Chapter 10 How to Plan a Project to Meet Compliance

Solutions in this chapter:

  • Justifying a Business Case for Compliance
  • Bringing all the Players to the Table
  • Helping to Budget Time and Resources
  • How to Inform/Train Staff on Issues
  • Where to Start: The First Steps
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Introduction

You have determined that your organization needs to comply with the Payment Card Industry (PCI) Data Security Standard (DSS) and, looking at the requirements, you are not sure where to start. Should you jump in and go through the 12 PCI DSS requirements one at a time, ensuring that each requirement is in place, or should you first figure out at what level you need to comply? How will you make sure that your fellow associates are on board with the changes you are proposing so that you can comply with PCI DSS in an efficient manner? How will you make the compliance effort come together? After putting the plan together, how will you ensure that your fellow associates have the training and information in front of them to help keep your company from falling out of compliance? Putting together a comprehensive project plan will allow you to manage your compliance project efficiently and, in the end, achieve PCI DSS compliance.

This chapter will answer your questions about how to achieve compliance. You will learn how to justify putting in the effort and figure out if you need to comply at all. Once you know you have to comply with PCI DSS, we will help you bring all the players to the table to help build and enforce the compliance plan. We will give you tips on how to budget your time and resources so that you can achieve compliance quickly. Once you have your plan in place, you will need to get the message out to your staff and ensure they receive the right training to make sure your organization does not fall out of compliance. By the end of this chapter, you should have a clear plan on where to start with your own PCI DSS compliance efforts and the steps you will need to plan a project to meet compliance.

Justifying a Business Case for Compliance

One of the first steps of any compliance plan is to justify putting in the effort. You must first figure out if you need to comply with the PCI DSS regulation and also figure out if you have any overlap from other compliance plans that are already in place. Once you know compliance is a must, you need to figure out at what level you need to comply. PCI DSS compliance comes at four different levels and the requirements of compliance you need vary based on that level. The biggest question should be what is the cost of non-compliance. Compliance with the PCI DSS is mandatory. If you are not compliant you could be hit with fines and your credit card processing services could be terminated. That fact alone should help you justify putting in the effort.

Figuring Out If You Need to Comply

Your first step with any compliance effort should be figuring out whether you need to comply with a regulation, so that you don’t waste a lot of time putting in measures that you are not required to have. Once you have figured out which requirements you need to comply with, it will help bring management and others on board to help you with the effort.

NOTE

To help your organization determine how many new policies and procedures you will have to put in place to become PCI DSS compliant, the Self-assessment Questionnaire should be completed in the early part of planning your compliance project. The Self-assessment Questionnaire is a good tool to help demonstrate what compliance you already have in place and will spell out what you need to do to become compliant. The self-assessment questionnaire can be downloaded from the PCI Security Standards Council Web site at www.pcisecuritystandards.org/tech/supporting_documents.htm.

Compliance Overlap

Once you determine that you have to comply, you need to look at what other compliance plans you have in place to see how you can leverage the investment you already made, which should help fast track your PCI DSS compliance plan. In the world of security regulations dealing with the protection of data, there is overlap (as shown in Figure 10.1) as most of the regulations are simply good business practices to have in place. So pull out your Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Sarbanes Oxley (SOX) compliance plans, and figure out which components you can reuse for your PCI DSS compliance plan. You might find that you are already in compliance, but need to document that the measures you have in place are consistent with the PCI DSS regulations.

Figure 10.1 Regulatory Compliance Overlap

Leveraging Compliance Overlap

To figure out how to leverage your other compliance efforts, the best place to start is to set up a meeting with the team leaders from that project. You need to get an idea of how the project went and how management accepted it. The main point is to find out what the other teams have done in their compliance effort and see what elements you can bring over into your PCI DSS compliance plan. For example, HIPAA and PCI DSS both have rules regarding encrypting data. Can you use your encryption policy and procedure from HIPAA for PCI DSS compliance? That answer will come as you talk to your HIPAA compliance team leaders and review the policy and procedure to see if it already fits the PCI DSS encryption requirement. Your company policy for HIPAA compliance should mandate that you have encryption in place as you transmit protected health information across public networks like the Internet. Requirement four of PCI DSS states that you need to encrypt cardholder data as it transmits across public networks. In this case, you do not need to recreate the wheel; you might just need to reclassify what type of data is required to be encrypted. Any efforts spent in leveraging your existing regulatory compliance will help to shorten the time it will take for you to become PCI DSS compliant.

The Level of Compliance

Now that you are on your way to planning your compliance project for PCI DSS, you need to figure out at which level you need to comply. Unlike other regulations that present you with an all or nothing stance on how to comply, PCI DSS compliance is based on how many credit card transactions a merchant processes. The more transactions that are processed the stricter the compliance plan will have to be.

For most organizations, compliance consists of passing a network security scan and completing a self-assessment questionnaire. If you process transactions in the millions, you will need to be certified as PCI DSS compliant by a certified vendor. To help you determine what level your organization is at and what the compliance requirements are, see Table 10.1.

Table 10.1 PCI DSS Levels and Compliance Requirements

What is the Cost for Non-compliance?

The question that should be answered during your justification process is what the cost is for not complying with PCI DSS. In all cases, the cost of non-compliance far outweighs the cost of being compliant. Can your organization afford the fines and penalties, bad media press, and damage to its reputation?

In some cases when dealing with risk, you can look at what that risk is and deal with it in different ways. The options are to resolve the issue, transfer the risk, or ignore the risk. The way PCI DSS spells out its 12 requirements, the only way to truly deal with them is to resolve the issue or transfer the risk. Transferring the risk might mean that you outsource or bring in a managed service to deal with that requirement; therefore, when you transfer the risk you are still dealing with it indirectly. Ignoring the risk in PCI DSS is not an option, because as you fill out your self-assessment questionnaire, if you answer no to any question, you are non-compliant. If you have a breach of data and auditors are brought in to verify your compliance, your penalties could be steep.

Penalties for Non-compliance

When your organization is found to be out of compliance with PCI DSS, the penalties can be severe. In some cases, the organization could be forbidden to store, process, or transmit credit card information. If you run a retail store, think of the impact of not being able to process credit cards. This could cost you your business. Financial penalties and deeper audit requirements could also result. With the advent of new privacy laws in different states, you might be required to notify your customers of a breach and also provide them with additional services such as credit monitoring services. Once notifications go out, your organization’s reputation could be dragged through the media. Looking at what it takes to comply, it should be easy to see how and why you need to put together your PCI DSS compliance plan.

Bringing All the Players to the Table

Once you have justified your compliance effort, it is vital that you bring all of the players to the table to ensure that a successful project will take place. You need the correct corporate sponsorship, otherwise senior management could reject any plan you put together. You need to look at your organization from the top down and identify each of the key people that are necessary to put the plan together, which will form your compliance team. You need to identify the key members of your team to tackle components of the compliance plan and keep the project moving.

Compliance plans can be won or lost based on the participants you bring in to help you with the project. It is vital to bring the correct people to the table as you need to be swift in putting your plan together. Look hard at the people you bring into your team, as they will either make putting together the compliance plan a success or a failure. Remember what non-compliance can bring; failure is not an option.

WARNING

Be sure to get a good understanding of the current workload of the members you would like to invite to be a part of your compliance team. Many times, people are enthusiastic to be a part of a new project, but realistically they do not have the time to work on it. What ends up happening is that team members miss meetings and/or deadlines, which will put a damper on your compliance project.

Obtaining Corporate Sponsorship

Management sponsorship is the critical success factor for any compliance effort. If senior management does not support the process, support from the staff will also be lacking. Why should they comply if their manager is not in compliance? As the leader of your compliance effort, you need to first work with your senior managers to make them aware of the issues and help them understand the justification for why you need to comply with PCI DSS. Make them understand the cost of non-compliance, and they will back you as soon as they realize that the company could be in jeopardy for not complying. Start at the top, because the sooner you gain support from the CEO, the faster you will get support from the Vice President and other senior management.

TIP

Try to schedule a lunch meeting outside of the office with the company CEO or other senior manager, where you would have his or her full attention, devoid of any distractions. Help him or her to understand the cost of noncompliance.

Attempt to get a senior manager on your compliance team. When other employees in the company hear that he or she is part of the team, the entire project will get more support, which will help drive home the fact that the compliance effort is vital for the organization.

Forming Your Compliance Team

Your compliance team is the focal point of your compliance project and is responsible for the success of the project plan. The best time to create your team is after you have received corporate sponsorship. Many times people who heard about the compliance project from a manager and want to participate will approach you. You need to get a good mix of people on the team to make the most impact. The PCI DSS has 12 requirements that can touch different departments in your company, so be sure to include at least one person from each of those functional areas. For example, PCI DSS requires you to build and maintain a secure network; therefore, if you do not get a team member involved from networking you cannot be sure that a firewall is installed or maintained going forward.

Roles and Responsibilities of Your Team

Your compliance team will help set the pace and scope of your compliance project. The selection of participants will make the project a success, but it is important to make it clear from the beginning which team member will be doing what by assigning roles and responsibilities to your team members. You will need your team to assist in the following ways:

  • Work with managers and other team members to set the scope of the compliance project
  • Select leaders for each of the areas where you need compliance
  • Analyze information needed for the compliance plan
  • Work with senior management to ensure that the end result is compliance

Getting Results Fast

The best way to ensure a successful project and gain respect from all levels of your organization is to get results fast. As you are putting together your compliance plan, you need to identify some low-level compliance issues and have your team tackle those first. People want to see results, and the faster you can show them results the more confidence they will have in the project. If it takes you months to get the first item addressed, people might wonder if the organization will ever be compliant and actually become complacent about the compliance effort as a whole. It could derail all of your efforts up to this point. Getting some results early on keeps the momentum and support moving in a positive direction for your entire project.

Notes from the Underground …

Bob’s First Compliance Team

To give you a good example of how important it is to select the right team members, here is a real-world story of the first time “Bob” was on a compliance team.

I was approached by my manager to help with the compliance effort, as he felt that my knowledge would be an asset to the team. The team leader sent out a meeting request for the ten team members and I was excited to help make a difference in my organization. I showed up at the first meeting on time and ready to do what was necessary even if it meant having to put in overtime to get the job done. That first meeting did not go so well. The team leader was ten minutes late and only half of the team members showed up for the meeting.

Talking during the meeting, it was clear that none of the other senior managers had been briefed on the compliance project and some even wondered if we needed to comply with these new laws. Senior management support wasn’t there, but the team leader knew we had to get in compliance or we would be in trouble. When I asked about the missing team members, the team leader thought that it was probably due to the lack of support from upper management.

After weeks of meetings, false starts, and many extra hours, we finally had senior management involved and then the wheels started to turn. The entire team showed up for a meeting for the first time, and we basically had to start over from the beginning. However, it was apparent that we did not have the right people for the team as the areas we were trying to become compliant in were not represented.

After a few more weeks, the right people did get involved with the team, and we still had senior management support. The project took off like a wildfire. We did a gap analysis, figured out what we needed to tackle, and hit the ground running. After months of trying to put the team together, once we had the team in place we were able to knock out the entire project in three weeks. Just like the expression about needing the right tool for the right job, you definitely need the right team for any compliance project you are attempting to pull off.

Helping to Budget Time and Resources

In order for your project to be a success you need to ensure that it is managed correctly and that it does not take too long to complete. Just as it was important for your team to get some results early on, you must continue to make sure that you set expectations, goals, and milestones. Figure out early on how you will manage the time and resources of your team and you will have a successful compliance project.

Setting Expectations

Setting expectations is a key factor when budgeting time and resources with your team. From the first stages of your compliance project, your team needs to know what to expect from you, other team members, and management. If this is a priority one project, the team needs to know that all other tasks are secondary until the compliance plan is in place. You also need to be sure you set the right expectations with management about what they should expect about the compliance plan.

Management’s Expectations

Knowing from the beginning what management expects out of this effort should be one of your first tasks. Before you bring the team together, you should talk to senior management to make sure you understand what they expect out of the project and that you understand the timeline in which the project must be done. Also, be sure to understand the criticality of the compliance effort to the organization, as that will help you get a pulse on the project itself.

Once expectations of the compliance project are in place and management has signed off on these expectations, you need to document them and share them with all of the members of your team. By having all of the team members of the compliance project working with the same set of expectations, you are one step closer to having a successful project. If management feels the project needs to be done in four weeks but the team actually needs eight weeks to complete the tasks, be sure to set the correct expectations.

Establishing Goals and Milestones

Once a timeline is in place, it is important to set goals for the team on when key items should be complete. You want to make it very clear when project items are due and when parts of the compliance plan need to be in place.

Start by listing the goals of the project and assign those goals to team members. Make it clear when goals need to be met, as some will have prerequisites that must be finished before you can move on to the next task. Having goals in place will keep the project moving in the right direction. Set up milestones for success and publish your plan for everyone involved to keep up with what is complete.

A good way to keep your time and resources managed is by using project planning software such as Microsoft Project, which allows you to create Gantt charts that map resources to goals (see Figure 10.2). Gantt charts give you a way to easily report on your compliance project. If an item slips or is completed early, the chart will adjust and keep your project in line with the project timeline.

Figure 10.2 Example Gantt Chart

Having Status Meetings

The key to keeping your project on time is to have weekly team status meetings. The meetings should include your compliance team members and each should be prepared to report on what they have accomplished in the past week and what they will be working on in the next week. These meetings also give team members a chance to compare notes and bounce ideas off of each other if they are stuck on a problem.

You should also have status update meetings with the senior management team on a regular basis. Depending on the length of your project, the meetings should be, at a minimum, once a month. During these meetings you can go over your goals and milestones and show how the project is moving along. It will also give the senior managers a chance to give their input on the project and reinforce the support you need from them.

Be prepared to hand out copies of your working project plan Gantt chart. It will give a clear picture to your senior management team of where you are in the process and who is working on what issues. It is a good idea to send these charts to the managers beforehand to give them time to review the progress so that they can determine the guidance and support you will need.

How to Inform/Train Staff on Issues

Training can make or break any compliance project. You need to make sure from the first meeting that there is a training component, so that all members know how the project will run and have all the necessary information to move forward with their part of the compliance project. Also, when your compliance program is in place, you need to make sure that part of that program includes training. Many of the PCI DSS requirements require that you maintain the control after it has been put in place. The only way to do this is through a series of reminders and recurring training classes for your organization’s employees. Having a training program in place from day one will go a long way in keeping your organization compliant after you have completed your compliance plan.

Training Your Compliance Team

When your compliance team meets for the first time you should divulge common information to all members. Items should include:

  • An overview of the PCI DSS
  • An overview of the PCI DSS compliance effort for your organization
  • Why your organization is going through the process
  • A review of the project plan itself at a high level to share goals and milestones
  • A review of any elements the team might be submitting (i.e., how a policy should be written or status reports)

Training your compliance team will help to spell out how to accomplish putting the plan together and executing it to make your organization compliant. It will also get all members on the same page about what PCI DSS is and why your organization is going through the effort. You want to remove all myths around the project and level the playing field for your team members, so they can be successful in making your organization compliant.

Training the Company on Compliance

After your project is complete and you deem your organization to be compliant, you need to make sure the rest of the company knows that you need to maintain a level of compliance. You do not want to have a violation in the first week because an employee did not know of the need for compliance.

You need to put together a corporate compliance training program that all new employees go through and that all employees go through annually, which acts as a refresher course and also gives you a chance to present any information that has changed over the past year.

Setting Up the Corporate Compliance Training Program

Be sure to set up your corporate compliance training program as an element of your compliance plan. Get the Human Resources department involved early on in the process, to make sure that all employees of your organization receive the training. Many times you can leverage existing programs (e.g., new employee orientation) by injecting your new hire training program into it.

TIP

Keep your compliance training program upbeat and fun. While security might be boring to most of your employees, it is fundamental to the success of your compliance efforts. One idea would be to have prizes at your training classes and offer them to people who get answers right during a question and answer session. People will be more likely to want to attend the training class if they can win a dinner, movies, or a gift card to any number of retail stores.

The compliance training program is more than just creating a one-time training class for your employees. The following elements should be incorporated for a successful program:

  • Create a new hire training class that all new employees are required to attend. Work with your Human Resources department to see if this training class can be injected into an existing orientation program, or be sure you are a part of the process so your training team is notified about new hires.
  • Create an intranet Web site that outlines key elements from the compliance training so employees have a good source to review information.
  • Create a series of reminders to help keep the compliance effort on the minds of the employees. Good ideas for this are awareness posters, articles in your company’s newsletter, and even compliance days where you can make a fun event around being PCI DSS compliant.
  • Create a recurring annual training program for employees, to make sure they are reminded about what they need to do to comply. The recurring training program can work either as a live training class or a Web-based training class that they can take when time permits. Either way the training is presented, it should be required to keep your organization in compliance.

With the right training programs in place, you can be sure that from the first meeting of your compliance team to the annual recurring training for your associates, your compliance efforts will have a lasting effect on your organization.

Tools & Traps …

Posters as Reminders

One of the greatest tools in any compliance awareness program is the use of posters. With the use of posters you can get the message out quickly.

The posters you put out should have simple messages that grab people’s attention. For PCI DSS compliance simple phrases such as, “Ensure your Anti-Virus is Up to Date” or “Keep all Cardholder Data Under Lock and Key” will get the message to your employees quickly.

Compliance posters are also a great way to get that first big result. You can create and put these posters up in the first part of your compliance planning efforts to give a kick start to the project. When senior managers are walking around the office, they will see the posters and see that you are taking the compliance project seriously.

Where to Start: The First Steps

It can seem like an overwhelming task to put together a compliance plan for PCI DSS. You are probably asking yourself where to start. Who do you get involved? When do you look at the PCI DSS Self-assessment Questionnaire? This section will get you pointed in the right direction and give you the first steps towards getting your organization compliant with PCI DSS.

The Steps

We know what we need to do to plan a project to meet compliance, but when it comes to PCI DSS, what are the specifics you should be looking at to become compliant quickly and efficiently? (For an overview of the steps, see Figure 10.3.)

Step 1: Obtain Corporate Sponsorship

Once you have corporate sponsorship, you will have the backing for all of the steps of your compliance project plan. Be sure to meet with these members of your organization first to get the sign off and acceptance that your company needs to be PCI DSS compliant.

Remember, you need to make sure you get support from the highest level possible in your organization. Getting the backing from senior managers will help to ensure that the rest of the employees will be willing to work with you on getting compliant with PCI DSS.

Step 2: Identify and Establish Your Team

This is a critical step because it could make or break your compliance project. You need to be sure to select your team members from the appropriate areas of your company. Include the business leaders that have to worry about PCI DSS compliance and also the techies in the trenches who are setting up your networks. Having a good mix of key players will help your project succeed.

You should choose leaders for each of the 12 requirements of PCI DSS. If you break up each requirement you will be in a better position to complete your effort in a timely and concise manner. You should also set up a training class during your first team meeting to review what PCI DSS is, why your company has to comply, and the initial plan of what needs to be done to get into compliance.

Step 3: Determine your PCI Merchant Level

You need to know what your PCI merchant level is, which will tell you how you need to comply with PCI DSS. Talk with your team members that are from the business side, and figure out how many transactions you perform. Then refer to Table 10.2 to help you figure out your organization’s PCI merchant level.

Table 10.2 PCI Merchant Levels

Level   Description
1       Any merchant processing over 6,000,000 transactions per year.
        Any merchant that has been involved in a hack or attack that caused a data disclosure.
        Any merchant that PCI determines should be at level 1 to minimize risk to cardholder data.
2       Any merchant processing 1,000,000 to 6,000,000 Internet transactions per year.
3       Any merchant processing 20,000 to 1,000,000 Internet transactions per year.
4       Any merchant processing fewer than 20,000 Internet transactions per year and all other merchants processing 1,000,000 transactions per year.

Knowing your merchant level will set the stage for what exactly you need to do to comply; each level has different requirements for compliance. It is important that you determine this early on in the process, because as you get closer to level one, your compliance effort will take longer and involve more resources. If you are not at level one from the start, you will want to periodically review how many transactions you are processing, especially if you are on the border. If you slip to another level you will also slip out of compliance.

Step 4: Complete the PCI DSS Self-assessment Questionnaire

You need to complete the Self-assessment Questionnaire in one of your first compliance meetings, because the results of the questionnaire will give you clear guidance on how compliant your organization already is or is not with PCI DSS. The questionnaire can be found at the PCI Security Standards Council Web site at www.pcisecuritystandards.org/tech/supporting_documents.htm. If you answer “No” to any of the questions, you are not in compliance. The questions on the questionnaire map directly to the requirements of the PCI DSS. When your organization has completed the questionnaire, it will indicate not only whether you are compliant with PCI DSS, but also what you need to do to become compliant.

Step 5: Get an External Network Scan from an Approved Scanning Vendor

Levels one through three require a network scan from an approved scanning vendor, and it is recommended at level four. It is required that all externally exposed Internet Protocol (IP) addresses are scanned for vulnerabilities. It is also required that you use an external approved vendor, which means performing your own scans will not make you compliant. The PCI Security Standards Council maintains a list of approved scanning vendors at www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm.

At the end of the network scan, the scanning vendor is required to provide you with a report that will show you if your Internet-facing network is PCI DSS compliant. If they discover a vulnerability, they will typically point you in the right direction toward a remedy.

WARNING

You must select your approved scanning vendor from the list that is maintained by the PCI Security Standards Council. If you do not use an approved vendor, any results you have, no matter how good they appear to you or your organization, can invalidate your PCI compliance efforts. Fines and penalties could result if you are found to be non-compliant.

Step 6: Get Validation from a Qualified Security Assessor

Currently, this step is only required if you determine that you are at merchant level one, and it requires that you bring in an external auditor onsite to review your PCI DSS compliance. You will want to engage the assessor to help you with Step 7 below, but on an ongoing basis this is an annual process in which all components that are part of how your company stores, processes, and transmits cardholder data are audited. You need to work with a Qualified Security Assessor (QSA); a list of QSAs can be found at https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm.

Step 7: Perform a Gap Analysis

After your team has gone through the questionnaire results, the network scan results and, if required, the reports from your QSA, prepare a document that lists the gaps in your compliance effort. Your gap analysis document will set the stage for the creation of your compliance plan. To assist with your gap analysis, you should put together a worksheet that lists each requirement, indicates whether you are compliant or not, and records the evidence behind that answer. You can also use the worksheet to initially assign each open requirement to a compliance team member (see Table 10.3).

Table 10.3 PCI DSS Gap Analysis Worksheet

image

image
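The following is an added example, not from the book or Table 10.3, of how the gap analysis worksheet from Step 7 can be built mechanically from the three evidence sources the chapter describes: Self-assessment Questionnaire answers, the approved scanning vendor's report, and any QSA findings. Every input below is constructed for illustration (the question IDs, requirement numbers, hosts, findings and owners are not real data), and two rules are assumptions rather than quotations from the standard: an “N/A” answer is treated as an open gap until a written justification is recorded for it, and a failing external scan finding is charged to Requirement 11 (regular security testing) rather than to the requirement the underlying vulnerability may also touch.

```python
"""Gap-analysis worksheet builder (added example, not part of the book).

Merges constructed evidence from the Self-assessment Questionnaire, the ASV
scan report and optional QSA findings into one row per PCI DSS requirement.
All identifiers, hosts, findings and owners below are made up for illustration.
"""
from dataclasses import dataclass, field

# Constructed SAQ answers: question id -> (requirement it maps to, answer).
SAQ_ANSWERS = {
    "1.1": ("1", "Yes"),
    "1.2": ("1", "No"),
    "3.1": ("3", "Yes"),
    "3.4": ("3", "N/A"),    # N/A with no justification on file: flagged below
    "11.2": ("11", "Yes"),
}

# Constructed ASV findings: (host, title, passed). Only the ASV's own
# pass/fail verdict is carried here; the vendor, not this script, decides it.
SCAN_FINDINGS = [
    ("203.0.113.10", "Outdated TLS configuration", False),
    ("203.0.113.11", "Informational banner disclosure", True),
]

# Constructed QSA findings keyed by requirement (empty if no QSA is engaged).
QSA_FINDINGS = {"3": "Cardholder data found unencrypted in backup export"}

# Constructed owner assignments for the worksheet.
OWNERS = {"1": "Network team", "3": "Database team", "11": "Security team"}

# Assumption: a failing external scan is a gap against Requirement 11.
SCAN_REQUIREMENT = "11"


@dataclass
class GapRow:
    requirement: str
    compliant: bool
    owner: str
    evidence: list = field(default_factory=list)


def build_worksheet(saq, scan, qsa, owners, na_justifications=None):
    """Return {requirement: GapRow}, sorted by requirement number.

    A requirement is non-compliant if any source reports a gap against it;
    a 'No' SAQ answer, an unjustified 'N/A', a failing ASV finding or a QSA
    finding each counts as a gap and is recorded as evidence on the row.
    """
    na_justifications = na_justifications or {}
    rows = {}

    def row(req):
        if req not in rows:
            rows[req] = GapRow(req, True, owners.get(req, "Unassigned"))
        return rows[req]

    for qid, (req, answer) in saq.items():
        if answer not in ("Yes", "No", "N/A"):
            raise ValueError(f"SAQ {qid}: unexpected answer {answer!r}")
        r = row(req)
        if answer == "No":
            r.compliant = False
            r.evidence.append(f"SAQ {qid}: answered No")
        elif answer == "N/A" and qid not in na_justifications:
            # Assumption: N/A must be justified in writing before it counts.
            r.compliant = False
            r.evidence.append(f"SAQ {qid}: N/A without justification")

    for host, title, passed in scan:
        if not passed:
            r = row(SCAN_REQUIREMENT)
            r.compliant = False
            r.evidence.append(f"ASV scan {host}: {title}")

    for req, finding in qsa.items():
        r = row(req)
        r.compliant = False
        r.evidence.append(f"QSA: {finding}")

    return dict(sorted(rows.items(), key=lambda kv: int(kv[0])))


def is_compliant(rows):
    """Overall result: a single open requirement means not compliant."""
    return all(r.compliant for r in rows.values())


def open_gaps(rows):
    """The rows that feed the compliance plan in Step 8."""
    return [r for r in rows.values() if not r.compliant]


if __name__ == "__main__":
    worksheet = build_worksheet(SAQ_ANSWERS, SCAN_FINDINGS, QSA_FINDINGS, OWNERS)
    for r in worksheet.values():
        status = "Compliant" if r.compliant else "GAP"
        print(f"Req {r.requirement:>2}  {status:<9}  {r.owner:<14}  {'; '.join(r.evidence)}")
    print("Overall:", "compliant" if is_compliant(worksheet) else "NOT compliant")
```

Each open row carries the evidence that made it open, so the same worksheet serves as the starting point for the compliance plan in Step 8 and as the record you re-check during the annual revalidation in Step 9.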

Step 8: Create a PCI DSS Compliance Plan

Having completed the steps above, you now have everything needed to create your PCI compliance plan. As we have discussed throughout this chapter, you should bring all of these elements into the plan. Your plan should list the gaps that are standing in the way of your PCI DSS compliance, who owns each one, when it will be closed, and what your organization will do to stay compliant year after year. Once all the gaps are closed, the compliance plan becomes the living document that keeps you compliant and records how your organization maintains its compliance with the PCI DSS.

Step 9: Prepare for Annual Audit of Compliance Validation

In order to maintain compliance, you should start over at step one and repeat the process every year. The good news is that most of the work is already done; you are mainly validating and auditing the fact that you are still PCI DSS compliant, and updating the plan for anything that has changed.

Figure 10.3 Steps to PCI DSS Compliance

image

Summary

Planning a project to meet compliance can be so overwhelming that you could wind up having false starts or not begin the project at all. Your compliance efforts do not have to end this way. By putting together a good compliance project plan, you will have what it takes to make your organization PCI DSS compliant.

From the start of your project, you need to take a close look at why you need to become PCI DSS compliant. Simply figuring out whether you need to comply can save you weeks of time. It is also critical that you determine what merchant level your organization is at. Based on the guidelines set forth by the PCI Security Standards Council, knowing your level will help you justify what you need to do to be considered PCI DSS compliant. If you spend the time and money to validate at level one when you only need to comply at level four, you will have wasted both, because level one validation is far more time intensive and costly. You also need to figure out what non-compliance would cost your organization. Can your organization afford the risk? In all situations this answer should be no.

Once you determine that you need to be PCI compliant and cannot afford the risk of non-compliance, you need to bring all of the players to the table. You will first want to obtain corporate sponsorship and get the backing you need from senior management. The corporate sponsorship process will also help you form your compliance team. Your compliance project starts by getting your team together and beginning the planning process.

It is important that you guide your team in the right direction and help them budget their time and resources effectively. First, you need to set expectations with your team and management about what the compliance effort is all about. At this point, you can set up goals and milestones to help keep the project on a timeline and define when the project should be completed by. It is important to have status meetings with your team and with management during the process, to keep everyone informed and moving forward on the project.

As you start your compliance planning project, make sure that your team members get the correct training by providing an overview of what PCI DSS is and why your organization is going through this compliance effort. You should also train all of the employees in your company in what it takes to be and stay compliant. Setting up a corporate compliance training program will have a lasting effect on your organization, not only in keeping it PCI compliant, but also in keeping your workforce thinking about security at all times.

We also outlined the nine steps you should take to become PCI DSS compliant. If you go through each of these steps you will have a complete compliance effort. Knowing that you are PCI compliant will put to rest management’s fears of non-compliance, which in turn will help make your organization more successful.

At the end of your compliance effort, congratulate the team and encourage them to continue to help keep your organization PCI DSS compliant for as long as your company stores, processes, and transmits cardholder data.

Solutions Fast Track

How to Justify the Effort

  • image Make sure that you are required to comply; otherwise, you might end up more secure as an organization but will probably have wasted a lot of time putting in measures that you were not required to implement.
  • image Figure out what is the level of compliance your organization will have to comply at, to be sure you have all the necessary compliance requirements in place.
  • image Figure out what is the cost of non-compliance and whether or not your organization can justify taking on that risk.

Bringing all the Players to the Table

  • image First gain corporate sponsorship within your organization as your senior managers will provide you with the necessary support to get your company into compliance.
  • image Your compliance team will help set the pace and scope of your compliance project; therefore, the selection of the participants is vital to the success of the project.
  • image As you put your compliance plan together, identify what to tackle first so that you get results quickly and show your team what it takes to get your organization compliant with PCI DSS.

Helping to Budget Time and Resources

  • image From the first stages of your compliance project, your team and management need to know what to expect of the compliance effort.
  • image Establish goals and milestones to keep your team and management on track with the compliance planning processes.
  • image Have status meetings with both your team and management to keep everyone moving forward on the path of compliance. These meetings will help show the progress of what has been accomplished and what is left to accomplish.

How to Inform/Train Staff on Issues

  • image Compliance team training will get all members on the same page about what PCI DSS compliance actually is, and why your organization is going through the effort of compliance.
  • image Set up a corporate compliance training program to make sure your employees understand what it takes to be PCI DSS compliant and stay compliant on an ongoing basis.
  • image Create a recurring annual training program for employees, to make sure they are reminded about what they need to do to keep the organization compliant.

Where to Start: The First Steps

  • image Step one in your compliance planning should be obtaining corporate sponsorship, which will give you the backing you need for the compliance effort.
  • image Depending on the merchant level you are at, perform an external network scan and/or get validation from a qualified security assessor.
  • image Perform a gap analysis early on in your process to determine where you are already in compliance and where you need to do work to get in compliance.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

FAQ

Q: What should be your first step with any compliance effort?

A: Figuring out if you even need to comply.

Q: How should you deal with compliance overlap?

A: Use any other past compliance efforts your company has been through to kick start your PCI DSS compliance effort. You might find that while getting in compliance with SOX you are already in compliance with PCI DSS.

Q: How many merchant levels does the PCI DSS have?

A: Four.

Q: What defines a level one merchant?

A: Any merchant processing over 6,000,000 transactions per year, or any merchant that has been involved in a hack or attack that caused a data disclosure.

Q: What could be the one penalty for non-compliance of the PCI DSS that could put a company out of business?

A: Your organization could be forbidden to store, process, or transmit credit card information.

Q: If senior management does not support the compliance planning process, what can you expect?

A: You can expect the support from the rest of the staff to be in line with senior management.

Q: Why is it important to clearly define the roles and responsibilities of your compliance team members?

A: Your compliance team will set the pace and scope of your compliance project. Selecting the right people from the right functional areas of your organization will make it possible to get your company in compliance.

Q: Why is getting results fast important to your team?

A: Getting some results early on keeps the momentum and support in a positive direction for your entire project.

Q: Why is it important to understand senior management’s expectations?

A: You need to understand the criticality of the compliance effort for the organization, which will help drive the project itself. Knowing the expectations of senior management will lead to a successful project plan.

Q: What is a good way to keep your time and resources managed?

A: Use a project planning tool that allows you to create Gantt charts, which will map resources to goals over time.

Q: What is the importance of status meetings with your compliance team?

A: The status meetings will help keep your project running on time, and give members a chance to compare notes and bounce ideas off each other if they are stuck on a problem.

Q: What is one factor of the importance of training your compliance team?

A: It will help to remove all myths around the project, and level the playing field for your team members so they can be successful in making your organization compliant.

Q: Which department in your corporation should be involved in the training program for your entire company?

A: Human Resources should be involved in the corporate compliance training program, as many times you can leverage existing programs that are already in place, such as new employee orientation.

Q: What is the importance of recurring training for the employees of your organization for any compliance effort?

A: Recurring annual training will make sure that your employees are reminded about what they need to do to continue to comply with your company’s policies and procedures.

Q: What is the importance of the PCI DSS Self-assessment Questionnaire?

A: The results of the questionnaire will give you clear guidance on how compliant your organization already is with the PCI DSS.

Q: What is a gap analysis?

A: The gap analysis is the process in which you take your results from the Self-assessment Questionnaire, the network scan results, and, if required, any reports from the qualified security assessor, and determine the areas in which you need to shore up to become PCI DSS compliant.

Q: What is required by the external network scan by an approved scanning vendor?

A: All externally exposed IP addresses must be scanned for vulnerabilities by the approved scanning vendor, and any vulnerability the scan finds must be corrected and rescanned until the scan passes.
