As a company interested in or required to become PCI DSS compliant, there is a list of key controls you must have in place, with proper auditing around them, to provide to the PCI DSS auditors during the testing period. Being able to easily identify where these controls live and how they are managed within your organization is essential. This article gives you an overview of the controls you need in order to get a jump start on PCI DSS certification.
A big focal point of the validation will be how you manage your company's workstations. This includes being able to properly identify who is assigned to which machine. Being able to show that each machine has antivirus installed, and being able to provide its update history, will be another big factor in the initial audit period. The security policies around your workstations will be audited as well, for things like password timeout enforcement, password complexity and password expiry/reset, just to name a few. Having a solid set of policies and standards around your network controls will be vital to your success. Being able to show where your cardholder data is stored, how it is stored, how it is encrypted, how it is accessed, and any compensating controls around those will play a huge part in proving your security stance. Not only will the auditors need to see actual documentation of these policies, but physically or digitally showing them the control in operation will be a step you will need to take as well.
The PCI DSS auditors (QSAs) will need to see the ins and outs of your servers as well. This includes supporting documentation on how you are protecting any sensitive client communications. Documents such as an encryption policy, a server hardening standard and sensitive data transfer procedures are just a few of those needed in this effort. Below is a quick hit list of some important assets and areas that will need to be covered by a policy or standard.
- Firewalls/load balancers
- How backups are performed
- Physical security assets (cameras)
- Cloud environments
- Wireless networking
- Storage devices
- Access management
Lastly, having an effective way to test and audit these controls and policies will be key to remaining compliant in the future, since PCI DSS compliance requires annual validation. At the end of the day, it comes down to focusing on these key controls and ensuring they are implemented automatically and reviewed regularly by the appropriate management. It may be a rough routine at first, but after the first year of validation you will not only get the hang of it but also improve your overall security posture.