Using Your QSA as a Resource Year Round

© 2016 SecurityMetrics

Winn Oakey, QSA

Upload: securitymetrics

Post on 22-Jan-2018

TRANSCRIPT

Page 1: Using Your QSA as a Resource Year Round

© 2016 SecurityMetrics

USING YOUR QSA AS A RESOURCE YEAR ROUND

Winn Oakey, QSA

Page 2

ABOUT SECURITYMETRICS

• Helping organizations comply with mandates, avoid security breaches, and recover from data theft since 2000

Page 3

AGENDA

• Achieving compliance with your QSA

• Time-saving tips for your next audit

• Best practices to prepare for your audit

• One-year audit plan

Page 4

ACHIEVING COMPLIANCE

Page 5

WHAT HINDERS PCI?

• Often, management/executives don’t see the necessity of PCI compliance:

– Budget issues

– Company culture

– Company procedures

Page 6

If you’re breached, it could be a company-ending risk.

Page 7

PCI IS A TOP-DOWN SYSTEM

• Executives need to know:

– What’s required

– What changes need to happen

– Why (e.g., financial reasons, penalties)

Page 8

Any time your environment changes, tell your QSA.

Page 9

CHANGING ENVIRONMENTS

• Whenever bringing on new systems, ask how they change your:

– PCI scope

– PCI environment

– Documentation process

– Employee training

Page 10

UNDERSTANDING YOUR SCOPE

• Has your environment changed?

• Are there new PCI rules?

• What impact do new rules have on compliance?

– E.g., PCI DSS 3.2

– SSL and TLS

Page 11

The biggest problem is when organizations think they’re PCI compliant, but aren’t.

Page 12

HOW A QSA HELPS

• Their goal is to help you reach compliance

• Knowledge of common issues and how they are being handled

• Understand PCI requirements

• Offer best practices

Page 13

WORKING WITH YOUR QSA

• Create an ongoing relationship throughout the year

• Keep documentation up to date

• Send documents to your QSA

– Especially when changes occur

Page 14

COMMON QUESTIONS TO ASK

• New requirements

– What are the new changes?

– What should I do?

– When do I have to implement?

– How does it affect my environment?

Page 15

SAVING TIME

Page 16

It’s not about finding time. It’s about maximizing the little time you have.

Page 17

NEW TO PCI?

• PCI can be a beast

– Break it into manageable pieces (e.g., 2-3 things per month)

– Make a process for the future

• Ask your QSA about a gap analysis

Page 18

ALREADY PCI COMPLIANT?

• Keep documentation

• Finish requirements on their timelines

• Ask your QSA about new PCI requirements

• Scope properly

Page 19

PLACE SOMEONE IN CHARGE

• At least one individual responsible for PCI requirements

• Give them the power to act and implement changes

• Monthly, if not weekly, meetings with executives

Page 20

The PCI declaration occurs once a year, but PCI needs to be a continual process.

Page 21

SCHEDULED TIMELINES

• Many PCI requirements are on scheduled timelines. Remember to have them:

– Completed

– Documented

– Ready to demonstrate

Page 22

UNDERSTAND YOUR ENVIRONMENT

• Are you an L1 or L4 merchant?

• Ecommerce vs. in-person?

• Which SAQ do you need to fill out?

• How does your data flow through your environment?

Page 23

It’s better to validate your compliance and security than to discover problems.

Page 24

TRANSPARENCY

• Send all necessary PCI documents to your QSA

• Be completely open with your QSA

– Don’t hide weaknesses; no one gains anything

– Ultimately speeds up the auditing process

Page 25

PREPARING FOR YOUR AUDIT

Page 26

PRE-ONSITE AUDIT

• Prior to your onsite audit, you should review:

– Your systems

– Evidence of compliance

– Your business model

– PCI questions

• Ask your QSA questions

Page 27

You should talk with your QSA at least quarterly, if not more.

Page 28

QUESTIONS TO ASK

• What changes are you seeing?

• How do secure organizations address those changes?

• What are some other best practices?

Page 29

ONE YEAR BEFORE YOUR AUDIT

• Look at requirements that need to be done on a recurring schedule (e.g., monthly, quarterly, every 90 days)

– What those requirements are

– Where you stand

– Who’s responsible

– How the results are captured

– Reporting plans

Page 30

ONE YEAR BEFORE (CONT.)

• What changes are happening with PCI requirements (e.g., EMV, new technology)

– What do you need to do

– How do you plan to meet timelines

Page 31

6 MONTHS BEFORE

• Start your own internal audit

– Look for card data in the “wild”

• Review logs and processes

• Work more closely with your QSA

– Pass on information and documentation
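The “look for card data in the wild” step of the internal audit is the one item on this slide that turns into a concrete check. The following script is an added example, not part of the original deck and not a SecurityMetrics tool: it scans text for digit runs that could be primary account numbers, keeps only the ones that pass the Luhn mod-10 check (which drops most timestamps, order ids and phone numbers), and reports each hit masked to its first six and last four digits so the report does not itself become stored cardholder data. The file suffixes, the regular expression, and the sample log lines are all assumptions constructed for the example; the card numbers in the sample are well-known test numbers, not real accounts.

```python
"""Constructed example of a minimal cardholder-data discovery scan.

Walks a directory of text files (or a string, for testing), finds digit
runs that could be PANs, filters them with the Luhn check, and reports
masked matches. Assumed for this example; not from the original deck.
"""
import re
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit (assumed pattern).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text (Luhn-valid candidates only)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_files(root: Path, suffixes=(".log", ".txt", ".csv")) -> dict[str, list[str]]:
    """Scan text files under root; map relative path -> masked PANs found."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            pans = find_pans(text)
            if pans:
                hits[str(path.relative_to(root))] = pans
    return hits


# Constructed sample log lines: a 16-digit order id and a phone number that
# must NOT be reported, next to two well-known test card numbers that should.
SAMPLE = """\
2016-03-01 12:00:01 order=2016030112345679 customer tel 801-555-0199
2016-03-01 12:00:02 DEBUG card=4111 1111 1111 1111 exp=12/19 status=ok
2016-03-01 12:00:03 DEBUG card=5500000000000004 status=declined
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print("candidate PAN found:", pan)
```

Run against a real file tree with `scan_files(Path("/var/log"))` (assumed path) and treat every hit as a scoping question for the QSA: a log that stores full PANs is in scope and needs either the logging fixed or the data purged, which is exactly the kind of change the next slide says can take a quarter to approve and implement.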

Page 32

6 MONTHS BEFORE (CONT.)

• Prepare to fix your systems

• If a tool is needed or a process is changed, these changes may take a quarter for approval, purchase, and implementation.

Page 33

3 MONTHS BEFORE

• Have we covered the following areas?

– Our understanding of PCI

– Review of compliance

• Implement changes

• If possible, do another internal audit

Page 34

ONE MONTH BEFORE

• Work with key individuals

– Know who should be interviewed

– Discover what’s required of them

– Put together needed documentation

– Make assignments

• E.g., gather logs, review processes

Page 35

ONE MONTH BEFORE (CONT.)

• Review your systems

• Check in with your QSA

Page 36

TAKEAWAYS

Page 37

DON’T FORGET TO . . .

• Understand what requirements you have to follow

• Schedule and do all requirements on time

• Take time to understand PCI requirements

Page 38

DON’T FORGET TO (CONT.) . . .

• Tell your QSA when your environment changes

• Send all necessary documents to your QSA

• Talk with your QSA at least quarterly

Page 39

It’s important to be compliant, but it’s vital for your organization to be secure.

Page 40

www.securitymetrics.com

QUESTIONS?