I recently spoke on the best practices found within the PCI DSS and in network security. The audience represented providers of payment transaction, retail, and banking solutions. That single focus provided a forum to dive deeper into the security and compliance intent of the PCI DSS without diminishing the worth and importance of its other sections (a common result of concentrating on one area).
Given that the presentation is not available publicly online, I wanted to list the key points highlighted below. As always, please contribute to and expand on any area in which you have experience or curiosity.
Key points to consider include:
- Defining the boundaries of the sensitive data (where cardholder data is stored, processed, or transmitted), and from that the scope of the audit and control environment for auditors and managers
- Addressing specific minimum (baseline) control practices
- Establishing a monitoring and feedback system
- Use of compensating controls
I will briefly expand on each of these central tenets, but please do dig into each area yourself; there is simply not enough real estate here to cover every aspect adequately.
Scoping and Limiting Key Controls:
- Establish segmented environments, and use appropriate authorization and access control technologies
- For example: separate the POS network from the general corporate network with firewalls and similar boundary controls, so that only the flows the payment process actually requires cross the boundary and the rest of the network stays out of scope
- Maintain secure configurations: develop them from a plan, validate through a third-party method that they meet their objectives, restrict modification once deployed in the field, and update them consistently
- Take advantage of self-evaluation opportunities to strengthen the control environment and its supporting documentation
- These succeed when scope is kept narrow, notifications are accurate, and there is consistent follow-through from all parts of the organization
- The PCI DSS recognizes that some organizations have robust controls that are not precisely identical to those it advocates; if the intent of a requirement is met, document the mechanism as a compensating control for that specific requirement rather than bolting on the prescribed one as well
- Precedent exists for this, and it is prudent to integrate safeguards that support existing ones rather than duplicate them
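To make the segmentation point concrete, below is an added example (mine, not from the talk or from any PCI SSC material) that checks a candidate firewall ruleset against a written segmentation policy. The zones, address ranges, allowed flows, and rule names are constructed assumptions for illustration; the idea is that any rule permitting a cross-zone flow the policy does not list, including broad "any" rules left over from a flat network, widens the cardholder data environment and should be caught before it reaches production.

```python
import ipaddress
from typing import NamedTuple, Union

# Constructed example network; these ranges and zone names are assumptions for the demo.
ZONES = {
    "pos":     ipaddress.ip_network("10.10.0.0/16"),   # POS terminals (in CDE scope)
    "payment": ipaddress.ip_network("10.20.0.0/24"),   # payment switch / tokenization service
    "corp":    ipaddress.ip_network("10.100.0.0/16"),  # general office network (intended out of scope)
    "mgmt":    ipaddress.ip_network("10.250.0.0/24"),  # jump hosts used to administer the CDE
}

# Segmentation policy: (src_zone, dst_zone, proto, dport). Anything not listed is denied,
# so a rule with proto or port "any" can never match and is always flagged.
ALLOWED_FLOWS = {
    ("pos", "payment", "tcp", 443),   # terminals submit transactions over TLS
    ("mgmt", "pos", "tcp", 22),       # administration only from the jump hosts
    ("mgmt", "payment", "tcp", 22),
}


class Rule(NamedTuple):
    name: str
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: str                  # "tcp", "udp" or "any"
    dport: Union[int, str]      # port number or "any"


def zones_for(cidr: str) -> set:
    """Zones a CIDR touches; adds 'unknown' if it is not contained in a single zone."""
    net = ipaddress.ip_network(cidr)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hits.add("unknown")     # spans zones or reaches unclassified address space
    return hits


def rule_violations(rule: Rule) -> list:
    """Zone pairs (src, dst) that the rule permits but the policy does not."""
    bad = []
    for s in sorted(zones_for(rule.src)):
        for d in sorted(zones_for(rule.dst)):
            if s == d:
                continue        # intra-zone traffic does not cross a segmentation boundary
            if (s, d, rule.proto, rule.dport) not in ALLOWED_FLOWS:
                bad.append((s, d))
    return bad


def audit(rules) -> dict:
    """Map each non-compliant rule name to the boundary crossings it would open."""
    findings = {}
    for rule in rules:
        violations = rule_violations(rule)
        if violations:
            findings[rule.name] = violations
    return findings


# Constructed candidate ruleset, as a network team might propose it.
CANDIDATE_RULES = [
    Rule("pos-to-switch", "10.10.0.0/16", "10.20.0.0/24", "tcp", 443),
    Rule("admin-ssh", "10.250.0.0/24", "10.10.0.0/16", "tcp", 22),
    Rule("helpdesk-rdp", "10.100.0.0/16", "10.10.0.0/16", "tcp", 3389),  # corp -> POS: scope creep
    Rule("legacy-any", "10.0.0.0/8", "10.10.0.0/16", "any", "any"),      # flat-network leftover
]

if __name__ == "__main__":
    for name, crossings in audit(CANDIDATE_RULES).items():
        print(f"{name}: opens {crossings} outside the segmentation policy")
```

Running it flags `helpdesk-rdp` (corporate workstations reaching POS terminals) and `legacy-any` (a /8 that spans every zone plus unclassified space into POS), while the two flows the policy lists pass. The same structure works as a pre-change gate: the policy table is the documented scope boundary, and the audit is the evidence that a proposed rule does not silently extend it.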
As always, please vet your organization from its own unique perspective. I firmly believe that organizations should regularly evaluate their own business procedures (including how they process cardholder data) and, where necessary, integrate the PCI requirements into those procedures rather than bolting them on.