<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; PCI Compliance</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/pci-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Managing Your PCI Audit (Part 2)</title>
		<link>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 11:15:35 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=606</guid>
		<description><![CDATA[Welcome back to our Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager See here for Managing your PCI Audit &#38; Compliance blog part 1 By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but now when do you schedule the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Welcome back to our Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>See here for <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/" target="_self">Managing your PCI Audit &amp; Compliance blog part 1</a></p>
<p>By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but when do you schedule the on-site visit for the QSA? The answer is simple: once the organization is prepared. As discussed in Managing Your PCI Audit (Part 1), without appropriate preparation the PCI audit process can rapidly deteriorate.</p>
<p>Now this may seem shocking, but it is not unusual for some very large organizations, and smaller ones too, not to understand or to have documented all of the ways in which the company accepts and processes credit card information. For the purpose of this blog, let's assume your company does know and has documented comprehensive credit card information flows throughout the network. We will detail these requirements in a later blog.</p>
<p>From the large organization and data center to the mid-level business, assigning the key participants for the PCI audit is crucial and must occur before scheduling the on-site review with your QSA. Key stakeholders, depending on the size and complexity of the company, may include among others:</p>
<ul>
<li>Management</li>
<li>Infrastructure Engineering</li>
<li>Systems Administration</li>
<li>Applications Development</li>
<li>Information Security</li>
</ul>
<p>Coordinating with the appropriate resources from the participating departments and discussing the upcoming PCI audit is key. This includes making certain participants are informed of their roles, time requirements and availability requirements. Once complete, it is time to reach out and schedule the QSA.</p>
<p>Request that your QSA send an itinerary and schedule one week prior to arrival. This will help set schedules and necessary arrangements for your key personnel. Depending on your company size and complexity, the QSA may be on site for a week or more.</p>
<p>Once on site, the QSA will want to schedule a meeting to coordinate activities, meet the key participants, lay out the schedule, establish management rapport, and answer any questions. It is important that your key participants are effective communicators and clear on their roles. As the main point of contact for the organization, you should plan on dedicating your time to participate in all QSA meetings and interviews.</p>
<p>I would like to point out that almost all QSA firms (the auditor) also offer PCI consulting (the advisor). It is, however, a very fine line to have one firm in both the role of advisor and auditor. It is best to separate these functions, obtaining a PCI consultant to advise your company on identifying the necessary actions to achieve compliance and a QSA to measure the organization's compliance.</p>
<p>A typical QSA itinerary might be as follows:</p>
<ul>
<li>Project kickoff meeting</li>
<li>Network Diagram and CDE review</li>
<li>Credit card flow review</li>
<li>Key Personnel Interviews</li>
<li>Supporting documentation review</li>
<li>Remediation review</li>
</ul>
<p>Always remember that while the QSA is providing the itinerary, you, the customer, need to maintain control. Participating in all meetings and interviews will keep the audit from going off track, ensure that each key participant is focused on their area of responsibility and expertise, and maintain the scope as defined in the organization's pre-assessment meetings. I cannot stress enough that preparation, knowledge and management oversight are key to an effective and efficient audit.</p>
<p>In my next blog I will go into detail on exactly what needs to be done around Network Diagrams, Credit Card Flow, and Documentation. Until then, contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to see how we can advise your organization on reaching PCI Compliance. See you soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preparing for the FACTA Red Flags Rule</title>
		<link>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/</link>
		<comments>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 20:16:05 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[Red Flags Rule Assistance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=496</guid>
		<description><![CDATA[Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009. FACTA added [...]]]></description>
			<content:encoded><![CDATA[<p>Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009.</p>
<p>FACTA added sections to the Federal Fair Credit Reporting Act intended primarily to help consumers fight the growing crime of identity theft.  In adopting FACTA, Congress recognized that consumers were unable to prevent identity theft and could only react long after the event had occurred.  In order to stop the fraud at its source businesses that offer credit need to address the events that signal a potential fraud.</p>
<p>Six agencies were involved in drafting the Red Flags Rule: the Treasury Department&#8217;s Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the Federal Trade Commission, the National Credit Union Administration and the Federal Reserve System. The Red Flags Rule identifies 26 “Red Flags” which may be indicators of attempted fraud.</p>
<p>According to FTC statistics, nearly 10 million people were victims of identity theft in 2008 in the US. In the broadest sense, identity theft is the act of someone assuming the identity of another individual to gain access to the victim’s personal resources. Last year over 35 million known data records containing sensitive personally identifiable information (PII) were stolen.</p>
<p>While some perpetrators know their victims, having stolen their wallets, credit cards, checkbooks or other personal items, the vast majority of perpetrators do not.  Identity theft comes in many forms and most victims learn their fate long after the initial event occurs, often months to years after the fact.</p>
<p>Most data theft is due to poor controls surrounding PII. This can range from sensitive records being thrown in dumpsters to electronic records being improperly secured online and breached by hackers.</p>
<p>Personal resources accessed by data thieves may include use of credit cards, establishment of credit under the victim's identity, access to utilities, healthcare benefits, banking, employment, loans, government benefits, and many other acts limited only by the imagination of the perpetrator. The common element is the use of the defrauded individual's persona to gain credit or access to established resources.</p>
