PCI Managed Services – A New Approach to PCI Compliance from Stickman

The Payment Card Industry (PCI) Data Security Standard (DSS) is a data security standard that is acknowledged worldwide. It helps organisations develop processes and controls to secure their confidential information, in particular, cardholder data. It lists operational and technical requirements and is applicable to any organisation that stores, processes and transmits cardholder data.

PCI DSS is governed by the PCI Security Standards Council, which was founded by five major card brands: Visa, MasterCard, Discover, American Express and JCB. Although compliance with PCI DSS seems complicated and frustrating to most merchants, it saves them a lot of future trouble that could result from data breaches. It also gives credit card companies assurance that their client is taking all possible measures to keep cardholder data secure. However, the real difficulty lies not only in achieving PCI compliance, but also in managing and maintaining it as an ongoing process.

Merchants, especially small ones, are the most vulnerable to threats of data breaches as they are the least expected to have taken measures to protect payment card data. According to research by Visa, Level 4 merchants are targeted for payment card information more than 80% more often than others. Hence, it is as important for small merchants as for large ones to achieve PCI compliance. However, getting an annual certificate doesn’t mean you can shrug the compliance burden off your shoulders for a year. Rather, compliance is a continuous process of assessment, remediation and reporting.

Stickman – A New Approach to PCI Compliance

At Stickman Consulting, we strive to provide the best possible services to our clients with a team of qualified and experienced professionals. We have a specialised, comprehensive and practical approach towards PCI DSS services. Our experience in this industry has helped us develop a successful approach to help clients achieve and manage PCI DSS compliance.

PCI DSS compliance programs usually end after a gap analysis has been conducted, leaving you to do the remediation with little or no practical guidance. We go far beyond this. We know PCI remediation is a strenuous and time-consuming process, so our approach aims to take compliance into our hands from start to end: as a managed service.

Our service provides a one-stop solution to our clients by doing everything for them from scoping and gap analysis to implementation, certification and maintenance. Our structured, proven remediation plan is the key to maintaining ongoing PCI DSS compliance. The following is a roadmap for how we help our clients achieve and maintain PCI compliance as a managed service with the help of our team of experts and professionals.

  1. Determining what type of PCI DSS compliance is required

Your business processes and the transaction volume of your cardholder data indicate what “type” of PCI DSS compliance your organisation needs. PCI SSC provides different kinds of Self-Assessment Questionnaires (SAQs) that help with the initial assessment. Depending upon the level of your organisation, our team will help you self-assess or provide you with a Qualified Security Assessor (QSA) to do an onsite Level 1 assessment.

  2. Determining the scope of your cardholder data environment

After the identification of a required and suitable SAQ or onsite Level 1 assessment, we help you scope your cardholder data environment (CDE) to arrive at the current or as-is cardholder data flows. This step is crucial given that many organisations benefit from reducing the scope in the first instance before a gap analysis is done. If there is potential to reduce the size of the cardholder data environment, the Stickman team will review the current or as-is cardholder data flows and consult with the key stakeholders in your organisation to arrive at the future or to-be cardholder data flows and environment. Once the future state is confirmed and approved, the next step is to conduct a gap analysis.

  3. Conducting initial gap analysis

After identifying a required and suitable SAQ or onsite Level 1 assessment, we help you conduct a thorough gap analysis of the future or to-be cardholder data environment, based upon the requirements of the appropriate SAQ or, for a Level 1 onsite assessment, the complete PCI DSS standard.

  4. Dividing remediation tasks into various categories

Not everyone is good at everything. Therefore, it is important to categorise remediation tasks and assign them accordingly. For example, gaps in policies and procedures should be remediated by someone who is experienced in technical writing, while misconfigured servers should be addressed by an expert in operating systems and applications. Stickman will also assist in identifying remediation tasks for networks, applications and databases, along with the secure deletion of cardholder data that is not required. The larger the cardholder data environment, the more complex the remediation tasks will be. For example, if a bank stores, processes or transmits cardholder data, Stickman will conduct a thorough review of all the elements to make sure the remediation tasks are categorised and carried out smoothly.

