Payment Card Assessments

Managing a PCI Compliance assessment can be stressful, costly, and time consuming.

Here’s what planning for a PCI Compliance assessment looked like BEFORE we automated most of the workflow with PCI Compliance 365.

Q4 PCI Compliance Assessment Planning

44 main tasks made up the quarterly planning before we automated.

We distributed this list to over 100 people.

Then we presented it during a 2 day planning session.

• All teams with PCI DSS Compliance responsibilities must review and confirm their in-scope assets.
  • Meeting scheduled for January 22, 20xx
• Business units must confirm their in-scope
  • call centers,
  • payment card data flows,
  • and back-up process flows
• Remediation efforts
  • Purging payment card data from call recordings
  • Complete implementation of new logging tool
  • Remediate all configuration management issues before assessment kicks off
• Required evidence and documentation for the following in-scope technologies:
• SCCM
  • Quarterly access reviews
  • Group policies
• Splunk – Logging
  • Quarterly access review
  • Vendor documentation
  • Standard operating procedure documentation
  • Note: logging evidence is self-service through queries
• vCenter
  • Quarterly access review
• Ping
  • Quarterly access review
• Spectrum
  • Quarterly access review
• Spacewalk
  • Quarterly access review
  • OS build doc
  • Server upgrade confirmation
• Routers, Switches
  • Quarterly access review
  • Start up and run configs
  • Cisco feature list
  • Cisco hardening template
  • 5 minute transmission capture (req 4)
  • Router configs
  • SNMP connections

Wait. There’s More to the Quarterly PCI Compliance Assessment Planning

• iGel
  • Quarterly access review
• Anti-Malware and Host Based Firewall (HBFW)
  • Quarterly access review
  • HBFW standards, rule set, and proof of rule set review
  • Anti-malware installation guide
  • Anti-malware standard operating and deployment guide
  • Complete automation tasks
  • Configuration screen shots showing this technology can’t connect to DataPower devices
• HR
  • Background check evidence
• GCS
  • Annual information security policy acknowledgments for all personnel
• Middleware / Midrange
  • Insecure services document
  • Windows hardenting procedures
• Call recording technology
  • Proof that pause and resume is configured and working
  • Proof of cardholder data purges (see remediation effort)
• Change Management
  • Change management standard operating procedures
• Risk Team
  • Most recent threat report
• Vulnerability team
  • Update all standards

• Big IP
  • Quarterly access review
  • Transmission and encryption evidence
• Wireless
  • Quarterly access review
  • Config documentation
  • Wireless endpoints
• Citrix
  • Quarterly access review
  • Group policy
• VPN
  • Quarterly access review
  • Config screen shots
• Network diagram
  • Update current network diagram
• Firewall
  • Quarterly access review
  • Config settings
  • Update on automation activities
• RSA & AMP
  • Quarterly access review
  • Config settings on proxy server
  • AMP deployment evidence
  • AMP user guide
• Virtual Tape Back Up
  • VTB process document
• DLP
  • Quarterly access review
• CyberArk
  • PSM Quarterly access review
  • Shared account reviews
• Tripwire and Nessus
  • FIM monitoring process document
  • PAN scanning of servers
  • PAN scanning of workstations
  • FIM scanning of servers
  • Quarterly access review for both technologies
  • Quarterly ASV scans and justification package
  • Monthly internal vulnerability scanning
• Physical Security
  • Physical security SOPs for data centers and call centers
• IVR
  • Quarterly access review
• LDAP / Siteminder
  • Quarterly access review
  • TLS 1.2 must be remediated and proof uploaded
• RiskIT
  • Process narrative
  • Monthly patching evidence
• SailPoint
  • Quarterly access review
• SCOM
  • Quarterly access review
  • Group policy
• Log Insight
  • Quarterly access review
• Storage
  • Quarterly access review

Think We’re Done Planning? Not Yet….

• Payment Apps for each business unit
  • Cardholder data flows
  • Firewall reviews/business justifications
  • Cryptography security protocols
  • Secure coding processes
  • Proof of removal of test data and test accounts before production
  • Test credit card numbers and source
  • OWASP annual training
  • Significant changes and code reviews
  • Quarterly access review for data power devices
  • Proof of masked PANs
  • Application vulnerability testing
  • Quarterly access reviews for sFTP dropbox, STEPS, data power, websphere
  • System development life cycle processes
  • Datapower config screen shots
• Security Operations Center
  • Incident response plan
  • Incident responders and their certifications
  • Log monitoring use cases
  • AMP use case
• Tipping Point and IPS
  • IPS topology
• 3rd Party Vendors
  • Update in-scope service provider list
  • Get current AoCs from each vendor
  • Is Service Provider matrix complete and ready for assessment?

Just looking at this list makes me tired.

As the saying goes,

Necessity is the mother of invention

And that list is WHY we created PCI Compliance 365.

Does that PCI Planning list exhaust you?

You want PCI Compliance 365.

Did your in-house expertise just quit?

You need PCI Compliance 365.

Don’t have the budget to effectively manage PCI Compliance?

You NEED PCI Compliance 365.

PCI Compliance 365 takes the guess work out of planning for your PCI Compliance Assessment.

In fact, implementing PCI Compliance 365 may just save your sanity.

Register Today

We’ve got 2 live sessions introducing PCI Compliance 365:

• Thursday, February 12, noon – 1 PM EST
• Wednesday, February 18, 4-5 PM EST

All that planning is fully baked into PCI Compliance 365. No meetings required.