. The method for proving your compliance may differ depending on the type of company you are. If you are a merchant, your PCI responsibilities should be communicated to you by your acquiring bank; if you are a bank, they are communicated by the card brands directly. Remember, the method of proving compliance is determined by the card brands and not by the PCI Council.
Below you will find links to the card brand sites where you can learn the specific requirements that apply to your organization:
- American Express
- Service Providers
What is SRED?
SRED stands for secure reading and exchange of data. The SRED module ensures that cardholder account data is protected at the point of acceptance, which will assist in meeting the required security considerations of the wider point-to-point security process. SRED is not in itself an answer to how to deploy point-to-point encryption, but is an important first step covering encryption at the point of entry.
The SRED module gives vendors a clear set of security criteria to build and test against, and enables them to provide support for point-to-point encryption. It also provides merchants with a reference listing of products tested against SRED criteria.
What is P2PE?
A point-to-point encryption (P2PE) solution is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.
A PCI P2PE solution must include all of the following:
- Secure encryption of payment card data at the point-of-interaction (POI)
- P2PE-validated application(s) at the point-of-interaction
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.
What is PCI PED?
PCI PED Security Requirements are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics.
Device characteristics are those attributes of the PED that define its physical and its logical (functional) characteristics. The physical security characteristics of the device are those attributes that deter a physical attack on the device; for example, the penetration of the device to determine its key(s) or to plant a PIN-disclosing “bug” within it. Logical security characteristics include those functional capabilities that preclude, for example, allowing the device to output a clear-text PIN-encryption key.
Device management considers how the PED is produced, controlled, transported, stored, and used throughout its lifecycle. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics.
What is PABP?
The Payment Card Industry Security Standards Council maintains PA-DSS, which it published in 2008 as a replacement to Visa’s Payment Application Best Practices (PABP). PABP was Visa’s attempt to guide software vendors in creating secure applications. However, it lacked widespread adoption.