Remediation: it’s one of the toughest areas of the PCI compliance journey and something that just about every organization struggles with. To add more pressure, Visa recently confirmed its tough stance on organizations that don’t yet have a proper remediation plan, enforcing steep fines commencing January 1, 2015.
In an effort to provide more useful guidance for those caught between a PCI rock and a remediation hard place, this 3-part series will offer some simple strategies on how to re-think your entire remediation process and achieve PCI compliance in a realistic timeframe.
Part 1: Form a partnership with your QSA
Your QSA is not your enemy
We touched on this point briefly in a previous blog post titled “It Won’t Be Your QSA Who Gets Thrown Under the Data Breach Bus”, but it’s so important that we want to expand on this simple concept: Qualified Security Assessors (QSAs) are invaluable comrades on your journey to PCI compliance, and it’s imperative that you work in tandem with them. They don’t want you to get breached, so their job is to be as thorough as possible in helping you assess the security risks that might lead to a data breach.
If you put up walls as soon as the QSA arrives onsite, you’re wasting both your time and theirs, and it’s time you’re ultimately paying for! It’s also a horrible foundation on which to build a relationship of trust.
- Don’t muscle your QSA into signing off on something that isn’t secure.
You can’t remediate something by forcing your QSA to turn a blind eye, yet many companies establish estranged relationships with their Qualified Security Assessor (QSA) in an effort to invest the bare minimum in remediation. Just about all QSAs have seen clients attempt this approach at some point, and it’s a mindset that dooms a company’s compliance efforts to failure right out of the gate. This common story often leads to companies attempting to muscle their QSA into signing off on things that are simply not secure, and if the QSA rightfully refuses, they simply move on to find a QSA who will sign off without scrutiny.
- It’s okay to be honest. In fact, your QSA will respect you for it!
By opening up to your QSA, fully disclosing all issues, and leveraging their knowledge and experience, you’re going to end up saving a significant amount of time and money. QSAs must be allowed to give you open and honest feedback on which parts of your plan are best practices and which parts you should reconsider.
Both of you will be able to sleep a lot better at night knowing exactly what the real issues are.
- An easy-going QSA isn’t doing you any favors.
Picking a QSA is like picking a nanny for your children: you want someone strict yet fair, who feels personally invested in the child’s upbringing. You want someone with moral integrity whom you can trust long-term. The last person you want is someone who will send the kids off to bed at 7 pm and spend the rest of the evening watching TV.
In all seriousness though, your QSA should be the perfect blend of experience, technical knowledge, and character. QSAs want you to be breach-free as much as you do; it’s bad for business if word gets out that their client got breached. Every system contains a security risk, so don’t be afraid to admit to weaknesses your own systems might have; it’s perfectly normal for a young, healthy company to undergo changes. There’s nothing you could be hiding that your QSA probably hasn’t seen before, and they will appreciate your honesty and respect you for it.
“My name is John and I’m not as secure as I thought”
The first step in rehab is admitting you need help, and data security is no different. Using ignorance as a basis for achieving compliance will lead to a far worse situation. QSAs are trained security professionals, so hear them out, and have your guys work with their guys.
- Leverage your QSA’s experience: they’ve seen it all before.
OK, so you’ve opened up to your QSA, you’ve both discovered things you weren’t expecting, and now it’s time to fix them. What do you do next?
Don’t be afraid to ask them! You’re not the first organization to uncover security issues you didn’t know about, and you certainly won’t be the last. QSAs have seen it all, and they’ve also seen how other organizations went about resolving similar issues. They can use this knowledge to help you understand what works and, more to the point, what doesn’t.
For an added layer of assurance, some organizations contract with two separate QSA firms: one to undertake the remediation work, and the other to provide the assessment services that validate compliance with the PCI DSS. However, it’s important to note that there is no specific requirement for this. A good QSA will warn you of any potential conflicts of interest they can see and talk them through with you in an open and honest manner.
You should also make sure your QSA isn’t insisting that you MUST use a particular solution to solve a problem. Be wary of QSAs who offer in-house solutions they’ve built as a way to remediate issues. Chances are they’re not best-of-breed when compared with independent specialist vendors, and they are primarily sold by leveraging your existing client relationship.
In summary: treat the annual QSA visit as an opportunity to further improve your security and learn new things, not as a chore you have to get through like a dentist visit. QSAs are a wealth of cybersecurity information, and you should do all you can to pick their brains and learn how you can continually improve your company’s data security posture.