PCI DSS v3.0 Report on Compliance (ROC) Assessment Overview
Jeff Messer, Director, TAAS
01/08/2015

Agenda
- What / Why / Who
- ROC Schedule
- Request for Information (RFI) Process Overview
- Onsite Assessment
- Remote Assessment and Remediation Activities
- Draft ROC Report
- Quality Assurance and Draft Review
- Final Report
- Challenges from Experience
- Questions

What / Why / Who
- What is a ROC?
  o Report on Compliance
- Why do we need to do a ROC?
  o Because you're a Level 2 merchant, you are required to have an onsite assessment performed on an annual basis.
- Who is involved?
  o Business
  o IT

ROC Schedule
- Period 1 – Pre-Assessment
  o Documentation and Preparation
  o Cardholder Data Environment (CDE) Review
    • All the people, processes and technologies involved in storing, transmitting or processing cardholder data (CHD).
- Period 2 – Assessment
  o ROC Process – Report on Compliance validation

ROC Process Flowchart
(flowchart figure; not reproduced in the extracted text)

RFI Process – Overview
- The Coalfire RFI Process is intended to prepare for and facilitate a smooth PCI DSS assessment project.
- Successful completion of each RFI phase is critical for meeting timeline expectations for the ROC.

RFI Phase 1
Phase 1 Documents
  o Exec 1 – Business Description
  o Exec 2 – Department Scope Identification Process
  o Exec 3 – Dataflow Diagram(s) / Campus Scope Narrative
  o Exec 4 – Network Diagram(s)
  o Exec 5 – CDE Inventory

Exec 1 – Business Description
Non-marketing explanation of:
  o Lines of business (e.g. retail, ecommerce, brick-and-mortar, etc.)
  o Operating locations
  o Revenues
  o Number of employees
  o Number of IT employees
  o Major IT contract providers

Exec 2 – Scope Identification Process
- Covers all of the methods and processes used to identify and document all instances of cardholder data (electronic / paper).
- Include any data discovery tools, and any manual or automated processes, used to ensure that no cardholder data exists outside of the CDE.

Exec 3 – Dataflow Diagram(s) / Dept. Scope Narrative
- Describe all manners in which you accept and process payment card transactions, from card data capture through settlement.
- Descriptions need to be accompanied by data flow diagrams that highlight the flow of CHD:
  o Into the CDE
  o Throughout the CDE
  o Out of the CDE

Exec 4 – Network Diagram(s)
- Depicting the CDE
- All of the CDE boundaries
- How it is connected to (and/or segmented from) other networks
- The diagrams should be both high-level and detailed.

Exec 5 – CDE Inventory
- The CDE Inventory spreadsheet documents all in-scope systems that make up the CDE.
- The inventory must align with all information previously provided.
- Completion of this inventory is critical for scheduling and sampling purposes.

RFI Phase 2
Phase 2 Documents
  o Provide a complete "RFI Phase 2" document
    • Mapping your documentation to all applicable PCI DSS requirements
    • Identifying the Owner(s) and the Owner Contact(s) for each requirement
  o Provide the documentation to Coalfire.
  o Onsite scheduling:
    • Interviews (Interview Schedule)
    • Assessments
    • Evidence Collection

RFI Phase 2 Spreadsheet
(spreadsheet figure; not reproduced in the extracted text)

Onsite Assessment
- Assess all in-scope facilities
- Conduct interview sessions with key personnel
- Perform all necessary technical validation

Remote Assessment & Remediation
- Remote Assessment
  o This time period is to complete any review activity that was not completed during the onsite assessments.
- Remediation
  o This time period is to validate that any issues identified during the assessment have been addressed (i.e., remediated).

Draft ROC Report
- We begin writing the ROC report as soon as the Phase 1 documentation is collected and complete.
- After all review and remediation activities have completed, the draft report will be issued.

Quality Assurance and Draft Review
- The draft report will be reviewed both by the Campus and by Coalfire's QA process.
- The draft will go through iterations until it successfully completes both reviews.

Final Report
- Campus approves the content of the draft report.
- The final Report on Compliance (ROC) and the associated Attestation of Compliance (AOC) will be signed and issued.

Challenges from Experience
- Take this seriously; you don't want to be a headline.
- Most merchants overestimate their level of control and underestimate the scope of their environment.
- Read the PCI DSS v3.0 to ensure you understand the requirements.
- Think outside the box: don't assume you know your scope; take time to validate it.
- Expect surprises to be found during penetration testing and vulnerability scanning.
- Remediation always takes longer than you think.

Questions?