<p>The Red Flags Rule applies to both financial institutions and creditors. The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services, or provide goods or services and bill customers later. These companies may not traditionally be thought of as extending credit and include utility companies, health care providers, telecommunications companies, cable and satellite providers, and others, depending on how and when they collect payment for their services.</p>
<p>The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others by processing credit applications. Additionally, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit; for example, a third-party debt collector who regularly renegotiates the terms of a debt.</p>
<p>Organizations that are covered under the Red Flags Rule must create written plans, reviewed and signed off by the organization's board of directors, that:</p>
<ul>
<li>Create Policies and Procedures that Identify Red Flags Which Pertain to their Business</li>
<li>Create Policies and Procedures that Detect the Identified Red Flags</li>
<li>Create Policies and Procedures that define the Actions to be taken when Red Flags are Detected</li>
<li>Monitor changing Red Flags, Train Employees and Monitor 3rd-party contractors</li>
</ul>
<p>An appropriately designed and managed plan, depending on the business, may require considerable skill and effort. Most organizations will do well to reach out to experts in designing their programs. Is your organization subject to the Red Flags Rule?</p>
<p>Information Defense is prepared to assist in evaluating whether your organization is subject to the FTC ruling and assist in defining and developing the necessary steps to reach compliance.  Contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> for further information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 1)</title>
		<link>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/</link>
		<comments>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 15:37:31 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=475</guid>
		<description><![CDATA[Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards. According to the PCI Security Standards Council “All merchants, whether small or large, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards.  According to the PCI Security Standards Council <strong><em>“All merchants, whether small or large, need to be PCI compliant.”</em></strong></p>
<p>While the security requirements are the same for all covered organizations, the method of proving compliance depends on the number and value of annual credit card transactions.  For merchants processing more than 6 million transactions a year, this means an on-site audit by a Qualified Security Assessor (QSA).  For more information on PCI DSS please visit <a href="https://www.pcisecuritystandards.org" target="_blank">https://www.pcisecuritystandards.org</a>.</p>
<p>For many organizations the term “PCI Audit” seems to be shrouded in mystery.  Having facilitated many PCI audits for large organizations, I have probably been asked every question imaginable in regards to PCI.  What exactly is involved? What is my Cardholder Data Environment?  How much information must I provide?</p>
<p>As an advisor I have always tried to impress upon my clients the need to understand and proactively manage the PCI Audit process, and in particular to be prepared for on-site interviews by the QSAs. Many of the staff members that the auditor will be interviewing (e.g. office PC users, call center operators, systems administrators) may view the auditor either as an adversary, from whom as much information should be withheld as possible, or as a friend, to whom all information should be provided when requested. In fact, neither of these positions is appropriate, and both can lead to trouble for the organization being audited.</p>
<p>Proactive PCI Audit management is the cornerstone to a successful audit process.  While many businesses simply do not have the time, staff, or trained personnel to prepare for all aspects of a PCI audit, I recommend finding qualified external resources to help the organization down this path.  It is important to remember that while most QSAs are reasonable and professional organizations they are not employees and maintain significantly different roles, responsibilities, and organizational insight.</p>
<p>Managing the PCI audit carefully will help reduce time, costs, and operational impacts to the organization.  At a minimum audit management will refine the scope and keep answers to audit questions on point.  Keys to a successful audit and meaningful results are to appropriately prepare staff, set expectations, and sharpen scope.   Expert resources to manage the process can add significant benefit to the organization and potentially reduce the cost of compliance.</p>
<p>The PCI audit process consists of many areas; however, we will be focusing on the “on-site interview” portion. The first step in the on-site interview is preparation. Once you have chosen your QSA, find out exactly when the auditor will be on site, what activities the auditor will be conducting, and what documentation they will require. Knowing all of this will help you to understand exactly what level of detail the auditor is looking for, as well as which team members will be asked to take part in on-site interviews. Make sure to schedule the auditor’s on-site presence when there is the minimum impact on your business operations.</p>
<p>PCI audits may become less effective and minimally productive due to a lack of preparation on the client side. Inappropriate preparation may lead to a host of issues, including the over-exposure of information, withholding or attempts to hide information by well-intended but ill-advised staff, as well as inaccurate or inconsistent answers. These issues, among others, can cause significant problems and expense down the road for the organization under audit. Preparing each staff member before the on-site meeting is vital to a successful, efficient, and effective audit.</p>
<p>Some examples of staff interview preparation include understanding exactly what is meant by “Cardholder Data Environment” and what this actually means to the organization. The organization and the auditor must agree on the scope prior to the commencement of the audit. Only information directly related to the CDE should be provided in interviews. Auditors should be expected to provide their interview questions for review beforehand, comply with an interview schedule, and not interview additional staff members who may confuse the issues or provide inappropriate answers. It is the responsibility of the individual managing the audit process to ensure the interview is on topic, within scope, and with the appropriate staff.</p>
<p>In my next blog I will cover actual questions that have been asked as well as the proper way to answer them. I will also dive deeper into the audit process. Until then, please contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to learn more about how we can assist your organization to manage the compliance process.</p>
<p>See my next blog post here &#8211; <a href="http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/" target="_self">Managing Your PCI Audit &amp; Compliance part 2 &#8211; preparing for the QSA visit</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
