
Cognizant 20-20 Insights

A Framework for PCI DSS 2.0 Compliance Assessment and Remediation


By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.
Executive Summary
The Payment Card Industry Data Security Standard (PCI DSS) 2.0 [1] is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.

This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. The paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

Our PCI Compliance Approach


PCI security for merchants and payment card processors is the vital result of information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix). Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase. [2] Each phase can be executed independently of the other and is then followed by reporting.

Assessment Phase

In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

• Data gathering (typically three weeks).
• Current state assessment (typically two weeks).
• Gap assessments (typically three weeks).
• Future state roadmap (typically two weeks).

The duration of the assessment phase can differ based on the size of the client infrastructure and the number of devices in the cardholder data environment. Figure 1 shows an example for constructing an assessment-phase plan.

PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:

• Network infrastructure.
• Encryption and data protection.
• Vulnerability management.
• Access control.
• Network monitoring.
• Security policies management.

Data gathered is then assessed for gaps across each of these six areas. The gaps in the current (as-is) state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve future-state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:

• Inventory of tools and utilities identified.
• Current state policies.
• Gap assessment matrix of PCI controls.
• Best practices followed (if applicable).
• Future state roadmap.

cognizant 20-20 insights | february 2013

Figure 1: Assessment Phase Planning. Example week-by-week plan (weeks 1 through 11): data gathering (3 weeks), current state assessment (2 weeks), gap assessment (3 weeks), roadmap to future state (2 weeks).

Remediation Phase

During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on the gaps found during the assessment phase. Typical activities during this phase include:

• Planning (typically four to six weeks).
• Designing (eight to 10 weeks).
• Building (12 to 15 weeks).
• Verifying (14 to 16 weeks).
• Deploying (varies).
• Reassessing for report on compliance (ROC) (eight to 10 weeks).

The reassessment (which includes any final remediation as needed) is conducted in conjunction with a (QSA-approved) third-party assessor to gain a report of compliance. Figure 2 illustrates a remediation-phase plan. During the planning phase, multiple workshops are held with a core group of personnel that includes both company resources and our consultants.

Overcoming Compliance Issues


There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

• Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance):
    - Network inventory.
    - Software inventory.
    - Current state network diagram of the cardholder data environment.
• Unavailability of skilled personnel required to both understand and maintain the security of the credit card data environment.
• No experience executing the activities required, either in first-time PCI DSS compliance or, once PCI DSS compliant, in maintaining compliance over the next cycle of compliance.
• Lack of both awareness of industry best practices and experience with the relevant tools available that fit the requirements for the company's environment.

In our experience, we have found that companies end up investing in the wrong tools and wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company's liabilities.

Figure 2: Remediation Phase Planning. Example week-by-week plan (weeks 1 through 46): plan (4-6 weeks), design (8-10 weeks), build (12-15 weeks), verify (14-16 weeks), deploy (varies), reassess for ROC (10 weeks).

PCI DSS Compliance Services Benefits

We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success. To execute a PCI compliance program, we provide tools that help along its entire lifecycle, from planning, to design and build, to testing and through validation. The key benefits of our PCI compliance framework include:

• Implementation benefits result in best-in-class, cost-effective and easy maintainability of PCI DSS compliance.
• On-the-job, environment-relevant training enables organizations to best fit personnel to function.
• Our large pool of experienced consultants across various industry verticals has experience utilizing technology to enable and protect the client's business.
• Program management capabilities for smoothly managing complex compliance programs.
• The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
• Our structured, efficient and practical operational implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
• Whether it's a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.

PCI DSS 2.0 Compliance Work in Action

We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

• Program management for the PCI remediation program.
• Delivery of security tools from design and install to operations.
• Design and architectural expertise across the client's infrastructure.
• Remediation of all findings during the PCI assessment for ROC activities.

The entire engagement was delivered in 11 months using a team of 21 professionals working with the client's 75-plus resources and another 35 vendors. We implemented more than 25 tools and services. Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps by implementing 290 PCI controls, but also incorporated the scope change, working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 shows the extent of work accomplished. Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 illustrates a progress card created each week in pursuit of ROC readiness. Figure 5 shows how a tracker is used to reveal readiness to attain an ROC.


Figure 3: PCI Remediation System, Device and Process Impacts. Program accomplishments for PCI 1.2.1 & 2.0 compliance, grouped as: tools (newly implemented, modified, phased out); programs (project management processes followed, project templates created and used); processes (process flows newly created, modified, phased out); systems (applications, client proprietary systems, servers, JBM machines, jump boxes, POS devices, operating systems and DBs, WCSs, desktops and laptops touched); network devices (routers, switches, wireless access points, WLCs, firewalls, content switches, modems and VPN concentrators touched; devices with NTP configuration); policy, procedures and standards (policies and procedures created, modified and phased out; standards created; user accounts cleaned; RFCs created; vendor contracts modified; new service implementations); and others (stores touched, business justification documents created, stores converted from MPLS to broadband, runbooks created, people given security awareness training, new vendor contracts created, service implementation modifications, anti-virus upgrades, critical security patches applied, scope reduction work streams, scope increase activities, VA and pen test remediations performed, stores with hardware encryption).

