In today's Whiteboard Wednesday, Ethan Goldstein helps answer the questions:
- What is PCI compliance?
- How do I become PCI compliant?
- What should I look for in a vendor?
- What happens if I manage credit card data but am not PCI compliant?
If you are managing credit card data, you must be PCI compliant in order to help protect your customers' credit card information. Ethan dives into the topic and tells you why this is mandatory and the steps you should take in order to pass your PCI compliance audit successfully.
Whether you are searching for a PCI approved scanning vendor or simply trying to answer the question, "What is PCI compliance?" Rapid7 can help! After watching the video above, see how Rapid7 can help you become PCI compliant.
Buenas noches muchachos y muchachas. Welcome to another edition of Whiteboard Wednesday. I'm your host Ethan Goldstein, Security Engineer at Rapid7. Today we're going to be talking about PCI compliance and covering some of the basics of what it means to be PCI compliant and what you should look for in a vendor.
First, PCI compliance is a well-known regulation that's aimed at protecting consumer credit card information from theft and disclosure. There are many organizations that need to comply with PCI, including any organization that's going to store, process, or transmit credit card information.
Now, in terms of how PCI compliance works and answering the question of what you need to be compliant, first of all there's a concept called levels. PCI compliance levels 1 through 4 generally apply differently to the different cardholder brands, like American Express, Discover, Visa, and MasterCard.
But generally speaking, these levels are dictated by the number of credit card transactions that you process per year. Now for a Level 1 compliance and really all levels of compliance there are different modules that you need to meet.
For example, for Level 1 compliance, there are over 12 distinct modules that need to be met for PCI compliance, which include, but are not limited to, things like segmenting your network (your PCI cardholder data) from the rest of your environment, things like running quarterly or annual vulnerability scans, and restricting user access to said information and applications.
These are just to name a few, and again there are 12 modules. Within those 12 modules, there are over 220 specific individual items that need to be met. So there's a lot of different things that an organization needs to do to be compliant for the first time and to maintain compliance over time.
A couple of things you really need to know about how to become PCI compliant: first of all, in addition to your internal staff and other members of your organization who may need to be certified for things like the ability to audit for PCI and test different areas of your network, you also need to hire two distinct organizations to help you meet compliance. The first of these is called a QSA, or qualified security assessor. This is an organization that's been certified to really help you understand what you need to do to meet compliance. So they're kind of the keys to the kingdom for you.
They're going to dictate what modules you need to meet, how stringent you need to actually be to meet them, and they're going to audit and assess that over time. This is a really important organization that you need to hire, and usually it applies to Level 1 and Level 2 merchants only.
Another organization you need to hire is called an ASV, or approved scanning vendor. This is an organization that is certified by the PCI Council through stringent testing of their own to scan your perimeter or any cardholder assets. These are any assets that are facing the Internet that either store, process, or transmit credit card information. What you need to do is actually have this organization run a quarterly scan or an annual scan, depending on what organization you are.
You have to have four passing scans per year. Many organizations will allow you to run more scans over time to do things like understand remediation and correct any issues that you may have, but it's really important that you do have four passing scans within the year.
There are a few questions that people ask me quite a bit, one of which is: What should I look for in a vendor? The first thing is vendor interaction. One of the most challenging things that organizations trying to meet PCI compliance deal with is not really meeting compliance the first time, which of course is a challenge, but really the bigger challenge is how do I maintain compliance over time? It can be really challenging to maintain as your organization changes, as the network changes, and as business needs change and hopefully grow.
So really having an organization that's going to be there for you and has the staff on hand to be able to interact with you and answer questions and help you solve problems is really, really important. So look for this in a vendor rather than someone who's just going to maybe run a scan or help you meet compliance once and then come in annually to just audit you.
Next is expertise. This also is really important. An example of expertise is the PCI Council has mandated a new program that makes individuals at your organization certified for PCI called QASVs. These are folks that, again, are certified in PCI compliance and understand the regulation. You want to make sure that your ASVs and your QSAs have these folks on staff, people that are certified, people, again, that are on call to be able to interact with you and answer questions and frankly know what they're talking about.
Lastly is trust, specifically in the ASV/QSA relationship. Sometimes there are organizations that will do both for you, and really it's to each his own what you choose to do. Sometimes there can be a conflict of interest there when you have one organization telling you what you need to do to be compliant and then another organization configuring and running your scans and giving you hopefully passing scores. So make sure there's no conflict of interest there, and really hire the best vendors for you to be able to meet compliance.
Keep in mind that vulnerabilities are measured by CVSS scores. So any vulnerabilities above a 4 on the CVSS scale (it runs from 1 to 10) will fail you for compliance, aside from a few individual issues that you might run into. For example, any of the OWASP top 10 vulnerabilities will fail you automatically regardless of score.
Also, things like denial of service work the other way, where any denial of service related vulnerability actually is a passing score. But by and large you want to stay within those guidelines, and you want to make sure you have a vendor that, again, has the expertise, the trust, and the interaction with you to help you meet and maintain compliance over time.
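The pass/fail rule just described, applied to a handful of constructed scan findings so you can see which ones would hold up a quarterly ASV scan. This is an added example, not Rapid7's scanner logic or the PCI Council's reference implementation. It assumes the threshold is inclusive (the ASV Program Guide counts a CVSS base score of 4.0 or higher as failing), the category labels `generic`, `owasp` and `dos` are invented for the example, and the hostnames and findings are made up.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumption: CVSS base score at or above this value fails the scan
# (ASV Program Guide threshold; the talk says "above a 4").
ASV_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    category: str  # constructed labels: "generic", "owasp", or "dos"


def finding_fails(f: Finding) -> bool:
    """Apply the ASV pass/fail rule to a single finding."""
    if f.category == "dos":
        # Denial-of-service findings are reported but do not fail the scan.
        return False
    if f.category == "owasp":
        # OWASP Top 10 class issues fail automatically, whatever the score.
        return True
    return f.cvss >= ASV_FAIL_THRESHOLD


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Split findings into those that fail the scan and those only reported,
    and list the hosts that need remediation before the rescan."""
    failing = [f for f in findings if finding_fails(f)]
    reported_only = [f for f in findings if not finding_fails(f)]
    hosts = sorted({f.host for f in failing})
    return {
        "pass": not failing,
        "failing": failing,
        "reported_only": reported_only,
        "failing_hosts": hosts,
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web.example.test", "Weak TLS cipher suite enabled", 5.3, "generic"),
    Finding("web.example.test", "Server banner version disclosure", 2.6, "generic"),
    Finding("app.example.test", "Reflected XSS in search parameter", 3.1, "owasp"),
    Finding("app.example.test", "HTTP request flood exhausts workers", 7.5, "dos"),
    Finding("api.example.test", "Outdated library, no known exploit", 4.0, "generic"),
]


if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS)
    print("Scan result:", "PASS" if report["pass"] else "FAIL")
    for f in report["failing"]:
        print(f"  FAIL  {f.host:22} {f.cvss:>4}  {f.title}")
    for f in report["reported_only"]:
        print(f"  note  {f.host:22} {f.cvss:>4}  {f.title}")
    print("Hosts needing remediation before rescan:", ", ".join(report["failing_hosts"]))
```

Note how the two special cases cut in opposite directions: the 3.1 XSS fails despite its low score, while the 7.5 denial-of-service finding does not, and the 4.0 finding sits exactly on the threshold. Running this kind of pre-check against your own scanner's export before the quarterly ASV scan is one way to keep four passing scans a year without last-minute surprises.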
Something to keep in mind about PCI compliance is that the cost of a breach adds up quickly. Usually it's on average $37 per record, and there can be anywhere from thousands to millions of records per incident. These costs add up when you think about the detection of the breach, paying your staff to respond to that breach, remediation costs, and of course fines.
Good luck and we'll see you next time.