PCI Level 1 compliance is required of any system processing more than 6 million card transactions annually, any system with a previous security breach, and anyone VISA/MC chooses to add. 85% of IT teams fail to pass PCI Level 1 compliance on their first attempt. Time is usually ridiculously short and the teams are frustrated by any number of faults left by previous developers. If you require PCI Level 1 you probably already know you need to start with a Security Services Provider. We used ControlScan and were quite satisfied. This article shares our tips for success at PCI Level 1 certification.
Back in 2015 E7 Systems had the responsibility to achieve PCI level 1 compliance for an operational system doing 10,000 transactions a day. The system as we found it was not compliant. Three months and 415 billed hours later, our client had their certificate and was free to continue operating. Here’s how we passed on our first try.
If you are running a PCI level 1 system from your office data center, you had better be Amazon. If you are not Amazon, then host with Amazon Web Services. AWS has the highest up-time and they provide you with an attestation of PCI Level 1 compliance for their facilities and hardware, thus reducing your scope.
Scope is king. Move everything you can away from your account holder data. Every system that handles cardholder data is in scope. Every system or developer’s PC that touches an in-scope system is itself in scope. Therefore you cannot access PCI Level 1 servers from your laptop at an airport. You must establish secure “bastion” machines, so that only the bastion touches the in-scope systems and your PC stays out of scope.
When faced with a daunting task, don’t dive in. Look for a way around. Since we only had 90 days, we were forced to be creative. For example, some of our developers worked from home offices. There was NO practical way to get their facilities certified PCI Level 1 compliant. Our solution was to have the developers move to cloud-based workstations on AWS, where we had certified facilities compliance and could easily manage antivirus and software updates.
Engage your Qualified Security Assessor (QSA, the auditor) as a constructive partner in finding the creative solutions you need to pass. We managed a network of ATMs. Many of them still ran on XP. After a day of back and forth with the QSA, we were able to remove them from scope, as they were technically owned by the venues where they resided. Be persistent, respect the QSA’s expertise, and you will find a valuable partner.
Dedicate at least 3 people to your PCI project. Our first try for PCI Level 1 required us to make major architectural changes to the system and its security. We had to upgrade operating systems and certificates; add log aggregation, automated alerts, and audit trails; write policies and procedures; and meticulously document everything. So you should dedicate 3 types of people: a big-picture/negotiation lead, a tech guru (or two), and an amazing security librarian to keep everyone on track and prove it got done.
Finally, know that PCI Level 1 only protects cardholder data. PCI Level 1 compliance is not a realistic security policy by itself. Other kinds of personal financial data are more attractive to hackers and much harder to clean up than getting a new credit card. Be certain to protect all of your customers’ data with the same energy you put into PCI Level 1 certification.