

A Framework for PCI DSS 2.0 Compliance Assessment and Remediation

By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) 2.0¹ is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.

This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. This paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

Our PCI Compliance Approach

PCI security for merchants and payment card processors rests on the information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).

Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase.² Each phase can be executed independently of the other and is then followed by reporting.

Assessment Phase

In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

• Data gathering (typically three weeks).

• Current state assessment (typically two weeks).

• Gap assessments (typically three weeks).

• Future state roadmap (typically two weeks).

The duration of the assessment phase can differ based on the size of the client infrastructure — the number of devices in the cardholder data environment. Figure 1 shows an example of an assessment-phase plan.

cognizant 20-20 insights | february 2013

PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:

• Network infrastructure.

• Encryption and data protection.

• Vulnerability management.

• Access control.

• Network monitoring.

• Security policies management.

Data gathered is then assessed for gaps across each of these six areas. The gaps in the current “as is” state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve “future” state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:

• Network inventory.

• Software inventory.

• Current state network diagram of the cardholder data environment.

• Inventory of tools and utilities identified.

• Current state policies.

• Gap assessment matrix of PCI controls.

• Best practices followed (if applicable).

• Future state roadmap.

Remediation Phase

During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on the gaps found during the assessment phase. Typical activities during this phase include:

• Planning (typically, four to six weeks).

• Designing (eight to 10 weeks).

• Building (12 to 15 weeks).

• Verifying (14 to 16 weeks).

• Deploying (varies).

• Reassessing for report on compliance (ROC) (eight to 10 weeks).

The reassessment (which includes any final remediation as needed) is conducted in conjunction with an approved third-party assessor (QSA) to obtain a report on compliance. Figure 2 illustrates a remediation-phase plan.

During the planning phase, there are multiple workshops held with a core group of personnel that will include both company resources as well as our consultants.

Figure 1

Assessment Phase Planning (week-by-week plan, weeks 1 to 11): Data Gathering, 3 weeks; Current State Assessment, 2 weeks; Gap Assessment, 3 weeks; Roadmap to Future State, 2 weeks.

Figure 2

Remediation Phase Planning (week-by-week plan, weeks 1 to 46): Plan, 4-6 weeks; Design, 8-10 weeks; Build, 12-15 weeks; Verify, 14-16 weeks; Deploy, varies; Reassess for ROC, 10 weeks.

Overcoming Compliance Issues

There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

• Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).

• Unavailability of the skilled personnel required to both understand and maintain the security of the credit card data environment.

• No experience executing the required activities, either in achieving PCI DSS compliance for the first time or, once compliant, in maintaining compliance over the next compliance cycle.

• Lack of both awareness of industry best practices and experience with the relevant tools that fit the requirements of the company’s environment.

In our experience, we have found that companies end up investing in the wrong tools and wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company’s liabilities.

PCI DSS Compliance Services Benefits

We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.

To execute a PCI compliance program, we provide tools that help all along its entire lifecycle, from planning, to design and build, to testing and through validation.

The key benefits of our PCI compliance framework include:

• The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.

• Our structured, efficient and practical operational implementation of tools and interworkings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.

• Whether it’s a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.

• Implementation benefits result in best-in-class, cost-effective and easy maintainability of PCI DSS compliance.

• On-the-job, environment-relevant training enables organizations to best fit personnel to function.

• Our large pool of experienced consultants across various industry verticals have experience utilizing technology to enable and protect the client’s business.

• Program management capabilities for smoothly managing complex compliance programs.

PCI DSS 2.0 Compliance Work in Action

We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

• Program management for the PCI remediation program.

• Delivery of security tools from design and install to operations.

• Design and architectural expertise across the client’s infrastructure.

• Remediation of all findings during the PCI assessment for ROC activities.

The entire engagement was delivered in 11 months using a team of 21 professionals working with the client’s 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.

Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps implementing 290 PCI controls, but also incorporated the scope change working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 (next page) shows the extent of work accomplished.

Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 (on page 5) illustrates a progress card created each week in pursuit of ROC readiness.

Figure 5 (on page 5) shows how a tracker is used to reveal readiness to attain an ROC.


Figure 3

PCI Remediation System, Device and Process Impacts (Program Accomplishments: PCI 1.2.1 & 2.0 Compliance)

• Tools: 12 newly implemented, 1 modified, 2 phased out.

• Programs: 3 newly implemented, 5 modified, 2 phased out.