  5. Determining the requirement of any new tools and products

Now that remediation tasks have been categorised, we determine what exactly needs to be done to put the remediation to work. For areas you may not have the time or required technical experts to address, we bring in new tools, products and most importantly, additional manpower. Remediation often revolves around the development of policies and procedures, and technical issues such as hardening, audit trails, logging, and the implementation of monitoring tools like File Integrity Monitoring.

  6. Remediating and Testing

We set a remediation timeframe for ourselves and work to it accordingly. Also, tests are conducted to check that all components in the scope are meeting the standard requirements. Additionally, because compliance is an ongoing process, we provide an annual checklist to the client.

How can we help you with our remediation services?

  • Stickman Consulting provides assistance to its clients for developing and implementing an Information Security Program to achieve and maintain compliance in accordance with PCI DSS. This includes awareness sessions, policies, procedures, vulnerability management and a risk management program.
  • Our security awareness training sessions will address the biggest weakness of organisations in terms of information security – the employees! We provide regular training sessions to employees, managers and other staff to keep them aware of the latest security issues and PCI DSS changes.
  • Our vulnerability management service aims to address the issues of identifying vulnerabilities, scanning, patching and risk rating.
  • Our security monitoring services include file integrity monitoring, audit logging, IDS monitoring and A/V monitoring.
  • Our security testing service allows regular, scheduled testing of the service to ensure compliance. Security tests include penetration testing, vulnerability scanning, web application security testing and wireless security testing.
  • Stickman Consulting’s incident response plan is effective and states procedures for responding to potential incidents or suspected incidents that have already occurred, in accordance with PCI DSS. Our team also trains staff on incident response and tests the incident response plan according to PCI DSS.

Below is a table that illustrates how Stickman Consulting provides PCI Compliance as a managed service to its clients in accordance with the requirements of PCI DSS.

| Requirement No. | Requirement | Stickman Consulting’s Remediation Steps |
| --- | --- | --- |
| | Build and Maintain a Secure Network | |
| 1. | Install and maintain a firewall configuration to protect cardholder data | Executing, evaluating and optimising custom-built firewall; Developing and implementing standard documentation |
| 2. | Do not use vendor-supplied defaults for system passwords and other | Conducting penetration tests and vulnerability scans; Developing and managing vulnerability management program; Developing and implementing standard documentation |
| | Protect Cardholder Data | |
| 3. | Protect Stored Cardholder Data | Implementing and managing Data Loss Prevention; Implementing and managing Access Management; Implementing, managing and testing Business Continuity and Disaster Recovery plans |
| 4. | Encrypt transmission of cardholder data across open, public networks | Implementing, evaluating and optimising encryption mechanism |
| | Maintain a Vulnerability Management Program | |
| 5. | Use and regularly update anti-virus program | Evaluating and implementing anti-virus software; Implementing and managing Access Management |
| 6. | Develop and maintain secure systems and applications | Managing Application Security Program and reviewing code |
| | Implement Strong Access Control Measures | |
| 7. | Restrict access to cardholder data by business need-to-know | Evaluating organisational security policy and procedures; Creating user awareness regarding security policy and procedures; Implementing and managing Access Management |
| 8. | Assign a unique ID to each person with computer access | Evaluating and implementing security tools that administer access control |
| 9. | Restrict physical access to cardholder data | Conducting information security awareness sessions; Training and testing against social engineering |
| | Regularly Monitor and Test Networks | |
| 10. | Track and monitor all access to network resources and cardholder data | Designing and implementing log management, IDS/IPS and File Integrity Monitoring; Evaluating and implementing Access Management; Providing assistance with policy and procedure management |
| 11. | Regularly test security systems and processes | Conducting regular vulnerability scans and penetration tests |
| | Maintain an Information Security Policy | |
| 12. | Maintain a policy that addresses Information Security | Developing, implementing, updating information security policy |

If you have any further questions or would like to learn more about Stickman Consulting’s new PCI DSS as a managed service, please contact us here.

Ajay Unni

Ajay Unni is the Founder and Chief Executive Officer of Stickman. Ajay specialises in helping customers manage the growing threat of data breaches and compliance with globally accepted industry standards for data security and compliance.
