How To

PCI Level 1 Tips

PCI Level 1 Certification – 5 Tips to Pass On Your First Attempt

PCI Level 1 compliance is required of any merchant processing more than 6 million card transactions annually, of any merchant that has suffered a security breach, and of anyone Visa or MasterCard chooses to add. 85% of IT teams fail to pass PCI Level 1 compliance on their first attempt. Time is usually ridiculously short, and the teams are frustrated by any number of faults left by previous developers. If you require PCI Level 1 you probably already know you need to start with a Qualified Security Assessor (QSA). We used ControlScan and were quite satisfied. This article shares our tips for success at PCI Level 1 certification.

Back in 2015 E7 Systems had the responsibility to achieve PCI level 1 compliance for an operational system doing 10,000 transactions a day. The system as we found it was not compliant. Three months and 415 billed hours later, our client had their certificate and was free to continue operating. Here’s how we passed on our first try.

If you are running a PCI Level 1 system from your own office data center, every physical, facility, and hardware control is yours to implement and prove. Unless you operate at Amazon's scale, host with Amazon Web Services instead. AWS has excellent up-time, and it provides an Attestation of Compliance (AOC) for PCI DSS covering its facilities and underlying hardware, which removes those controls from your scope. Everything you build on top of it (instances, network configuration, keys, access controls, logging) remains your responsibility and stays in scope.

Scope is king. Move everything you can away from your cardholder data. Every system that stores, processes, or transmits cardholder data is in scope. Every system, including a developer's PC, that connects to an in-scope system is itself in scope. Therefore you cannot administer PCI Level 1 servers directly from your laptop at an airport. You must establish hardened "bastion" (jump) hosts as the only administrative path into the environment, so that your PC stays out of scope. The bastion itself is in scope, so lock it down, allow connections only from known addresses, require multi-factor authentication, and log every session.
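The scope rules above can be checked mechanically. The following Python script is an added example, not code from the original article or from E7 Systems: it runs over a constructed inventory of hosts and security-group ingress rules and flags (a) any in-scope host that accepts SSH or RDP from anywhere other than the bastion's security group, (b) a bastion exposed to the whole internet, and (c) hosts that are connected to the in-scope environment but have not been declared in scope. The host names, security-group ids, and the office CIDR are hypothetical, and the one-host-per-security-group model is a simplification.

```python
"""Added example: PCI scope check over a constructed host/security-group inventory.

Not E7 Systems' code. Host names, security-group ids and CIDRs are hypothetical;
real accounts map many hosts to one security group, so treat this as a model.
"""
from dataclasses import dataclass, field

ADMIN_PORTS = {22, 3389}          # SSH and RDP: interactive administrative access
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "open to the internet" sources


@dataclass
class IngressRule:
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a security-group id such as "sg-app"


@dataclass
class Host:
    name: str
    security_group: str
    in_scope: bool                 # what the owner has declared, to be verified below
    ingress: list = field(default_factory=list)


BASTION_SG = "sg-bastion"          # hypothetical id of the bastion's security group
OFFICE_CIDR = "203.0.113.0/24"     # hypothetical fixed office egress range

# Constructed inventory for the example.
HOSTS = [
    Host("bastion", BASTION_SG, True, [IngressRule(22, OFFICE_CIDR)]),
    Host("app-01", "sg-app", True, [IngressRule(22, BASTION_SG), IngressRule(443, "sg-lb")]),
    # db-01 still allows direct SSH from the internet: a developer laptop could reach it.
    Host("db-01", "sg-db", True, [IngressRule(22, "0.0.0.0/0"), IngressRule(5432, "sg-app")]),
    # lb-01 is marked out of scope but can reach app-01, so it is connected to the CDE.
    Host("lb-01", "sg-lb", False, [IngressRule(443, "0.0.0.0/0")]),
    Host("ci-runner", "sg-ci", False, [IngressRule(22, "0.0.0.0/0")]),
]


def admin_path_violations(hosts, bastion_sg=BASTION_SG):
    """In-scope hosts other than the bastion may accept SSH/RDP only from the
    bastion's security group. Returns a list of (host, port, source) offenders."""
    found = []
    for h in hosts:
        if not h.in_scope or h.security_group == bastion_sg:
            continue
        for r in h.ingress:
            if r.port in ADMIN_PORTS and r.source != bastion_sg:
                found.append((h.name, r.port, r.source))
    return found


def bastion_violations(hosts, bastion_sg=BASTION_SG):
    """The bastion is the one sanctioned entry point; its admin ports must be
    limited to known source ranges, never to the whole internet."""
    found = []
    for h in hosts:
        if h.security_group != bastion_sg:
            continue
        for r in h.ingress:
            if r.port in ADMIN_PORTS and r.source in ANYWHERE:
                found.append((h.name, r.port, r.source))
    return found


def undeclared_in_scope(hosts):
    """Propagate scope along connectivity: any host whose security group is an
    ingress source for an in-scope host can reach the CDE and is therefore in
    scope itself. Returns the names of hosts that are connected but were
    declared in_scope=False."""
    by_sg = {h.security_group: h for h in hosts}
    declared = {h.name for h in hosts if h.in_scope}
    in_scope = set(declared)
    changed = True
    while changed:              # fixed-point iteration over the connectivity graph
        changed = False
        for h in hosts:
            if h.name not in in_scope:
                continue
            for r in h.ingress:
                src = by_sg.get(r.source)
                if src is not None and src.name not in in_scope:
                    in_scope.add(src.name)
                    changed = True
    return sorted(in_scope - declared)


if __name__ == "__main__":
    print("direct admin paths into the CDE:", admin_path_violations(HOSTS))
    print("bastion open to the internet:   ", bastion_violations(HOSTS))
    print("connected but not declared:     ", undeclared_in_scope(HOSTS))
```

On the constructed inventory the script reports `db-01` (SSH open to the internet), a clean bastion, and `lb-01` as a host that must be brought into scope or disconnected from `app-01`. In a real account you would build `HOSTS` from the cloud API's instance and security-group listings instead of typing them in.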

When faced with a daunting task, don't dive in. Look for a way around. Since we only had 90 days, we were forced to be creative. For example, some of our developers worked from home offices. There was no practical way to get their home facilities certified PCI Level 1 compliant. Our solution was to move the developers onto cloud-based workstations on AWS, where the facilities were already covered by AWS's compliance attestation and we could centrally manage antivirus and software updates. The workstations are still in scope, but they are now inside the compliant environment and under our control.

Engage your Qualified Security Assessor (QSA, the auditor) as a constructive partner in finding the creative solutions you need to pass. We managed a network of ATMs. Many of them still ran on Windows XP. After a day of back and forth with the QSA, we were able to remove them from scope, as they were technically owned by the venues where they resided. Be persistent, respect the QSA's expertise, and you will find a valuable partner.

Dedicate at least 3 people to your PCI project. Our first try for PCI Level 1 required us to make major architectural changes to the system and its security. We had to upgrade operating systems and certificates; add log aggregation, automated alerts, and audit trails; write policies and procedures; and meticulously document everything. So you should dedicate 3 types of people: a big-picture/negotiation lead, a tech guru (or two), and an amazing security librarian to keep everyone on track and prove that it got done.

Finally, know that PCI Level 1 only protects cardholder data. PCI Level 1 compliance is not a complete security policy. Other kinds of personal financial data are more attractive to attackers and much harder to clean up after than issuing a new credit card. Be certain to protect all of your customers' data with the same energy you put into PCI Level 1 certification.

Project Rescue Professionals

Software Project Rescue Depends on Process

Project Rescue Process:

Do you know anyone with an overdue software project? Perhaps they have spent their entire budget and more. The deadline is right around the corner, but still no working software. Distressed or failed projects are all too common. ZDNet reports that 2 out of 3 IT projects fail.

E7 Systems is frequently called upon for project rescue. One E7 client had spent over 2 million dollars and still did not have a reliable system, until they called us. About half the projects we take are project rescues. With the help of an amazing team, we have delivered on every one of these.

Our proven process for project rescue is based on this 5 step program to rescue a failing hardware or software project.

1. Review the Scope
The number one reason projects fail is that requirements were poorly understood by client and developer. We validate the functional requirements before we begin to ensure no work is wasted. We also review requirements driving the deadline. Frequently we can buy more time for the project by satisfying the needs behind the original deadline. Finally we always review the scope vs. budget. Since most of the original budget may already be spent, it is crucial to review what we are trying to accomplish and at what investment. Reaching shared understanding and consensus on the scope is essential to all the work that follows.

2. Address Risk with Spikes
Spikes are essential to project rescue. We don't have a moment to lose, so it is essential that any roadblocks are encountered and dealt with early. A spike delivers just enough code to prove that the unproven algorithm, hardware component, or external system can be connected to and integrated. When roadblocks are encountered early, we have maximum leeway to solve the issue. Spikes normally take about 3 person-days per risk item, a sound investment on any serious project.

3. Build Roadmap Consensus
Concurrent with the spikes, we detail the deliverables for the project in terms of tasks which should take no more than 2 days. This roadmap should communicate to both the client and developers and is the basis for future project management and execution. All billing should refer to roadmap items. No item should be so large as to allow it to get bogged down without being noticed.

4. Develop with Agile
Project rescues absolutely require agile development. Recovering a project in trouble presents all the risks (schedule, requirements, communication) that agile was designed to address. Working in 2-week sprints, we make frequent deliveries and demonstrations to elicit customer feedback. This ensures that we stay on track and preserve well-informed customer expectations.

5. Release Frequently to Production
Frequent releases will accelerate your return on investment. More importantly, frequent production releases are the only way to get 100% validation of requirements. In many industries, like restaurants, the only way to determine the suitability of a system is in the heat of battle. Until a waiter has survived a busy happy hour with the new POS system, all requirements are just educated guesses.

Project rescues have massive challenges: tight deadlines and suspect requirements. Perfect planning is impossible. We strive to communicate and create a shared understanding of goals and challenges. Our frequent demos and releases help restore our client's faith in developers. Above all, we employ the principles above to aggressively drive risk and waste out of the effort.

We have helped to create over one hundred million dollars in enterprise value through project rescue. Please don't slide even one more day. To see how we can help your distressed project, please contact E7 Systems today.
