How are PCI DSS Requirements Tested? UCSF and Total Compliance Tracking (TCT)

This guide describes how Total Compliance Tracking (TCT) is used to manage PCI DSS testing and compliance tracking across all merchants at UCSF.

Key Concepts

Per international regulatory requirements, compliance with PCI DSS (the Payment Card Industry Data Security Standard) must be tested regularly through a combination of assessments, audits, and validations, to confirm that every organization handling payment card data meets the standard's security requirements. These assessments can be conducted by the organization itself, by internal audit teams, or by external Qualified Security Assessors (QSAs).

UCSF uses Total Compliance Tracking (TCT), an online tool, so that merchants can complete the SAQs required for their method(s) of payment acceptance and attach any necessary supporting documentation. The tool allows the results to be compiled, retained, and reported to the PCI Security Council efficiently and as required.

Testing Roles and Responsibilities

SAQs are to be completed by merchant managers or designated departmental staff within the tool on a periodic basis. Deadlines are listed within each SAQ and generally allow a few weeks to complete, rather than holding merchants to a tight interview schedule. Access to the tool is available by contacting [email protected].

Some segments and/or SAQs are completed by merchants and cover operational, procedural, policy, or training questions and explanations. Other SAQs are answered by Network or Data Security staff for the areas they are responsible for securing. Every member of the wider payment security team takes part in the process, and each plays a part in UCSF's successful recertification every testing season.

Testing Process

The testing process for all organizations that accept payment card data typically involves the following steps:

  • Scope Definition: Determine the scope of the assessment, which includes identifying all systems, networks, and processes that are involved in cardholder data processing.
  • Documentation Review: Review the organization's policies, procedures, and documentation related to PCI DSS compliance. This includes network diagrams, system configurations, and system and staff access control policies.
  • Interviews: Conduct interviews with personnel who are responsible for cardholder data security to ensure they understand and are following PCI DSS requirements.
  • Vulnerability Scanning: Use Approved Scanning Vendors (ASVs) to conduct vulnerability scans of the network and systems in scope. This helps identify and address security weaknesses.
  • Penetration Testing: Perform penetration tests to actively exploit vulnerabilities and determine if unauthorized access to cardholder data is possible.
  • Review of Security Controls: Evaluate the organization's security controls, such as firewalls, intrusion detection and prevention systems, and access controls, to ensure they are properly configured and effective.
  • Review of System Components: Assess individual system components and their compliance with PCI DSS requirements. This includes reviewing configurations, patch management, and other security measures.
  • Logging and Monitoring Review: Examine the organization's logging and monitoring practices to ensure that they are collecting and retaining relevant security data.
  • Cardholder Data Flow Analysis: Trace the flow of cardholder data through the organization's systems and processes to ensure it is adequately protected.
  • Policy and Procedure Evaluation: Review the organization's policies and procedures to verify that they align with PCI DSS requirements and are being followed.
  • Review of Physical Security: Inspect the physical security measures, such as access controls and video surveillance, that protect cardholder data.
  • Report Generation: After the assessments are complete, a report is generated that details the findings, including areas of compliance and non-compliance.
  • Remediation: The organization is expected to address any non-compliance issues and vulnerabilities identified during the assessment process.
  • Validation: Depending on the organization's size and the volume of cardholder data they handle, they may undergo a PCI DSS compliance validation, which could be either a Self-Assessment Questionnaire (SAQ) or an on-site assessment by a QSA.
  • Attestation of Compliance (AOC): The organization submits an Attestation of Compliance, a formal statement asserting its compliance with the PCI DSS requirements that apply to the scope of work it is engaged in with UCSF.
  • Ongoing Monitoring: PCI DSS compliance is not a one-time effort; organizations must continuously monitor and maintain their compliance, undergo regular assessments, and adapt to changes in their cardholder data environment.

The exact testing procedures vary and change depending on the specific PCI DSS requirements and the organization's size, transaction volume, and complexity. UCSF is currently a Level 3 rated organization, which requires a high level of scrutiny and reporting. As our organization continues to expand and diversify, our rating could change and testing requirements may intensify. Thorough and accurate testing and validation of our compliance with PCI DSS regulations are required regularly to retain good standing and avoid serious financial penalties, reputational risk, and/or loss of payment card acceptance privileges.

Help and Support