A Worthwhile Resolution for 2019

New Year’s Resolutions. We all have them. They often sound something like this:

“This year I’m going to eat less, exercise more, and be a better spouse/parent/employee/person…” and the list goes on. Sometimes we follow through for a week, or even a month. But usually we don’t stick to it for very long.

Well, here is a resolution that you can and should be making and sticking to in 2019, for both your personal and professional safety and benefit: it is time to take cybersecurity seriously. With the Identity Theft Resource Center (ITRC) reporting 1,027 breaches, which include 57,667,911 records compromised, as of November 2, 2018, the statistics are pretty baffling.

Personal Security

Enable 2FA (Two Factor Authentication) whenever possible – This requires a name and password plus an additional type of verification in order to access private info. This usually simple step, for example verification via your cell phone, can greatly decrease the chance of a personal breach.

Manage passwords safely – Guess what?! Using your sweetheart’s name and birthdate for all your passwords, while perhaps cute, is not the smartest (or safest) way to keep your personal data safe. To really keep your information safe, you need to create unique passwords for each of your applications, e-mail accounts, etc. There are many password tools out there that can help keep all of your passwords safely in a single location.

Organizational Security

Risk Assessment – Are you able to make heads or tails of where your organization stands from a security standpoint? How well are your data and assets protected? Do you have the right policies and procedures in place to prevent a breach? Performing a risk assessment will provide your organization with an overview of your current security posture so you can then create a security roadmap and prioritize accordingly.

Penetration Testing – There are two major reasons that your organization will benefit from doing penetration testing:

1) Having a penetration test performed on your environment (aka ethical hacking) allows you to see how a potential attacker sees your organization and its vulnerabilities. With security breaches making headlines throughout 2018, now would be a good time for you to check!

2) You are looking to offer your product/services to companies A, B, & C. In most cases, the companies you’ll want to do business with require mandatory penetration testing. Be prepared today so you can sign new customers tomorrow!

Here’s to a safe and productive 2019!

Your company is going international. What about your cybersecurity?

If your company is approaching new markets overseas, cybersecurity should be a primary concern. Regulatory environments, compliance, and privacy laws differ significantly from country to country, and protecting your data, as well as that of your customers, is of great importance.

Being prepared in advance will help you enter your new market quickly so you can hit the ground running.

Risk management: it’s a game-changer

Risk management is crucial, whether you are in a compliance-heavy industry or not. Having a good understanding of the regulatory environment in the countries you are doing business in is a good place to start.

Penetration testing (PT)

Assessing your risk is an important first step towards compliance. Penetration testing, sometimes known as a pen test, is a way to determine your risk through authorized hacking. Pen tests are conducted to find exploitable weaknesses in your system so that you can be better prepared for any potential threats.

The results of your PT will help you to address any security issues before you pursue the appropriate certifications.

Here are some of the essential credentials and standards you should be aware of when taking your company international:

ISO 27001 certification

ISO is an organization that deals with international standards. ISO 27001 is specifically geared to information security management and is recognized as a worldwide protocol to help companies manage risk to their data assets. ISO 27001 certification is a best-practices approach that shows your company is managing its data security in line with the highest international protocols.

PCI DSS compliance

PCI DSS is a standard for securing the data surrounding online payments. It applies to all companies that process and store payment data for their customers and vendors, and also covers third-party vendors who might have access to this data. If you accept payments online with any type of payment card, PCI DSS standards apply to you.

GDPR compliance

The General Data Protection Regulation (GDPR) becomes law in May of 2018. This regulation protects the personal data of all EU citizens and businesses, and any company that does business with EU people or entities must comply.

HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) applies specifically to personal healthcare and medical data. If you store protected health information for your employees, you must be HIPAA compliant. This includes healthcare providers, healthcare insurance providers, and companies that handle third-party billing or data processing for any of the above.

Don’t let non-compliance be a show-stopper

Compliance with international standards is essential to your business continuity. In most cases, until you comply and show a certification, all contracts, deals or any other relations with partners or customers will be on hold.

Here are some of the methods you can use to ensure compliance and data safety:

Penetration testing (PT)

GRSee uses proven methods to discover vulnerabilities in your system through our own Application Penetration Test model.

IT Security Questionnaires

OWASP CISO Survey

The Open Web Application Security Project (OWASP) questionnaire asks a range of questions to help you determine your level of risk. Most of those questionnaires are based on the ISO 27001 standard, so if you are already in compliance with ISO, it will save you a lot of work. Keep in mind, however, that your answers are simply a snapshot in time, so revisiting the questions periodically is always a good idea.

To help you manage the survey, GRSee offers CISO (chief information security officer) as a service. The CISO we assign will be in charge of answering the questionnaires and will provide solutions to any issues that are identified, functioning in a capacity that best suits your needs.

Bottom line, if your company is going international, you need to be prepared to answer to international compliance standards. GRSee Consulting is dedicated to supporting your compliance from every possible angle with specialized expertise and SaaS solutions you can depend on. Call today to schedule your cybersecurity audit.

Preparing for the GDPR: What You Need to Know

The GDPR becomes law in May of 2018. If your company does business with any EU citizen or entity, you need to be prepared for this new law, which is designed to protect and strengthen the privacy for all individuals residing in the European community.

The law applies to any business or public-sector entity that retains the personal or payment data of EU citizens. Under the law, companies will be required to be able to directly access this information for correction or deletion purposes and customers whose data is being held will have the option to “be forgotten” – meaning, if one of your customers asks for their data to be deleted, you must comply.

This is only one aspect of this very complex law, but it is a significant one. As a company looking to become compliant, it will be necessary to develop a workflow that makes it easy to accomplish these requests.

For many, this means a digital transformation will be necessary if indeed you have not yet initiated such a process. Modernization of data storage and security is absolutely crucial, especially for SMBs or enterprises, as the sheer volume of stored data will necessitate a capable data classification system in order to allow admins to isolate, manipulate, and delete data when needed.

KEY ELEMENTS OF THE GDPR

While this is by no means a complete guide to GDPR compliance, we have put together an
overview that covers the key points:

1. Data flow mapping & analysis

In order to understand what kind of data your organization processes, it will be necessary to create a data flow map to show the flow of your data from one interaction point to the next – for instance, from the supplier to the shipper, to the customer, and so on. This is meant to identify any potential unintended use for the data and therefore requires that you consider what parties may be using the information and for what purpose.

2. Data type analysis

Your data flow maps should include the type of information being collected and how it was obtained – for instance, through a web form, direct data entry, or over the phone. Data needs to be analyzed as to the risk it may pose so that adequate measures are put in place. Being able to classify the type of data you are storing is key to assessing risk.

3. Analysis of currently implemented controls

This phase examines the legal and risk controls that you have currently implemented from a legal, organizational, physical, and technical point of view. This is primarily to control any identified risks prior to any processing of any new data.

4. Identify scope – processor or controller

The extent to which your company is liable under the GDPR largely depends on whether you are a “controller” or a “processor” of data. A data processor handles data on behalf of the data controller and so is not subject to as many obligations where the data is concerned. Though the data controller is largely responsible for the disposition of this data, the data processor may still be liable to a degree if they are storing data on their servers, for instance, or are providing any other 3rd party service (such as a shipper) that uses the data.

5. Review of privacy policies

Data controllers will need to be more specific in crafting their privacy policies. According to the GDPR, you must provide clear information on how you are using your customer’s data. This information must be:

  • Concise, easy to understand and easily accessible
  • Written in plain language that would allow even a child to understand it
  • Provided free of charge

6. Review of third parties’ policies

The privacy policies of any 3rd party your company does business with should be thoroughly reviewed to ensure that their policies comply with GDPR regulations. This is meant to prevent unauthorized use of customer data. Article 28 of the regulation outlines in great detail how processor-controller contractual relationships should be worded.

7. Privacy review in SDLC

In addition to all the customer-facing data issues covered by the GDPR, the law also affects the software development lifecycle and processes for any IT company that seeks to do business with or provide information systems for the EU. The GDPR has technical and functional implications that require a high degree of planning in the initial phases of the SDLC. The earlier in the process these items are addressed, the less complicated and costly it will be in the long run.

8. Reviewing core GDPR issues

  1. The Right to be forgotten: Article 17 of the GDPR states that customers whose data is being held have the right to ask for it to be removed.
  2. Data roaming: This issue affects the transfer of data on the open internet, as may happen in a mobile computing environment.
  3. User’s consent: users must consent to their data being used. This may take several forms, depending on how your organization uses this data.
  4. Data destruction: data destruction poses a significant risk, especially when dealing with a hard copy (paper documents). If you use an asset disposal service (classified as a data processor under the GDPR) you must ensure they are compliant with GDPR regulations to reduce your risk.
  5. Review of special categories: this involves data that relates to a wide range of variables, including human resources and employee data, data relating to children, and health records for example. This area is quite complex, but it seeks to safeguard the privacy of the individuals whose data is being collected.
  6. Dispute resolution: article 65 of the GDPR sets forth the process for dispute resolution by the Board if the supervisory body finds any infringement.
  7. Cookie consent: the GDPR calls into question the current EU cookie consent laws. The GDPR sees cookies as a unique identifier, and so consent rules do apply. If cookie data is used for more than one purpose, there may be a need to establish separate consent for each use.

CREATION OF GDPR ALIGNMENT WORK PLAN

If you have not yet begun to map out your plan for GDPR alignment, GRSee can help. Though the law is multi-faceted and complex, as experienced auditors who have performed hundreds of compliance projects, including GDPR alignment projects, we have created an efficient and proven methodology that will get you up to speed quickly.

WHAT’S THE SMOKING GUN? FINES OF UP TO 20 MIL EUROS!

With so much at stake, it is imperative that your security practices be in place as soon as possible. Some of the mechanisms you can implement right away include privacy by design at the SDLC (development lifecycle) level, pseudonymization, opt-out mechanisms, redacting data, and destroying old or redundant data.

Boosting internal security is always a good idea as well, especially if you retain hard copies of any personal, payment, or other sensitive information that needs to be protected. Locked cabinets and file rooms are a good start, but establishing a secure digital storage solution is also important. Furthermore, for those who are ISO 27001 compliant, you’ve already fulfilled some of the requirements necessary for GDPR. For those not yet ISO compliant, it’s a great opportunity to kill two birds with one stone.

There’s never been a better time to start your digital transformation. Call GRSee today to set up a free consultation.

The GDPR is the Biggest Thing since SOX

To those of you who have been dealing with data governance and compliance issues since the Sarbanes-Oxley Act (SOX) appeared on the scene in 2002 – are you having flashbacks yet?

Once again, we are facing new, exceedingly strict regulations coming down the pike and once again, there are serious budgetary concerns around developing a compliance architecture. Many companies, in fact, still struggle with SOX compliance for various reasons. They adopt a reactive rather than a proactive stance when issues come to light, which is, as we all know, an inefficient and costly way to do business.

While SOX applies to companies in the United States, the GDPR is focused on the EU. In both cases, however, there is an increasingly high degree of international overlap as companies continue to expand their global presence.

Bottom line, if you do any business whatsoever with EU citizens—even if you’re a B&B who occasionally has European visitors—you need to pay attention.

One major advantage we have heading into the GDPR is that these days, technology truly is on our side. That sign you’ve been looking for? This is surely it. If you have not yet begun your digital transformation, the time is now.

WHAT HAPPENS IF YOU DO NOTHING?

GDPR non-compliance has serious implications that will affect companies anywhere in the world who do business in Europe, or who do business with EU citizens. It’s a complex set of requirements meant to meet today’s increasing need for data protection against mounting cyber-threats as well as unauthorized use of personal data. This also extends to your marketing analytics as well as any online activities that involve collecting traceable personal identifiers.

The consequences of non-compliance are great: companies could face fines of up to €10-20M – certainly not small change. Depending on the type of breach at issue, you may also be subject to an audit, a review of your licensing, your certifications, and you could potentially face restrictions on how you collect and process data in the future. If you are caught up in such an unfortunate situation, the damage to your company and your business reputation might be irreparable.

ACT NOW

There are so many layers of complexity in the GDPR that even the most seasoned CISO or other executive officer might be experiencing a few sleepless nights. Because of this, equally nuanced solutions are necessary. Above all, you want to avoid having to take a reactive stance in the instance that any of your systems or transactions are under scrutiny.

Even if you have an internal IT team, working with an external consultant who specializes in data protection and compliance is a good idea. Chances are, your team has their hands full with your day-to-day operations and they may not be particularly well-versed in data governance. Working with a highly specialized crew to establish your GDPR strategy will give you the peace of mind you need to move forward with confidence.

CONCLUSION

Preparing for the GDPR is a massive undertaking, but it doesn’t have to be painful. With GRSee’s proven GDPR methodologies which address data security & governance, combined with strategic policy restructuring, you can achieve compliance in far less time and for far less money than you might think.

GRSee is America’s compliance specialist: schedule a free consultation today and find out how easy it is to get started.

5 simple steps for GDPR compliance

As the GDPR deadline of May 25, 2018 creeps closer, our thoughts turn to compliance and how to achieve it without losing any (more) hair in the process.

If you have been putting off making the necessary adjustments to your data security, privacy, and governance policies and procedures, keep in mind that the clock is ticking down rather quickly now. The good news is, by following a series of simple steps, you can clear that GDPR smoke screen and get back to doing what you do.

Here are five simple steps you can take to get you GDPR compliant with minimal pain.

1. Data flow mapping and analysis

Data classification is a major step towards GDPR compliance, but this can be particularly complex if your data is stored on physical servers, as any stored backup copies would also need to be accessible in case you needed to remove or edit a record. If you were still using tape backups, the undertaking would be virtually impossible, taking up countless IT hours for something that could be accomplished in a few keystrokes. You need to know how your data flows in and where it goes from there – including its interactions with 3rd party vendors such as shippers, email services, marketing platforms, and so on. With GRSee’s vast experience in governance, risk & compliance projects, we have created methodologies that are efficient and have allowed us to successfully support your transformation.

2. Analysis of currently implemented controls

While you likely have some controls in place, each should be reviewed and considered in the context of the GDPR. This should be a step-by-step process in which you examine your data flow to see whether your existing controls are going to be adequate, if you merely need to make some adjustments, or start from scratch. This will include written policies as well as all applicable IT, hardware and software solutions.

3. Review of privacy policies

Privacy policies must be worded more precisely. You must now disclose exactly why you are collecting personal data and how it will be used, stored, and shared among your 3rd party processors. By proxy, this also mandates that you review your 3rd party vendors’ policies as well to ensure they are in compliance.

4. Review SDLC for privacy

Your software development cycle (SDLC), if this applies to you, is going to take a hit as well. The SDLC is affected substantially, in that GDPR requirements will need to be addressed in every stage of the software product lifecycle. This will be necessary in order to remain financially viable in production and avoid costly reworking later on. Problems can be avoided if these issues are addressed as early as possible in the process.

5. Creation of GDPR alignment work plan

Aligning your processes to support best practices in light of the GDPR is crucial. The earlier you begin to map out your transformation, the less tap dancing you will have to do when the law comes into effect on May 25, 2018. Preparation is the first step, followed by the implementation of effective procedures, and finally maintaining your protocols to assure ongoing accountability.

If you have not yet begun your digital transformation, the imminence of the GDPR may help you get started. Speak with GRSee to set up a free consultation.

PCI DSS Myths

Myth: Only large companies are required to, and can, undergo PCI DSS certification

Fact: Incorrect. PCI DSS applies to all entities involved in payment card processing, including merchants and other entities that store, process and/or transmit cardholder data. They all must comply with PCI DSS requirements. In fact, PCI DSS was developed to enhance the security of cardholder data, which is why any entity that holds cardholder data should comply with the standard.
Non-compliance could mean high risk for these entities: when there is a security breach of cardholder data and they are not PCI compliant, they could be subjected to penalties such as fines and other sanctions from banks and credit card processors. They may also be subject to lawsuits and/or governmental prosecution for failing to protect customer data.

Myth: Using a certified PCI DSS cloud provider (SaaS, PaaS, IaaS) automatically makes you PCI compliant

Fact: Incorrect. While many companies/merchants now use cloud services, they still have to comply with PCI DSS themselves, even though they use services from certified PCI-compliant providers.
When you are using cloud services, you have to clearly define your own responsibilities and those of your cloud service provider in order to maintain compliance with PCI DSS requirements. To do that, you should understand the details of the offered services. Your provider should clearly identify which PCI DSS requirements are covered by its PCI compliance program and which ones are not. The provider then has to document those aspects of its service which are not covered and make an agreement with the client (i.e. your company) that those aspects are your responsibility to manage and assess.

Myth: Once you achieve PCI DSS compliance, you have nothing to do the next year.

Fact: Achieving PCI compliance does not mean you have reached your final goal. You still need to maintain the policies, procedures, and good practices that are consistent with PCI DSS requirements. Moreover, validation of compliance should be performed annually.
Beyond compliance itself, since the standard was developed to protect cardholder data, it is important that you implement all controls (such as policies and daily operational security procedures) that are consistent with PCI DSS requirements in your daily business activities. Only by continuously and consistently executing all these security controls, including the development and implementation of a security awareness program to make all relevant parties and personnel aware of the importance of cardholder data security, can the objectives of PCI DSS be achieved.

7 Benefits of PCI DSS compliance

That Will Energize You to Comply with The Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a standard created by the card issuing banks and branded card networks (i.e. Visa, MasterCard, Discover, American Express, etc.) as an answer to strengthen the protection of cardholder data after the major card breach back in 2005, when 40 million cards were compromised.

That was a correct action to regain the trust from cardholders so they can still feel comfortable when using their cards to pay their transactions.

To successfully implement the standard, every organization that has an obligation to comply needs to understand what benefits it will gain by being PCI-compliant. By keeping these benefits in mind, the objective of protecting cardholder data can be achieved successfully and much more easily, because they know the benefits they will get.

Actually, to comply is both an obligation and an investment for any merchant or organization that processes, stores and transmits cardholder data, and the investment will return in the form of tangible and intangible benefits, as follows:

  1. Security improvement – decrease the risk of security breaches
    Like any other compliance program, many organizations have a question in mind before they put effort into the journey towards compliance: does this standard provide real impact and value if we implement it, or is it just for the sake of compliance? This question is very important to address and should be answered seriously.
    Organizations that comply with PCI DSS requirements get real value. A study conducted by Verizon stated that PCI compliant organizations are significantly more likely, by up to fifty percent, to successfully resist a cardholder data breach.
    This means that the 12 PCI DSS requirements are an adequate set of security controls to protect cardholder data if we implement them properly.
  2. Get peace of mind for you and your customers
    You will feel safe, and your customers will feel safe too. This is the result you get, as you will be much less likely to suffer cardholder data breaches.
    You feel confident that you have done everything you should to protect cardholder data. Your customers feel safe too: they believe that they are providing their confidential data to a trusted company, which is you.
  3. Improve customer relationships
    A study conducted by Quirk’s Marketing Research Review in 2014 stated that 69% of consumers would be less inclined to do business with a breached organization. As an organization that complies with PCI DSS, you should be able to decrease the risk of a data breach significantly. This means you will have a better relationship with your customers. They will see you as a company with a strong commitment to protecting their data.
  4. Increasing profit
    This is a direct result of the peace of mind your customers get when they do business with a trusted company/merchant that complies with PCI DSS.
    In turn, this will grow your customers’ loyalty to your company, and they will become your free marketing agents as they tell their friends and relatives about your good and safe services and recommend them.
    You will keep existing customers with more transactions and also gain new customers. More customers, more transactions, more profit. Isn’t that what you really want?
  5. Avoid costly fines. The risk costs much more than the cost to comply
    Any company or merchant may understand the benefits of PCI compliance. They may also understand that it is their obligation to comply with the standard. But as a business entity, they always weigh cost and benefit in any decision they make.
    Yes, of course, in order to comply they have to spend some money. The amount of this investment depends on how many card transactions your company handles per year. But when it comes to cost, we should compare the cost of complying with the standard against the cost of not complying.
    If a cardholder data breach happens (and it can happen), every involved entity will be investigated. If, say, a merchant is involved and at the time of the breach it did not comply with PCI, it will get a costly fine. The acquiring bank may have to pay a fine of $5,000 to $100,000 per month to the payment brands for PCI compliance violations. The banks will most likely pass this fine down to the merchant eventually. And as stated above, properly implementing the PCI requirements will reduce data breaches. This is a real benefit for the company, because its likelihood of receiving a fine decreases as well.
  6. Company image building
    Most customers may not understand the details of the standard, but your compliance will make them believe that you have a strong commitment to protecting their cardholder data.
  7. Sustain your business
    Any merchant, even one with a single credit card transaction, has to comply with the standard; if it does not comply, it will be at high risk. Think of the worst case: you are subject to fines and you may also face lawsuits for failing to protect cardholder data. You will lose money and your reputation will be damaged. This may put your business in danger. So, being PCI compliant is a must for any organization that stores, processes and transmits cardholder data in order to sustain its existence in this business.

When organizations understand the benefits above, they will see that being PCI-compliant is not just something they have to do, but something they need to do in order to sustain their business, gain benefits and manage the risk they face.

Key Success Factors

This is Why Scoping, Segmentation & Tokenization Are the Key Success Factors Towards PCI DSS Compliance

So, what are the reasons organizations fail PCI Audit?

In December 2013, a credit and debit card data breach at an American discount retailer, Target, affected 40 million shoppers who went to the store in the three weeks after Thanksgiving. This incident shows us how actual and real the threat that many organizations, such as merchants, are facing today is. The need to protect cardholder data is real, and this is the primary objective of PCI DSS.

While being compliant with PCI DSS requirements is very important, many organizations still find that it is not easy to comply.
This article covers some issues that cause PCI audit failures, so we can learn a lesson and do better when we prepare to comply with the standard.

  1. RIGHT SCOPE
    Scoping of the PCI DSS assessment is very important. Scoping defines the certification boundaries. Successful PCI DSS compliance heavily depends on the correct identification of the scope of assessment. The right scope will make it much easier for you to comply and at the same time reduce the cost of compliance.
    If your scope of PCI DSS assessment is too narrow, you could potentially put cardholder data in danger; if it is too broad, it will make your effort harder and add unnecessary cost to achieving PCI compliance.
    The PCI DSS categorizes system components as being either in scope or out of scope of the assessment. The Open PCI DSS Scoping Toolkit has a good method to clearly categorize each system component, which will help us define the scope of the PCI DSS assessment.
    The toolkit defines three categories of system components, so we can categorize each component based on them. Then we can define which system components are the most important to protect, and which are less important or not important to protect.
    Every system component within an organization can be categorized into one and only one of the following:

    • Category 1 – System components that process, store or transmit cardholder
      data or are not isolated or restricted through controlled access from other Category 1 system components.
    • Category 2 – System components that have controlled access to a Category 1
      system component.
    • Category 3 – System components that are isolated from all Category 1 system
      components.

      Figure 1. System Component Categorization (source: Open PCI DSS Scoping Toolkit)

      After categorizing system components, we can define which components in-scope and which ones are out-scope of a PCI assessment, as shown by the following tables.

      Figure 2. Mapping System Components Categories and Scoping of Assessment (source: Open PCI DSS Scoping Toolkit)


  2. IMPLEMENT SEGMENTATION PROPERLY
    Not implementing network segmentation is one of the biggest reasons why organizations fail to comply with PCI DSS.
    We can minimize the scope using network segmentation. Segmentation means separating the system components or devices that store, process or transmit cardholder data from all other components, keeping PCI-protected payment information away from less sensitive data. We consolidate cardholder data into fewer locations and a more controlled environment (the CDE, or Cardholder Data Environment).
    According to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
    So it is clear that segmentation can be very useful for reducing the scope, and therefore the cost, of a PCI DSS assessment.
    Without segmentation, for example, card-processing systems are mixed with back-office systems. This arrangement can put the entire network in scope for PCI DSS compliance, which increases the amount of work needed to comply with the standard and with it the chance of failing to comply.
    We can implement segmentation by using several technologies, as follows:

    • Tokenization
      Tokenization can be used to reduce the scope of assessment. Tokens are used to replace sensitive data such as primary account number (PAN) data or credit card numbers.
      Credit card tokenization randomly generates a value to replace the credit card data. Because tokens are randomly assigned, a token cannot be compromised or reverse-engineered to recover the card number it stands for. The only way to see which credit card value is associated with which token is through a token vault, which is usually managed by a third party.
      By using tokens instead of PAN data or credit card numbers, merchants never see customer credit card information. They see only tokens, which are useless information on their own.
      PCI DSS states that, “Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment.”
      This means that tokenization can reduce the number of system components that must be assessed, because those components no longer store or process cardholder data, only tokens. This reduces the scope of assessment and, in the end, the cost of compliance.
      The tokenization system components, such as the card vault and the de-tokenization service, are part of the cardholder data environment (CDE) and are therefore in scope for PCI requirements. When the card vault is handled by a vendor, it is out of scope for the business that accepts the payment cards.
      Organizations that use tokenization provided by a third party must ensure that the tokenization vendor has been approved through the PCI SSC and that it protects its tokenization systems and processes with strong security controls.
    • Implement strict access control
      According to the PCI SSC document Guidance for PCI DSS Scoping and Network Segmentation, for a system to be considered out of scope, controls must be in place that give reasonable assurance the out-of-scope system cannot be used to compromise an in-scope system component, since an in-scope system could in turn be used to gain access to the CDE or impact its security.
      Examples of controls that can be applied to prevent out-of-scope systems from being used to compromise in-scope systems are as follows:

      • Host-based firewall and/or intrusion detection and prevention system (IDS/IPS) on in-scope systems that block connection attempts from out-of-scope systems.
      • Physical access controls that allow only designated users to access in-scope systems.
      • Logical access controls that permit only designated users to login to in-scope systems.
      • Multi-factor authentication on in-scope systems, such as two-factor authentication (2FA).
      • Restricting administrative access privileges to designated users and systems/networks.
      • Actively monitoring for suspicious network or system behavior that could indicate an out-of-scope system attempting to gain access to an in-scope system component or the CDE.
    • Access rule via proper firewall and router setting
      We can use firewall and router rules to ensure separation between network components or devices such as public servers, the corporate LAN, and the CDE (Cardholder Data Environment). For example, we can set a rule so that no traffic originating from the corporate LAN is allowed into the CDE.
      Remember that all controls used to establish segmentation (such as firewall settings that limit connections to specific ports or services on specific systems) should be included in the PCI DSS assessment to validate their effectiveness.
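As an added example of the tokenization flow described above (not the article's code and not any vendor's product), a hypothetical TokenVault hands a merchant system a random token in place of the PAN, and a simple scope check confirms that the merchant's stored record contains no card number. The class and function names are constructed for illustration.

```python
# Added example, not from the article: a minimal token vault. TokenVault and
# merchant_order_record are hypothetical names constructed for illustration.
import re
import secrets
from typing import Dict

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn check so an obviously invalid PAN is rejected before it is vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> PAN mapping; only this component can reverse a token."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        # Random, not derived from the PAN: the same card gets a fresh token
        # each call, so the token carries nothing that could be reversed.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def merchant_order_record(vault: TokenVault, pan: str, amount: str) -> Dict[str, str]:
    """What the merchant's own database keeps: the token, never the PAN."""
    return {"card": vault.tokenize(pan), "amount": amount}


def holds_chd(record: Dict[str, str]) -> bool:
    """Scope check on a stored record: does any field look like a full PAN?"""
    return any(PAN_RE.fullmatch(v) is not None for v in record.values())
```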
  3. REMEMBER THIS GUIDELINE
    PCI compliance can be less expensive and much less frustrating if we use the above strategies and follow this guidance:

    • Do it wisely, do what you need and only what you need.
      For example, access to CDE should be given based on business needs only.
    • Consider business constraints.
    • Consider ALL business processes.
      The strength of your security equals that of your weakest link. A company may implement tokenization, but if at the same time its employees leave the voice recording system or fax system unattended, the tokenization will be useless.

Carefully considering the strategies and guidelines in this article will improve your chance of successfully complying with PCI DSS.