One of our clients, WCF, who run mail order brands including James Meade and Country Collection have recently achieved PCI compliance. WCF use Exact Abacus' Customer Relationship Management software and Company Secretary, Jo Ritzema, has kindly provided some hints and tips gained from their 18 month long process.
"Where needed, do engage a QSA that you can connect with, as you will be spending lots of time with them. It also helps if the QSA firm will commit to the same consultant throughout the scoping, gap analysis, consultancy and audit phase so that you avoid covering the same ground multiple times and the consultant grows to understand the culture and nature of your organisation.
Spend as much time as possible at the start of the project trying to segregate the Cardholder Data Environment from the rest of your corporate network and therefore reducing the scope of compliance. A few thousands of hardware spend can save you many thousands in consultants time.
Assign a Project Manager who is not involved directly in IT, your IT Manager will have too much on his plate with technical issues to guide the overall direction of the project.
You will gain more credibility if you adopt some of the main principles of PCI across your entire network, even if outside the scope of the CDE (eg, passwords, change requests, user authorisation requests). Indeed there are some PCI security principles that are useful elsewhere.
Fight against buying too many technical solutions if they are not right for your organisation. Research all makes and models, a cost effective solution is out there somewhere.
Do buy Tripwire and syslog, for reasonably low cost outlay you suddenly get lots of ticks in lots of boxes! Make sure all the IT equipment that you buy is capable of creating and outputting the logs required.
Remove system administrator access privileges from as many users as possible. Clean up menu structures such that users only have access to what they need. Menus are easy to re-add if you have been a little over zealous. And you get to find out what people really use!
Be wary of answering yes if doing a self-assessment without a thorough understanding of the requirements of the standard. A comparison of our gap analysis versus that of the QSA showed some major discrepancies.
A couple of days pre-audit consultancy is useful to take the mystery out of the audit process and enables you to be prepared with “audit evidence” before the audit commences. The audit is draining enough even when you are prepared.
Always refer back to the “intent of the standard” when answering the questions rather than blindly following the words of the questionnaire. Do not be afraid to question the standard with your QSA if you feel that its needs are too onerous for your size of business.
Be wary of using standard policy and document templates. We started with one and ended up changing completely as found it was too general to address what ended up being quite specific requirements.
Cross reference every section of the IT Policies and Procedures to the PCI guidance, it saves hours during the audit when trying to find the relevant section and is a nightmare to do retrospectively once the policy has been written.
Do involve your staff with the project and ensure that it is not seen as an IT project. Briefing sessions with staff helped address their concerns and ensured that they understood the reasons behind what seemed like fairly big changes. We did not even have changing user passwords or a visitors’ book when we first started the project.
Don’t assume that once compliance is obtained you can breathe easy. With log reviews, change requests, user authorisation changes, risk assessments, etc it will be easy to fall short on the second audits if initiatives are not maintained. Ensure that your IT department understand that maintaining compliance is just as important as obtaining it.
Do not assume that your bank can give you any guidance on the detailed requirements of the standard but they can tell you what items have the most priority to them so that you can focus on those items first. Getting clean ASV scans for any websites is a good way to immediately gain some time from the bank whilst you focus on the more onerous requirements of the standard.
Accept that you will need CCTV in some parts of your organisation!"
Thanks go to Jo for taking the time to share her experiences, which we hope will be of benefit to other clients.