Case Study: Spinning-Wheel

Visa CISP / PCI Background:

In 2001, Visa USA instituted the Cardholder Information Security Program (CISP) with the intent to protect Visa cardholder data, wherever it resides. All Visa members, merchants, and service providers that process, store, or transmit cardholder data are required to comply with CISP. To achieve CISP compliance, companies must meet the Payment Card Industry (PCI) Data Security Standard, which is a joint effort from Visa and MasterCard.

Why haven’t you heard of Visa’s CISP or PCI? A lot of others haven’t: while all companies have been asked to comply by June 30, 2005, Visa estimates that only around 30% of affected companies were compliant by that date. You can find out more about CISP and PCI at Visa’s Operations and Risk Management - Cardholder Information Security Program webpage.

Not complying with CISP can be a serious matter, as fines of up to $500,000 per incident can be levied for a single security breach. By complying, a company is not only protected against such fines; it also gains a better image and a more quantifiable level of security, and its customers are further protected against fraud and identity theft. Perhaps the most important reason for small to medium-sized businesses to comply is to avoid a compromise. After a hack or attack that results in a loss of customer data, businesses are reclassified at a higher level of risk, requiring more costly annual audits and incurring other potential costs.

It’s all about the policies:

The PCI Data Security Standard (PDF, 149k) consists of twelve basic requirements, and almost 200 sub-requirements:

PCI Data Security Standard
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Requirement 12 states “Maintain a policy that addresses information security”, specifically:

12.1 Establish, publish, maintain, and disseminate a security policy that:
 
12.1.1    Addresses all requirements in this specification.
12.1.3    Includes a review at least once a year and updates when the environment changes.

12.6 Make all employees aware of the importance of cardholder information security
 
12.6.2    Require employees to acknowledge in writing they have read and understood the company’s security policy and procedures.

Requirement 12.1.1 states that the security policy must address all of the requirements (1-12) in the PCI Data Security Standard (over 200!). Some of the types of policies to address all of these requirements include:
  • Password Policy
  • Wireless Security Policy
  • Audit Policy
  • Data Retention and Disposal Policy
  • Change Control Policy
  • Physical Security Policy
  • Etc.

Where Policy & Procedure Manager fits in:

Spinning-Wheel, LLC specializes in helping companies prepare for PCI audits and enabling them to clear the technical and operational hurdles required for compliance. To describe how important having a policy system is, Spinning-Wheel President, John Deatherage, uses the classic philosophy question: “If a tree falls in the woods, and there’s nobody there to hear it, does it make a sound?” A company might have excellent policies and procedures in place, but inefficient means of disseminating those policies and of ensuring they are read and understood by users.

Spinning-Wheel was looking for a PCI Compliance solution to offer its customers that would not only meet the PCI Requirements, but also increase employee awareness of the company’s security goals and vision in a clear, documented manner. They were requesting the following features:

  • Web-based Policy and Procedure system
  • Access control based on business unit, or virtual groups of employees
  • Document revision, review, and approval history with archival
  • Automatic annual or custom review notification
  • Assign custom categories to documents
  • Employee acknowledgement
  • An affordable solution
Web-based Policy and Procedure System:

Policy & Procedure Manager (PPM) is a web-based solution, which means it can easily integrate into a company’s intranet, alongside other services. A PCI auditor can easily be given access to the system for good visibility into a company’s policy.

Access control based on business unit, or virtual groups of employees:

Users can be grouped based on business unit, and also by virtual groups, making it easy to have cross-departmental reach to include all PCI-affected users.

Document revision, review, and approval history with archival:

Multiple reviewers and approvers can be assigned, and when a document is approved, the older version is archived. All of these events are logged, and the approval chain’s history is recorded. Several PCI requirements ask for management approval, and this can be facilitated with forms in PPM.

Automatic annual or custom review notification:

This feature is a perfect match for PCI Requirement 12.1.3, which states that policies must be reviewed annually, or when the environment changes. Automatic notification takes place through email reminders, and the frequency is customizable. Another great use: several other PCI sub-requirements also ask for routine tasks to be completed on a regular basis. The procedure or the form for the task can be stored in PPM, and the responsible party will receive an email notification every time they need to fill out the form again. This gives PCI auditors easy access to information, and can help reduce audit times.

Assign custom categories to documents:

By adding custom PCI-related categories to the database, Spinning-Wheel was able to easily verify that all of the PCI Requirements that needed to be covered in a policy or other document were present.

Employee Acknowledgement:

The employee is presented with a dialog giving them the choice to accept the policy. This meets Requirement 12.6.2, which requires employees to acknowledge that they have read and understood the policy.

An affordable solution:

Document Control systems are very expensive, and may not offer ROI for smaller companies. Spinning-Wheel found that PPM has all of the most important features (automatic review, approval chain, archival, employee signing) needed for PCI compliance.

2002-2008 Policy Technologies International, Inc. (PolicyTech™)