PCI Remediation Plan | A 12 Step Process that Works | Part I

PCI remediation is a necessary step for most merchants, service providers, and other businesses that must comply with the Payment Card Industry Data Security Standard (PCI DSS).  Yes, PCI remediation can be a time-consuming and arduous process for everyone involved, but following a structured, proven PCI remediation plan is what every business needs.  With that said, the following process has been developed by PCI-QSA Charles Denyer of NDB Advisory (cdenyer@ndbcpa.com | 1-800-277-5415, ext. 705). It is a 12 step process that should work well for any entity looking to become PCI DSS compliant.  Look at it as both a road map and a remediation plan of action for PCI.

1. Determine the "type" of PCI DSS compliance your organization needs. There are numerous PCI DSS "Self-Assessment Questionnaires" (SAQs) that can be used for self-reporting, and there is also the heavyweight of them all: an on-site PCI DSS Level 1 assessment conducted by a Qualified Security Assessor (QSA), which results in a Report on Compliance (ROC). In short, how your business handles cardholder data (the payment channels used and whether you store, process, or transmit cardholder data yourself) together with your annual transaction volume will dictate the "type" of PCI compliance.  Keep in mind that "self-assessing" is easier said than done, because there can be quite a bit of work to accomplish, particularly with SAQ D, which closely mirrors the full set of requirements tested in an on-site Level 1 assessment.

2. Conduct a preliminary gap analysis against the applicable framework. So you have identified the appropriate SAQ form, or you now know that an on-site Level 1 assessment is what needs to be done.  The next step is to gather the right people and conduct a thorough gap analysis based on the requirements in either the applicable SAQ or the full PCI DSS standard for a Level 1 on-site assessment. Record each requirement as "in place", "not in place", or "not applicable", with evidence for each answer, so that the items not in place become the remediation list for the steps that follow.  You can find all of these documents at www.pcisecuritystandards.org.

3. Place remediation items into specific categories. Different people have different skill sets, so it is important to identify the major categories of PCI remediation. Who is a good writer and can develop policies and procedures? Who is the expert at configuring servers and the underlying operating systems and applications that run on them?  From a technical, operational, and business-process perspective, it is imperative that you create these "buckets" of remediation categories.

4. Determine the parties responsible for owning each remediation effort.  You have identified the parties; now it is critically important that they actually take "ownership" of their areas. This means several things, including the following: (1) determining exactly what needs to be done to bring each area into compliance. Specifically, do you need additional products or tools, or possibly extra staff for areas where you lack either the time or the technical expertise?  (2) From this initial determination, a documented list, memo, or similar record (i.e., project notes) should be in place that clearly captures those findings, with an owner and a target date for each item.

5. Seek out products, tools, and services for remediation. There are numerous open-source products, along with information security policy templates, to assist with many areas requiring remediation.  PCI-QSA Charles Denyer's three-part Top 10 PCI Remediation list gives an even fuller picture of the issues companies face with PCI DSS compliance, so it is worth reading.  Two areas that always require remediation are (1) the development of policies and procedures (templates can be obtained from pcipolicyportal.com) and (2) technical issues, which vary greatly but often revolve around provisioning and hardening, logging and audit trails, and the deployment of additional monitoring tools such as File Integrity Monitoring (FIM).

6. Identify external resources where necessary. Owning the remediation effort is one thing; implementing it and actually doing the work is another. With that said, if you determine that you do not have adequate resources internally, you will need to bring in outside help right away. Much like the two main areas listed above that require remediation, companies often seek outside assistance to (1) develop policies and procedures, and (2) implement the various technical requirements mandated by PCI DSS.

Continue to Part II of the PCI Remediation Plan | A 12 Step Process that Works.