PCI 3.0 compliance can be complicated, but if there’s one aspect that can feel especially time-consuming, it’s documentation. Trust me on this – Armor just successfully completed its own PCI 3.0 audit, and, just like you, we had to show written evidence to pass our compliance audit.
I have some good news, though. If you've tackled PCI compliance in the past, you might remember that PCI DSS 2.0 wasn't always clear on the kind of documentation needed. Because of this ambiguity, many people (assessors and QSAs as well as the security teams being assessed) had questions about exactly what they had to produce. Luckily, 3.0 spells much of this out in the requirements themselves, often with the specific artifact named. Instead of simply being told to document something, you'll know what you need to document.
Let’s look at the areas you’ll need to focus on.
- Data flows. Once you have defined and validated your CDE, you need to document the result. That means a current network diagram that identifies every connection between the CDE and other networks (including any wireless networks), plus an accurate diagram of how cardholder data flows across your systems and networks. Keep both diagrams current as the environment changes; an assessor will compare them against what is actually deployed.
- Inventories. As you know from defining your CDE, an inventory of all in-scope components is critical, and 3.0 makes maintaining one an explicit requirement. You'll need to include security services and segmentation systems, virtualization and network components, and server types; all internal and external applications should be in the mix as well. Record what each component is for (its purpose and function), and identify the relevant personnel, such as employees who process cardholder data or have access to cryptographic keys. Finally, remember this isn't a one-time obligation: your inventory must be accurate at all times, so tie it to your change-management process rather than rebuilding it before each audit.
- Policies and Procedures. Here we’re talking specifically about your compliance policies, which are high-level statements concerning a particular area, and the procedures you implement to carry out those policies. Why does PCI ask for these? Because they want you to show that you understand the intent of PCI controls and have successfully implemented them within your environment.
- Pen testing. We've talked about the importance of pen testing to validate your new controls. You guessed it, this is something else you'll need to document. Be warned that 3.0 requires you to develop and document a penetration testing methodology, based on industry-accepted approaches, that covers the entire CDE perimeter and critical systems at both the network and application layers. If you rely on segmentation to reduce scope, the testing must also confirm that the segmentation controls actually isolate the CDE. Provide this methodology to whoever will conduct your pen testing, and keep the resulting reports and remediation records as evidence.
- Risk assessments. Hopefully you know just how important risk assessments are, but here's a quick primer anyhow. Start by documenting how your organization handles cardholder data, then identify the assets involved and the threats to them. After you've catalogued the threats (including natural disasters, malicious human attacks and environmental threats), assign a risk level to each by assessing the likelihood of the threat occurring and the severity of its impact: the number of people affected, the cost of the impact, and the damage to your brand reputation. Finally, create and implement mitigation strategies for the risks you've ranked. PCI DSS expects this to be a formal, repeatable process performed at least annually and after any significant change to the environment, so the written methodology and the results of each iteration are both part of your evidence.
How does this relate to your PCI documentation? In addition to strengthening your security posture, a good risk assessment will generate much of the documentation PCI wants you to provide. Basically, by conducting a risk analysis, you’ll kill two security birds with one stone.
Well, that's a quick overview of documentation. For the full story, check out our recent webinar, "PCI 3.0 – Documenting Your Compliance." We'll share additional guidance on making your documentation go as efficiently as possible and provide further detail on exactly what you need to document. Hope to see you there. Until then, stay secure.