PCI Compliance Information from a PCI QSA

PCI DSS Checklist

A PCI Compliance Checklist

Do you have clients that ask about a PCI Compliance Checklist? (Or maybe you are looking for one.) Here is the basic information a small or medium merchant would need to follow to be compliant:
First, see my post on reporting levels in the PCI Wiki; chances are you fall into the category that only has to submit a Self-Assessment Questionnaire (SAQ) to prove compliance. (Again, check out the PCI Wiki for more info.) Ultimately you should check with your processor/merchant bank to determine how they have calculated your reporting level. Once that has been determined you can review the appropriate set of PCI controls that apply to you. But you’re getting ahead of yourself…
You can’t protect systems that you don’t know about, so that’s the first place to start.
  • Inventory the systems that store, process or transmit credit card data and create process flows for all card data. Document where card data is stored and how it is protected (encrypted, hashed, truncated, etc.). Only once this is done can you start your PCI compliance efforts. Also, search your entire network for unencrypted credit card data (both track data and PAN data).
  • If you use purchased point-of-sale software (a payment application), determine whether it is approved as compliant under the Payment Application Data Security Standard (PA-DSS). A list of approved apps can be found here. If your payment application is on the list, contact your vendor and ask for the PA-DSS Implementation Guide. You might have to get past the sales guy for this one; some vendors still make it difficult to get hold of and don’t put it on their public website. This document is NOT the same as the regular implementation guide: it is specific to PCI security, and every approved payment application has one.
  • Next, determine the scope of your compliance efforts. You must understand your network and how systems are connected; PCI scoping is critical. Most organizations with flat networks (without network segmentation) must include all systems in scope. If you wish to reduce scope, a plan must be put in place to limit it (via firewalls, VLANs, etc.).

Once a scope has been defined, steps should be taken to protect card data. This is the preferred order to follow:
  1. The first step after identification is to remove sensitive authentication data and limit data retention. All systems should be reviewed for storage (both old and new) of card data. If you are storing track data, CVV, or PIN data, you should immediately work to remove it. If credit card data (PAN data) is stored, it should be stored only in encrypted, hashed, or truncated form and retained only for as long as truly required.
  2. Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding.
  3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
  4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
  5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
  7. Finally, after you are sure you have addressed all relevant PCI requirements, submit your report/SAQ to your bank/processor.
Note: Parts of this checklist come from The Prioritized Approach to Pursue PCI DSS Compliance (from the PCI Council’s website).
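As an added example (not part of the original post), here is a small Python script in the spirit of the “search your entire network for unencrypted card data” bullet above and of step 1 of the prioritized list (remove sensitive authentication data; keep PAN only encrypted, hashed or truncated). It scans constructed sample file contents for Luhn-valid PANs and for track 1 / track 2 patterns, and its report contains only truncated PANs and the type of track data found, so the scan output does not itself become another store of cardholder data. The regexes, the well-known test card numbers and the file contents are assumptions built for this example.

```python
import hashlib
import hmac
import re

# Regexes are assumptions made for this example: a PAN is 13-19 digits,
# optionally separated by single spaces or dashes; track 1 starts with "%B",
# track 2 with ";" followed by the PAN, "=" and the YYMM expiry.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs of PAN length that also pass Luhn (drops most order numbers, timestamps)."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def find_track_data(text):
    """Labels for magnetic-stripe track data present in text; never returns the data itself."""
    labels = []
    if TRACK1_RE.search(text):
        labels.append("track1")
    if TRACK2_RE.search(text):
        labels.append("track2")
    return labels


def truncate_pan(pan):
    """Keep the first six and last four digits and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key):
    """Keyed hash of a PAN; an unkeyed hash of a 16-digit number is cheap to brute-force."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scan_files(files):
    """Scan {name: content}; report only truncated PANs and track-data types per file."""
    report = {}
    for name, content in files.items():
        pans = find_pans(content)
        tracks = find_track_data(content)
        if pans or tracks:
            report[name] = {"pans": [truncate_pan(p) for p in pans], "track_data": tracks}
    return report


# Constructed sample files using well-known test card numbers, not real data.
SAMPLE_FILES = {
    "app.log": (
        "2024-01-15 10:53:00 order=ORD-4111111111111112 status=approved\n"  # fails Luhn
        "2024-01-15 10:53:01 card=4111 1111 1111 1111 amount=19.99\n"  # PAN in the clear
    ),
    "pos_debug.txt": (
        "swipe=%B5500000000000004^DOE/JOHN^25121011234500000000?\n"  # track 1
        "swipe=;4111111111111111=25121011234500000000?\n"  # track 2
    ),
    "notes.txt": "call vendor about the PA-DSS implementation guide\n",
}

if __name__ == "__main__":
    for name, hit in scan_files(SAMPLE_FILES).items():
        print(name, hit)
```

The Luhn filter is what keeps a sweep like this usable: plenty of 13–19 digit strings (order IDs, timestamps, discretionary track fields) are not card numbers. A real sweep would walk file shares, databases and backups rather than an in-memory dict, and any track data it finds is a delete-now finding, which is why the report records only that it exists. The keyed hash is included because a plain SHA-256 of a PAN is not a safe “hashed” storage format on its own.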
Reviewed by Stewart Fey on 10:53:00 AM