• Processes: 30 new process flows created, 3 process flows modified, 4 process flows phased out; 8 project management processes followed; 7 project templates created and used.

• Systems: 8 applications, 40 servers, 9 operating systems and databases, 1,071 POS devices, 1,418 desktops, 300 laptops, 97 client proprietary systems, 850 JBM machines, 1 WCS and 4 jump boxes touched.

• Network devices: 1,039 routers, 3 switches, 89 wireless access points, 2 WLCs, 6 firewalls, 2 content switches, 1,200 modems and 2 VPN concentrators touched; NTP configuration on 1,320 devices.

• Policies, procedures and standards: 11 policies created, 2 policies modified, 1 policy phased out; 21 procedures created, 0 procedures modified; 31 standards created.

• Others: 1,824 stores touched; 10 runbooks created; 37,000 user accounts cleaned; 7 new service implementations and 1 service implementation modified; VA and pen test remediations performed: 149 and 6, respectively; 3 business justification documents created; 885 people given security awareness training; 282 RFCs created; 1,718 anti-virus upgrades; critical security patches applied to 300 devices; hardware encryption in 1,110 stores; MPLS-to-broadband conversion in 16 stores; 1 new vendor contract created and 8 vendor contracts modified; 7 scope reduction work streams; 4 scope increase activities.

Figure 6 (on page 6) highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.

The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: “We were on schedule and under budget by $500K. It was an amazing achievement for the entire team.”

Figure 4

PCI Controls: Weekly Progress (chart of the number of PCI controls, 0 to 300, for each week from 3/27 to 5/22, split into In Place, Assessments, N/A and In-progress).

Appendix

PCI Background³

“Assess” is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. “Remediate” is the process of fixing those vulnerabilities. “Report” entails compiling records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI DSS 2.0 Requirements

PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1: Assess

• The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process, including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitations and where to direct remediation.

• Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.

• Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.

Figure 5

Tracking PCI Readiness for ROC Status (stacked bar per requirement, 0% to 100%, showing the share of controls that are N/A, In-place, In-progress and Not-started; number of controls per group: Comp Control (4), Req1 (25), Req2 (24), Req3 (34), Req4 (9), Req5 (6), Req6 (32), Req7 (7), Req8 (32), Req9 (28), Req10 (29), Req11 (24), Req12 (40)).

Figure 6

Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas (PCI Remediation: Project Timeline Dashboard as of 11-Mar-11; the weekly Gantt columns 2/20 to 4/23 of the original are omitted). Overall: 90% of tasks complete at 2/29, 98% current (3/11) against a 100% plan, variance -2%.

Columns: Workstream | ID | Owner | Start | End | 2/29 Tasks % | 3/11 Tasks % (Current) | Plan % | Variance | Status

Scope Reductions | | | | | 78% | 98% | 100% | -2% |
Scope Reduction Activity A | | Joyce A J | 6/1 | 10/3 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity B | | Michael A | 6/1 | 7/31 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity C | | John G | 1/9 | 3/17 | 100% | 100% | 100% | - | Completed
Scope Reduction Activity D | | John G | 2/27 | 3/19 | 13% | 99% | 100% | -1% | In Progress

Network Infrastructure | 1.1 | | | | 99% | 99% | 100% | -1% |
Firewall Configuration / Routers | 1.1.1 | Anna P | 9/6 | 3/15 | 96% | 99% | 100% | -1% | In Progress
Vendor Defaults | 1.1.2 | John G | 7/13 | 11/15 | - | - | - | - | Completed
System Configurations | 1.1.3 | John G | 8/8 | 11/15 | - | - | - | - | Completed
Password Encryption | 1.1.4 | Pam A | 7/13 | 10/12 | - | - | - | - | Completed

Encryption and Data Protection | 1.2 | | | | 94% | 99% | 100% | -1% |
Data Storage and Retention | 1.2.1 | John G / Anna P | 10/19 | 4/6 | 92% | 99% | 100% | -1% | In Progress
Data Transmission | 1.2.2 | John G / Anna P | 11/8 | 3/28 | 92% | 99% | 100% | -1% | In Progress
Encryption of Keys (PIN, PAN) | 1.2.3 | John G / Anna P | 10/3 | 4/2 | 90% | 99% | 100% | -1% | In Progress
Data Protection | 1.2.4 | Pam A | 8/19 | 3/28 | 98% | 100% | 100% | - | Completed

