
PCI FAQ


What should I do to prepare for a PCI audit?

At a high level, you should seek out the required documentation as mandated by PCI.

You should prepare a Project Plan based on the checklist given to you by a ControlCase Qualified Security Assessor (QSA). You should identify a single coordinator as the point of contact; the various administrators will coordinate with him/her to complete the individual tasks.

Your Project Plan should list all activities and the personnel responsible, with completion dates for each activity. Throughout the certification process you should expect to be in regular communication with the QSAs via conference calls and e-mail. Seven steps that will help guide you through the preparation process include the following:


What are some common challenges that companies face in trying to become compliant with PCI?

Some common challenges that companies face when attempting to become compliant with PCI include:


What is QDSC?

In order to perform on-site assessments according to the PCI Security Audit Procedures and have that work product accepted by the Participating Brands, independent security companies must first be qualified by the PCI Security Standards Council as a PCI Qualified Data Security Company (QDSC). The same qualification for the Asia Pacific region is called QSA (Qualified Security Assessor).


What is the difference between CISP and AIS?

The AIS Program is Visa's management of compliance to PCI for Acquirers, Merchants and Service Providers in most regions (compliance is managed regionally). CISP is Visa USA's Card Information Security Program; it is basically equivalent to the AIS Program, but is not used in Asia-Pacific.


Will other card agencies accept our organization's PCI compliance?


How much time does it take for PCI Compliance?

If an organization has segregated the PCI environment from its other environments, it will take much less time to become PCI compliant. Second, the organization has to put all controls required by PCI standard 1.1 in place and must be in a position to show evidence of this to the QSA. It typically takes about 3 to 6 months to become PCI compliant.


What is the difference between PIN audits and PCI audits?

PIN pad devices that accept credit card swipes require PIN pad audits; these audits cover the devices where cards are swiped to accept payment. PCI audits are for merchants and service providers that store, process or transmit credit card transactions.


My servers are in hosted environment. Do I need DSS or PABP or both?

Both. All remotely accessed and shared servers must also follow PCI standards.


I am performing scanning through an Approved Scanning Vendor. Am I PCI compliant?

No. PCI has two components: scans and on-site audits. Although having the organization's perimeter network scanned every quarter by an Approved Scanning Vendor (ASV) is mandatory, it is only one of the PCI requirements. An ASV scan of the perimeter network alone will not make the organization compliant.


I am BS7799 compliant. Am I automatically compliant with PCI?

No. BS7799 is primarily a framework standard; it does not give actual audit procedures. PCI is a specific data security standard for protecting credit card data, which gives specific Requirements (12 in number) and the controls that must be put in place. BS7799 compliance will not automatically lead to PCI compliance.