As you've read throughout this series, the Payment Card Industry Data Security Standard (PCI DSS) requires a large number of technical, administrative and personnel security controls all designed to enhance the security of sensitive cardholder information. The sixth and final section of the standard contains requirements for an information security policy that tie together the remainder of your compliance efforts. When you read this section of the standard, you'll likely observe that there's more to it than simply writing a policy.
INFORMATION SECURITY POLICY
The cornerstone of this requirement is indeed that you create, maintain and disseminate an information security policy that, at the very least, addresses all of the PCI DSS requirements, includes an annual risk assessment and requires that the policy itself be reviewed at least once a year. When creating this policy, I strongly recommend that you not tackle this as an exercise in PCI DSS compliance alone, but rather as an opportunity to create or rework an information security policy for your entire organization that pays particular attention to the PCI DSS requirements.
In addition to the policy itself, you'll need to create procedures to address some particular areas of concern to PCI DSS:
- Operational procedures for security management
- Policies for the use of critical employee-facing technologies (including remote access, portable media/devices, and wireless technologies)
- Incident response plan
As with many of the other PCI DSS requirements, there's nothing in here that should surprise any experienced security professional. The policy requirements stated in the standard are all security best practices.
This section of the standard also requires that you explicitly define responsibility for information security functions. The policy should state the requirements that apply to all employees and contracts and also designate a chief information security officer (CISO) or other manager with responsibilities for:
- Security policies and procedures
- Monitoring, analysis, and distribution of security alerts
- Security incident response and escalation procedures
- Administration of user account changes
- Monitoring and controlling access to data
If there isn't a single individual in your organization who can logically cover all of these responsibilities, that's fine. The key here is that you must explicitly define who is responsible for each function, either by name or by title.
PCI DSS also requires that you have a formally defined security awareness program that educates employees on their security responsibilities. The program must include components that educate employees when they are hired and provides refresher training on at least an annual basis. Employees must also acknowledge (electronically or in writing) that they have read and understand the security policy.
Prior to making an employment offer, you must conduct a background check on any individual who will have access to more than one card number at a time. Examples of the types of checks you may wish to perform include employment history, criminal checks, credit reports and reference verification.
If your organization shares cardholder information with any service providers, you must also ensure that you fulfill the following requirements:
- Maintain a list of such service providers
- Sign written agreements with each service provider in which they acknowledge they are responsible for the cardholder data in their possession
- Perform proper due diligence before entering into an agreement with any service provider
- Monitor the compliance status of service providers
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
Send comments on this technical tip firstname.lastname@example.org.
This was first published in October 2009