Confidentiality and control of network diagram
The PCI DSS standard says you must have a “1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks”. This diagram will need to be updated as improvements to the infrastructure are made.
You might have the best, most beautiful network diagram, colour coded and including the important data flows. It may be on the best quality piece of paper, but do make sure you are looking at the right diagram. Remember that it is vital that this diagram and the other supporting documentation are version controlled. It doesn’t need to be ostentatious; a simple date and version number on the document will do. Include the version number in the footer, along the lines of:
Date of publication: 1/8/2011
Version number: 1.0
Although this can seem a painful process, it really will help you and your colleagues later on when you have to refer to it, or when your auditor asks for a copy and you are not sure which one to offer.
Remember to consider the confidentiality of your network diagram too: consider where it is saved, where it is printed and where soft copies are stored. Ensure that only those who need access to the document are provided with it.
Passwords – Team member awareness
Even with the best password administration, processes, systems, tools and IT department diligence, passwords can still easily be shared and disclosed by team members. Ask yourself these questions:
- How many of your team write their passwords down?
- Are passwords saved “securely”, written on post-it notes under keyboards?
- Has anybody written their password in their notebook?
- Would a member of your team reveal a password if asked? I once saw an auditor ask somebody to “write your password down backwards for me, don’t worry, I’m an auditor, it is allowed”. What a trick! Luckily the colleague didn’t oblige and we all sighed.
You may well distribute your policies (12.5.1 Establish, document, and distribute security policies and procedures), but it is also a good idea to ensure that your team read them and understand their importance. A quick quiz on the rules is one way to check understanding.
PCI DSS compliance for small online businesses – the easy way
Every company that takes credit card payments needs to be PCI compliant. This can be difficult for small businesses, as the cost and complexity of obtaining PCI compliance can be overwhelming.
If you’re an online business then the easiest way to be compliant is to outsource the payment processing.
Whether or not you run your own online shopping cart, as long as you hand off to a payment processor at the point where the credit card details are collected and processed, compliance is very straightforward.
There are many different payment processing solutions; one in the UK is WorldPay Business Gateway.
If you do use a payment processor to handle the payment from beginning to end, this does not mean that you shouldn’t complete the forms for PCI compliance, but all of the sections relating to storing and processing card numbers can be marked as ‘out of scope’.
Choosing a QSA – for PCI DSS
If you store, process, or transmit credit card data you need to be PCI DSS compliant. It is all about reducing credit card fraud. Look at the PCI Security Standards website for more information.
If you need an on-site assessment for your PCI compliance, you will need the services of a Qualified Security Assessor (QSA), and then comes the task of selecting one to work with. When looking for an auditor it is a good idea to contact a few organisations and discuss your requirements with them. Here are a few things to consider:
- Take references – call people they have worked for previously. What are their thoughts, good and bad? What services did they supply, and would they work together again? Get an idea of their reputation and competency. You are looking for somebody who will give sound advice and guidance, and perhaps somebody who will give more input into your business than just a pass/fail result: more advice and suggestions for improvement.
Speaking with others who have to be PCI compliant gives you a great opportunity to network with another implementer. It may not hurt to ask whether you can meet and share experiences, it is a great way to share best practice.
- Price – compare prices and make sure you speak to a few. The lowest price may not be what you need; look at what they are offering and at others’ experience.
- I think it is healthy to be suspicious of suppliers who are also very keen to sell you their products as well as their advice; you don’t want unnecessary purchases. In my opinion you are perhaps looking for impartial advice and support.
- Location – consider a QSA who isn’t too far away from you. You may then get more face-to-face time and greater flexibility working together.
- Check their status with Companies House, it may tell you something about their financial status.
- Make sure you pick an approved QSA; look at the PCI Security Standards Council website for the current list. A QSA has to supply adequate insurance and evidence of PCI-related work to retain their status. Your auditor will later provide evidence of their audits to the Council as proof of your controls and of their professionalism.
Section 12.8.3 says “Ensure there is an established process for engaging service providers including proper due diligence prior to engagement”, so you are going to need such a process later anyway. Why not extend it to the recruitment and management of all suppliers, not just PCI service providers?
Expect to work closely and honestly with this person and organisation as you implement; make sure you get along with your QSA, as they are part of your team.
Security Training – getting a balance right
It is hard to get the balance right in team training between the requirements of:
12.6 Implement a security awareness program to make all employees aware of the importance of cardholder data
AND
The training programme itself becoming a lesson in the value of the asset and in ways to intercept cardholder data.
I was watching Fake Britain on the BBC recently. Dominic Littlewood was describing how important credit card data was. The show then went on to describe in detail what to do if you could get your hands on card details, and their value if you fancied a criminal career; it was almost a “how to”. The programme made me think about how we train colleagues about the importance and value of card data.
Some team members don’t realise the value of the card data or why there are restrictions on their behaviour around it. I am not sure whether this is a positive or a negative. The ignorance means that they are unlikely to indulge in theft, but it also means that they are unlikely to notice colleagues who may be taking advantage, and so unlikely to make use of a whistle-blowing policy.
Solutions:
Talk about personal identity theft and what it means to the individual, and balance this with what information is held in the business, why you protect it, how you protect it and what procedures you use, while trying not to shout about the opportunity. I also realise that a QSA would be looking for the training to make reference to credit card data, card numbers and what they are, which almost puts neon lights around the valuable asset.
What are your thoughts?