Five things to do before your first PCI DSS compliance audit

Preparing for a PCI DSS compliance audit doesn't have to be complicated if you take five simple key measures before the assessment is required. This technical tip is written from the approach that your organization has never undergone a PCI DSS audit.

    Requires Free Membership to View

Managing an audit requires the cooperation of others inside and outside the IT department. Reference your company's org-chart and determine staff that will provide evidentiary data. Once identified, notify their upstream manager to set expectations. You will likely require the support of one of the two following non-IT departments: legal and physical security. Legal must be engaged because they will set the direction for current policies and any new policies that may be required to support PCI DSS compliance. Legal can direct you toward streamlining your policies. Physical security should be engaged to support providing physical evidentiary data.

The PCI Security Standards Council has provided a self-assessment tool free of charge; PCI DSS v1.2 should be used. There are five categories of self-assessment you may choose from. Verify which self assessment questionnaire (SAQ) is appropriate for your organization. Complexity of compliance can be reduced by selecting a SAQ that will not impose unnecessary requirements.

Compare policies against the pre-assessment findings. Why? Policies are legal documents that set the floor as to how your organization operates. They will tell the auditor: "This is the legal minimum or maximum we require of our organization." You may find after reviewing your policies that you've set the ceiling on policies that really only require the floor. For instance, PCI DSS Requirement 1 references firewall configuration. If you have a firewall policy that states your organization must use application layer firewalls only, you will have set the ceiling and eliminated routers and any other technology that can examine all network traffic and block transmissions as a firewall. The requirement sets the expectation that routers are considered firewalls based on ACLs. It is better to identify such policy issues before the audit as they can be easily corrected prior to the audit.

Setting the floor is declaring where your baselines begin. You want to set the floor as to information artifacts (policies, standards and procedures that support an audit and compliance), identities and document management for starters. Information artifacts are the documents your organization executes its operations against. The authoritative identity source for your organization should be set as it can mitigate against rogue accounts or help identify the lack of naming standards. Finally, communicate, require and enforce where electronic content is stored based on content. This can help reduce the scope of a PCI DSS audit.

Using a taxonomy-based approach, information artifacts are aggregated under a classification system rather than an individualistic approach. The result is fewer artifacts to maintain and consume. I use the approach below:

  • Does the artifact cover a particular segment only? If yes then it = P(oint).
  • Does the artifact cover a whole which consists of disparate points? If yes then it = E(nterprise).
  • Does the artifact need to cover P and E? If yes then it = H(ybrid).

For example, an acceptable use policy is an artifact written as a hybrid to address the enterprise and point segments it covers. Set the floor by writing basic policies you'd expect. Next, add policies related to technology your organization has currently invested in, and finally, write exceptions to address future technologies they are considering but have yet to implement. That is how you make information artifacts extensible and you have only the artifacts required by the organization. Finally, updates are rare, which means lower cost of ownership. Regarding the firewall policy, approach it as a classification and it becomes firewalling. You may now set the floor on what that means for your organization from a functionality perspective, which allows for extensibility of firewall types and can include routers.

(The information in this article is agnostic and may be applied to any compliance requirement you may face.)

Ravila Helen White is currently an enterprise security architect on assignment at an invention company in Seattle. Prior to that, she was the head of information security at The Bill & Melinda Gates Foundation and drugstore.com.

Send comments on this technical tip to editor@searchmidmarketsecurity.com

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was first published in November 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.