USING YOUR QSA AS A RESOURCE YEAR ROUND
TRANSCRIPT
© 2016 SecurityMetrics
Winn Oakey, QSA
ABOUT SECURITYMETRICS
• Helping organizations comply with mandates, avoid security breaches, and recover from data theft since 2000
AGENDA
• Achieving compliance with your QSA
• Time saving tips for your next audit
• Best practices to prepare for your audit
• One year audit plan
ACHIEVING COMPLIANCE
WHAT HINDERS PCI?
• Often, management/executives don’t see the necessity of PCI compliance:
– Budget issues
– Company culture
– Company procedures
If you’re breached, it could be a company-ending risk.
PCI IS A TOP-DOWN SYSTEM
• Executives need to know:
– What’s required
– What changes need to happen
– Why (e.g., financial reasons, penalties)
Any time your environment changes, tell your QSA.
CHANGING ENVIRONMENTS
• Whenever bringing on new systems, ask how it changes your:
– PCI scope
– PCI environment
– Process of documentation
– Employee training
UNDERSTANDING YOUR SCOPE
• Has your environment changed?
• New PCI rules?
• What impact do new rules have on compliance?
– E.g., PCI DSS 3.2
– SSL and TLS
The biggest problem is when organizations think they’re PCI compliant, but aren’t.
HOW A QSA HELPS
• Their goal is to help you reach compliance
• Knowledge of common issues and how they are being handled
• Understand PCI requirements
• Offer best practices
WORKING WITH YOUR QSA
• Create an ongoing relationship throughout the year
• Keep documentation up to date
• Send documents to your QSA
– Especially when changes occur
COMMON QUESTIONS TO ASK
• New requirements
– What are the new changes?
– What should I do?
– When do I have to implement them?
– How do they affect my environment?
SAVING TIME
It’s not about finding time. It’s about maximizing the little time you have.
NEW TO PCI?
• PCI can be a beast
– Break it into manageable pieces (i.e., 2-3 things per month)
– Make a process for the future
• Ask your QSA about a gap analysis
ALREADY PCI COMPLIANT?
• Keep documentation
• Finish requirements on timelines
• Ask QSA about new PCI requirements
• Proper scoping
PLACE SOMEONE IN CHARGE
• At least one individual responsible for PCI requirements
• Give them power to act and implement changes
• Monthly, if not weekly, meetings with executives
The PCI declaration occurs once a year, but PCI needs to be a continual process.
SCHEDULED TIMELINES
• Many PCI requirements are on scheduled timelines. Remember to have them:
– Completed
– Documented
– Ready to demonstrate
UNDERSTAND YOUR ENVIRONMENT
• Level 1 or Level 4 merchant?
• Ecommerce vs. in-person?
• Which SAQ do you need to fill out?
• How does your data flow through your environment?
It’s better to validate your compliance and security than to discover problems.
TRANSPARENCY
• Send all necessary PCI documents to your QSA
• Be completely open with your QSA
– Don’t hide weaknesses; no one gains anything
– Ultimately speeds up the auditing process
PREPARING FOR YOUR AUDIT
PRE-ONSITE AUDIT
• Prior to your onsite audit, you should review:
– Your systems
– Evidence of compliance
– Your business model
– PCI questions
• Ask your QSA questions
You should talk with your QSA at least quarterly, if not more.
QUESTIONS TO ASK
• What changes are you seeing?
• How do secure organizations address those changes?
• What are some other best practices?
ONE YEAR BEFORE YOUR AUDIT
• Look at requirements that need to be done in a timely manner (e.g., monthly, quarterly, 90 days, etc.)
– What are those requirements
– Where you stand
– Who’s responsible
– How they capture these results
– Reporting plans
ONE YEAR BEFORE (CONT.)
• What changes are happening with PCI requirements (e.g., EMV, new technology)
– What do you need to do
– How do you plan to meet timelines
6 MONTHS BEFORE
• Start your own internal audit
– Look for card data in the “wild”
• Review logs and processes
• Work more closely with your QSA
– Pass on information and documentation
6 MONTHS BEFORE (CONT.)
• Prepare to fix your system
• If a tool is needed or a process changed, these changes may take a quarter for approval, purchase, and implementation.
3 MONTHS BEFORE
• Have we covered the following areas:
– Our understanding of PCI
– Review compliance
• Implement changes
• If possible, do another internal audit
ONE MONTH BEFORE
• Work with key individuals
– Know who should be interviewed
– Discover what’s required of them
– Put together needed documentation
– Make assignments
• E.g., gather logs, review processes
ONE MONTH BEFORE (CONT.)
• Review your systems
• Check in with your QSA
TAKEAWAYS
DON’T FORGET TO . . .
• Understand what requirements you have to follow
• Schedule and do all requirements on time
• Take time to understand PCI requirements
DON’T FORGET TO (CONT.) . . .
• Tell your QSA when your environment changes
• Send all necessary documents to your QSA
• Talk with your QSA at least quarterly
It’s important to be compliant, but it’s vital for your organization to be secure.
www.securitymetrics.com
QUESTIONS?