Vulnerability Management | 1.3 | | | | 95% | 99% | 100% | -1% |
Anti-virus | 1.3.1 | Pam A | 7/18 | 4/3 | 95% | 98% | 100% | -2% | In Progress
Patch Management | 1.3.2 | Pam A | 7/25 | 4/5 | 97% | 99% | 100% | -1% | In Progress
Vulnerability Management | 1.3.3 | Anna P | 10/3 | 4/6 | 93% | 99% | 100% | -1% | In Progress
Software Life Cycle Management | 1.3.4 | Pam A | 6/1 | 4/6 | 92% | 99% | 100% | -1% | In Progress
Web Application Firewalls | 1.3.5 | John G | 9/19 | 2/3 | 99% | 99% | 100% | -1% | In Progress

Access Control | 1.4 | | | | 77% | 99% | 100% | -1% |
Access Control | 1.4.1 | Anna P | 9/1 | 3/28 | 99% | 99% | 100% | -1% | In Progress
Two Factor Authentication | 1.4.2 | Anna P | 9/28 | 3/31 | 71% | 99% | 100% | -1% | In Progress
RADIUS | 1.4.3 | Pam A | (illegible) | 3/31 | 71% | 99% | 100% | -1% | In Progress
Password Management | 1.4.4 | John G / Pam A | 9/28 | 3/31 | 71% | 75% | 85% | -10% | In Progress
Facility Management | 1.4.5 | Peter K | 9/28 | 3/31 | 71% | 75% | 85% | -10% | In Progress
Physical User Access | 1.4.6 | Peter K | 9/28 | 3/31 | 71% | 75% | 90% | -15% | In Progress
Storage Media | 1.4.7 | Peter K | 9/28 | 3/31 | 71% | 75% | 90% | -15% | In Progress

Network Monitoring | 1.5 | | | | 62% | 87% | 100% | -13% |
Audit Logging | 1.5.1 | Anna P | 10/12 | 4/15 | 82% | 94% | 100% | -6% | In Progress
Time Synchronization (NTP) | 1.5.2 | Pam A | 9/30 | 4/10 | 98% | 99% | 100% | -1% | In Progress
Wireless Access Monitoring | 1.5.3 | John G / Pam A | 10/19 | 4/20 | 79% | 90% | 100% | -10% | In Progress
Internal / External Vulnerability Scanning | 1.5.4 | Peter K | 12/15 | 4/10 | 75% | 90% | 100% | -10% | In Progress
Internal / External Penetration | 1.5.5 | Peter K | 2/27 | 4/10 | 76% | 83% | 100% | -17% | In Progress
Intrusion Detection | 1.5.6 | Pam A | 10/11 | 4/10 | 69% | 99% | 100% | -1% | In Progress
File Integrity Monitoring | 1.5.7 | John G | 10/11 | 4/7 | 69% | 99% | 100% | -1% | In Progress

Security Policies Management | 1.6 | | | | 62% | 87% | 100% | -13% |
Security Policy | 1.6.1 | Pam A | 10/19 | 4/5 | 49% | 100% | 100% | 0% | Completed
Use Policy | 1.6.2 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Information Security Policy | 1.6.3 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Security Awareness | 1.6.4 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
HR Policy | 1.6.5 | Peter K | 10/7 | 12/5 | - | - | 100% | - | Completed
Vendor Policies | 1.6.6 | Mike A | 10/7 | 12/5 | - | - | 100% | - | Completed
Incident Response Planning | 1.6.7 | Mike A | 11/7 | 1/27 | - | - | 100% | - | Completed

Status legend: In Progress (Variance <10%), At Risk (Variance 10-19%), Late (Variance >19%), Completed, On-hold, Not Started.

Step 2: Remediate

Remediation is the process of fixing vulnerabilities — including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

• Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.

• Reviewing and remediating vulnerabilities found in on-site assessment (if applicable) or through the self-assessment questionnaire process.

• Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.

• Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.

• Re-scanning to verify that remediation actually occurred.

Step 3: Report

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.


About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: [email protected]

European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102
Email: [email protected]

India Operations Headquarters
#5/535, Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: [email protected]

© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About the Author

Vibha Tyagi is a Principal Consultant within Cognizant’s IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master’s degree in electrical engineering and an M.B.A. from the University of Chicago’s Booth Graduate School of Business. She can be reached at [email protected] | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.

Footnotes

1 PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.

2 The time for each of the phases varies, based on the client’s infrastructure footprint and current state of IT processes.

3 This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.