VGS has achieved PCI L1 Service Provider certification for the third time! Though most of you reading this blog will go through PCI DSS compliance for merchants, the process is similar enough that sharing a few lessons we have learned along the way should be helpful.
PCI DSS certification is a complex endeavor, whether it’s your first time or whether it has become an annual ritual at your company. However, many important aspects (and challenges) are common to all successful PCI assessments.
Because VGS is a PCI L1 service provider, this post focuses on Level 1 requirements. Still, much of our advice concerns general considerations that apply to any PCI level, including less stringent requirements than for L1.
It Takes a Village
You have probably heard the following phrase: “People, process, technology.” This definitely applies to PCI certification. Why? According to the compliance standard, any assessment process will involve gathering a wide variety of evidentiary data, which will then be presented to assessors.
PCI requirements can be quite strict, and most of the work will fall to technical teams in Engineering, Infrastructure, IT Operations, and Security Operations. Thus, many different groups (and personality types) will assist in compiling evidentiary documentation.
Compliance is the byproduct of good security and engineering practices. If your organization recognizes that fact, gathering the requisite evidence for an audit will be smooth. However, for organizations that have not yet matured their security and engineering practices, we advise you to continue reading!
Schedule your Assessment Early
L1 Merchants and Service Providers must undergo on-site assessments every 12 months. However, most Qualified Security Assessors (QSAs) are booked well in advance, so the first thing to do is get out your calendar and start planning. Further, it takes many weeks to author a Report on Compliance and to complete its quality assurance review.
Therefore, you should start to communicate with your QSA several months before you would like to begin your assessment. It is a near-certainty that, as you prepare, testing will reveal unforeseen vulnerabilities, flaws, and shortcomings that must be addressed and remediated before your assessment can even begin.
The moral of the story is that, if you want your Attestation of Compliance to be signed on time, there is no substitute for lead time. Otherwise, in the eyes of Visa and Mastercard, it is easy to fall into non-compliance.
Scope your Environment
Scoping is the most crucial part of any assessment. You must ensure that all relevant systems, including supporting systems AND storage systems, are within scope. Use data discovery and data loss prevention (DLP) software to verify that you know the locations of all instances of cardholder data. You must make sure that your network architecture is functioning as intended.
Your QSA must be able to rely on your scoping. Create a network diagram that clearly shows your in-scope and out-of-scope environments. You need a shareable visual aid to confirm that you have scoped correctly. If you have over- or under-scoped your assessment, you may run into an extended review or a delay in the delivery of your Report on Compliance.
One of the benefits of accurate scoping is that you can reduce the size of your cardholder data environment (CDE) via proper segmentation, point-to-point encryption (P2PE), tokenization, hashing, and more.
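To make the data-discovery step above concrete, here is a small scanner added for this post (it is not VGS code or product). It walks constructed log lines, flags 13-19 digit runs that pass the Luhn check as candidate PANs, and reports where each one sits with the number masked, which is the kind of inventory that tells you whether a log store belongs in the CDE.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; card numbers are public test numbers.
SAMPLE_LOG = """\
2024-05-01 10:00:01 order=1234567890123456 customer=alice status=ok
2024-05-01 10:00:02 DEBUG card=4111111111111111 exp=12/26 cvv=***
2024-05-01 10:00:03 support note: customer read back 5555 5555 5555 4444
2024-05-01 10:00:04 phone=+1 415 555 0100 ticket=48213
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return [{'line', 'col', 'masked'}] for every Luhn-valid candidate PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # The order number on line 1 is 16 digits but fails Luhn, so it is skipped.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": lineno, "col": m.start(), "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit['line']} col {hit['col']}: {hit['masked']}")
```

Luhn filtering cuts false positives from order and ticket numbers, but it is a heuristic; treat every hit as a lead to confirm, and run the scan against logs, backups and support tooling, not just the payment path.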
Fix the Root Causes
When it comes to security, no one likes to be surprised. In our world, quick, superficial fixes are forbidden fruit. It is always tempting to close out an assessment prematurely, or to substitute a compensating control for an ideal solution.
Remember that compensating controls, even if they appear to come through in a pinch, are not automatically accepted the following year. Further, a compensating control accepted by one QSA may not be accepted by another. Therefore, you should closely scrutinize each compensating control to decide whether it’s worth keeping, or whether you need to implement the original control as written in the PCI DSS.
So here is our advice: focus on the root causes of security issues, and take the time to fix them properly. And after your assessment, it is essential to perform a thorough post-mortem to ensure that the same issues do not recur year after year. These approaches will strengthen your security posture today and ensure that you have smoother assessments in the future.
For speed, simplicity, and cost-effectiveness, companies are increasingly leveraging automation, outsourcing, and service-provider oversight, as they endeavor to achieve compliance. However, remember that documentation is required for everything from tasks to change tickets, meeting minutes, and access reviews. Auditors need evidence, and they won’t simply take your word for it.
Let VGS Relieve Your PCI DSS Burden
We’ve obviously been through the PCI process, and not only for ourselves! We’ve helped hundreds of organizations get PCI compliant: FinTechs like Even, Unit, and TransferGo; banks like TCB; merchants like Calii and FiveStars; and neobanks like Stilt.