With global companies outsourcing payment card industry (PCI) processes to India, the country’s information security paradigms may be shifting to meet international standards. However, since PCI Data Security Standard (DSS) compliance is a relatively new development in India, it would be prudent to evaluate how it is actually addressed. This tip highlights important considerations to be kept in mind while forging an outsourcing relationship with a PCI DSS compliant Indian service provider.
Step 1: Analyze the service provider
Before outsourcing services, it is important to evaluate the service provider’s financial stability, offerings, customer references, industry experience, and other such details. It is a standard due diligence practice to verify the service provider’s financial records for up to three years.
Technical expertise may be evaluated on the basis of previous projects, used platforms, and associated manpower. Competence can be validated through on-site assessments of followed practices or live monitoring using virtual environments. For verification of PCI DSS compliance and its scope, review Attestation of Compliance and Report on Compliance. These documents are main deliverables of the PCI DSS compliance exercise.
Step 2: Ensure PCI DSS compliance
Compliance and security are different parameters in India. While certain companies take security very seriously, others simply try to meet PCI DSS compliance’s minimum mandatory requirements. A continuous validation and remediation process is vital, as is designated manpower to maintain security.
The PCI council mandates annual PCI DSS compliance audits. Under PCI DSS compliance requirement 12.8, outsourcing entities should regularly monitor their service provider’s compliance. You can ensure a service provider’s PCI DSS compliance levels using the following steps:
- Conduct surprise audits and regular validation. Do frequent random audits initially until the operation stabilizes. Constant monitoring can locate problem areas, which can be appropriately addressed.
- The service provider’s information security policy and approach to security are particularly relevant for effective PCI DSS compliance. The focus should be on effective management of existing resources, rather than adding new variables.
- The definition of scope is an important aspect of PCI DSS compliance. Scope refers to the extent to which a service provider falls within the compliance guidelines. For example, a service provider may be PCI DSS compliant at one of its operations, and not others. The best approach is to segregate the PCI environment from the rest of the network and ensure implementation of your designated PCI controls. Reducing scope through network segmentation lessens exposure and the possibility of internal fraud. Segmentation also enables you to scope out network areas not dealing with PCI data. This makes PCI DSS compliance cheaper to maintain by reducing security overheads, as well as makes it easier to respond to incidents.
- Ascertain implementation of strong access control measures. Access to cardholder data should be restricted by business need-to-know. This is the toughest part of achieving PCI DSS compliance. In an outsourcing relationship, access control should be defined by the outsourcer. Practices such as role-based access control on the principle of least privilege are robust for securing sensitive information. It is mandated that access be based on white-lists, denying all other access requests.
- Under PCI DSS compliance requirement 11.2, external vulnerability scans must be conducted by an approved scanning vendor (ASV) every quarter. The service provider may have an environment with public facing IPs, or on certain cases [such as access through multi-protocol label switching (MPLS) environments and end-to-end connectivity], it may have none. An ASV audit will only be applicable in the former. It is recommended that virtual private networks be used even with MPLS environments, since the transmissions are not encrypted.
Step 3: Clearly mention project prerequisites
It’s essential to define project requirements in the service level agreement. Needs like network segmentation, redundancy in terms of data/security, load balancers, and servers should be explicitly defined by the client. At present, most Indian service providers do not provide redundancy and segmentation as basic services.
Since PCI DSS compliance does not mandate redundancy, such needs must be defined by the outsourcer. For instance, companies requiring high data availability may request 100% redundancy. Similarly, you should explicitly define segmentation requirements.
Restriction of physical access to cardholder data storage locations is another aspect. It is a common practice to use physical swipe cards with unique IDs, defining user-access privileges. These may be used in conjunction with closed-circuit televisions and layered security measures to prevent access to sensitive data center areas. PCI DSS compliance requirement 9.1 mandates appropriate facility controls, which could be either or both of these measures.
It is interesting to note that PCI DSS is based on extensive layered logical and physical security measures and is very much within the ambit for compliance by data centers (including those providing managed services). With respect to protection of data during transmission, end-to-end encryption is not being implemented anywhere in India.
Disclaimer: Views expressed in this tip are the personal views of the authors and not that of the company.
About the authors: Gaurav Srivastava is an information security consultant and trainer with more than six years of infosec experience. He is currently working as a consultant (project manager) at SISA. He is a Payment Card Industry Qualified Security Assessor (PCI QSA), who has successfully conducted more than 60 assessments. Gaurav has provided noticeable consulting services on PCI compliance, ISO27001 and HIPAA for leading M-Commerce merchants, IT companies, banks and BPOs.
Nitin Bhatnagar works as the senior consultant/ global head business development and marketing - information security services with SISA Information Security Pvt. Ltd. He has more than four years of experience in information security domain. Nitin has been involved in several PCI-DSS, Code Review, OCTAVE Risk Assessment, Forensics, Intellectual Property Rights and Application Security related projects. He also has a master’s degree in information security from Indian Institute of Information Security –Allahabad.
(As told to Varun Haran)
This was first published in March 2011