Your company is required to have a full Payment Card Industry (PCI) Qualified Security Assessor (QSA) Onsite Assessment that will produce a Report on Compliance (RoC) for you to provide to your acquirer. Maybe you’re a Level 1 merchant, maybe you’ve been classified as a high risk merchant due to transaction size, maybe you’ve had a previous breach, or maybe you’re just a service provider that is trying to be proactive. Whatever the case may be, you are about to undergo an annual QSA Onsite Assessment.
Regardless of whether it’s your first time or your fifth time, these engagements can be nerve-racking as you’ve got to open your doors and invite an assessor in to go through your entire PCI environment, in detail. There’s nowhere for the skeletons in the closet to hide because this assessment is going to not only involve asking you questions about your processes, but it also goes a step further and requires you prove it, validating that the supposed security controls are in place and effective.
To help you prepare for this process and hopefully make it run more smoothly for everyone involved, we’ve put together a cheat sheet for you to run through prior to a QSA onsite assessment beginning. This list is not exhaustive and is presented in no particular order. It simply contains a lot of the things we’ve seen organizations miss or struggle with in the past with the hopes of helping ease your stress if you know what to expect for these assessments.
Double check your scope and the associated documentation. This should include all your asset inventories, physical location lists, network diagrams, etc. These artifacts drive the rest of the assessment and will be used to determine sampling groups for control validation. If your assessor finds something that should be in-scope but it isn’t included in this documentation, there’s likely going to be some extra scrutiny and you’re probably going to have a bad day.
Gather up all of the required policy/procedure documentation well ahead of the actual assessment. Once you’ve got everything in one place and are ready to provide it to your assessor, double check that all of this documentation is up-to-date, has been reviewed/updated/approved within the past calendar year, accurately reflects your current processes, and meets all applicable PCI requirements. It’s always a good idea to match up your policies with the actual PCI DSS requirements at least once, also, since this is basically what an assessor will be looking to check off when filling out the ROC.
Make sure hardening has been performed on all in-scope hosts, servers, and devices. Start looking through in-scope systems and make sure your published hardening standard has been applied to all these systems, the right GPOs are being applied, the latest patches have been applied, etc. Don’t forget your network devices too! This is a great opportunity to double-check that no systems have missed the hardening process and no accidental misconfigurations have been introduced over time, such as cleartext authentication or default credentials.
4. Security Controls
Besides hardening, you want to make sure all your ancillary security controls are applied and active for all in-scope systems. This includes your antivirus solution (for Windows workstations/servers), centralized logging system (SIEM), file integrity monitoring (FIM) solution, host-based IDS/IPS, etc. Anything that you are using to meet PCI requirements needs to be installed, active, and properly configured on any systems an assessor may want to validate.
5. Security Testing Results
Gather the results of all your required security testing for PCI purposes. This should be your quarterly vulnerability scan results and any re-scans, your annual penetration testing results (both internal and external) and any retesting results, your semiannual segmentation validation (if required), your web application assessment results for in-scope, custom-developed applications (if you don’t have a web application firewall in place), and the results of your quarterly rogue wireless access point checks.
6. CHD Storage
You should always be on the lookout for any accidentally stored cardholder data (CHD) or CHD stored outside of approved locations within your network (or physically within the organization). But it’s especially important if you want to avoid any surprises during a PCI QSA onsite assessment. The quickest way to fail an onsite assessment is the presence of electronic CHD storage when there’s not supposed to be any, the storage of CHD outside of approved locations that unintentionally expands your scope, or the storage of sensitive authentication data (SAD), which is never permitted.
7. Physical Security
Perform your own physical security walk-through prior to your onsite assessment. Check that all your physical security controls are in place during this time, such as visitor logs, visitor badges, etc. Additionally, look for dangerous habits or breaches of security, like propping a datacenter door open for a long time, unescorted visitors around the premises, and visitors permitted entry without badges. Finally, take some time to prep the personnel who are the front lines of your physical security. This should include your front office secretaries, your security guards, your datacenter admins, any relevant employees, etc. It never hurts to remind everyone of the security controls you have in place to meet PCI and the importance/relevance of these controls.
8. Employee Training
Provide some refresher training for employees. Talk to your employees (especially the ones most likely to be in front of the QSA performing your assessment) and prep them for this interaction. Remind them of the security awareness training they undergo, where the relevant policies/procedures live, what their responsibilities are when it comes to compliance, etc. This will help make the QSA onsite assessment go more smoothly and could even result in less scrutiny from the assessor if they perform well during interviews.
9. Accounts, Groups, and Permissions
Take some time to review accounts, groups, and permissions related to your PCI environment. You always want to adhere to the principle of least privilege from a security perspective. But this is a great time to check on your provisioned accounts to make sure there aren’t any inactive accounts that haven’t been disabled/removed, there are no generic/shared accounts present in Active Directory, or unnecessary members in administrative groups. Make sure the least number of people possible have access to CHD.
10. Change Tracking
Verify your change control documentation and tracking system is up-to-date and meets all PCI compliance requirements. This applies to network changes, firewall/router changes, and any custom development efforts. You want to be sure that you’re tracking all changes with an adequate level of documentation, those change requests are being reviewed/approved, and the changes match what’s actually happening in your environment.