Figure 6 highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS. The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: "We were on schedule and under budget by $500K. It was an amazing achievement for the entire team."

Figure 4: PCI Controls: Weekly Progress. Number of PCI controls (0 to 300) in place, in progress and N/A, tracked at weekly checkpoints from 3/27 through 5/22.

Figure 5: Tracking PCI Readiness for ROC Status. Per-requirement bars (Comp Control (4), Req1 (25), Req2 (24), Req3 (34), Req4 (9), Req5 (6), Req6 (32), Req7 (7), Req8 (32), Req9 (28), Req10 (29), Req11 (24), Req12 (40)) showing the percentage of controls that are N/A, in place, in progress and not started.

Figure 6: Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas. Project timeline dashboard (as of 11-Mar-11; overall PCI remediation at 98% of tasks complete) listing, for each workstream, owner, start and end dates, weekly % tasks complete, % variance against the current plan and status. Workstreams by conceptual area:
• 1.1 Network Infrastructure: 1.1.1 Firewall Configuration / Routers; 1.1.2 Vendor Defaults; 1.1.3 System Configurations; 1.1.4 Password Encryption.
• 1.2 Encryption and Data Protection: 1.2.1 Data Storage and Retention; 1.2.2 Data Transmission; 1.2.3 Encryption of Keys (PIN, PAN); 1.2.4 Data Protection.
• 1.3 Vulnerability Management: 1.3.1 Anti-virus; 1.3.2 Patch Management; 1.3.3 Vulnerability Management; 1.3.4 Software Life Cycle Management; 1.3.5 Web Application Firewalls.
• 1.4 Access Control: 1.4.1 Access Control; 1.4.2 Two Factor Authentication; 1.4.3 RADIUS; 1.4.4 Password Management; 1.4.5 Facility Management; 1.4.6 Physical User Access; 1.4.7 Storage Media.
• 1.5 Network Monitoring: 1.5.1 Audit Logging; 1.5.2 Time Synchronization (NTP); 1.5.3 Wireless Access Monitoring; 1.5.4 Internal / External Vulnerability Scanning; 1.5.5 Internal / External Penetration; 1.5.6 Intrusion Detection; 1.5.7 File Integrity Monitoring.
• 1.6 Security Policies Management: 1.6.1 Security Policy; 1.6.2 Use Policy; 1.6.3 Information Security Policy; 1.6.4 Security Awareness; 1.6.5 HR Policy; 1.6.6 Vendor Policies; 1.6.7 Incident Response Planning.
Scope reduction activities A through D are tracked separately. Status legend: Completed; In Progress (variance <10%); At Risk (variance 10-19%); Not Started Late (variance >19%); On-hold.

Appendix

PCI Background [3]

Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. Remediate is the process of fixing those vulnerabilities. Report entails compiling records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI DSS 2.0 Requirements

PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1: Assess

The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process, including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation. Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitation and where to direct remediation.

• Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
• Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.

Step 2: Remediate

Remediation is the process of fixing vulnerabilities, including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

• Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
• Reviewing and remediating vulnerabilities found in an on-site assessment (if applicable) or through the self-assessment questionnaire process.
• Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
• Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
• Re-scanning to verify that remediation actually occurred.

Step 3: Report

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and the global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large transaction flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.

Footnotes

[1] PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.

[2] The time for each of the phases varies, based on the client's infrastructure footprint and current state of IT processes.

[3] This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.

About the Author


Vibha Tyagi is a Principal Consultant within Cognizant's IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master's degree in electrical engineering and an M.B.A. from the University of Chicago's Booth Graduate School of Business. She can be reached at Vibha.Tyagi@cognizant.com | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters
500 Frank W. Burr Blvd. Teaneck, NJ 07666 USA Phone: +1 201 801 0233 Fax: +1 201 801 0243 Toll Free: +1 888 937 3277 Email: inquiry@cognizant.com

European Headquarters
1 Kingdom Street Paddington Central London W2 6BD Phone: +44 (0) 20 7297 7600 Fax: +44 (0) 20 7121 0102 Email: infouk@cognizant.com

India Operations Headquarters


#5/535, Old Mahabalipuram Road Okkiyam Pettai, Thoraipakkam Chennai, 600 096 India Phone: +91 (0) 44 4209 6000 Fax: +91 (0) 44 4209 6060 Email: inquiryindia@cognizant.com

Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
