With the release of PCI DSS version 3.0 and more recently 3.1, many Higher Education Institutions have found it hard to know which SAQs they should be filling out since there are now nine options. Higher Education Institutions have very complex merchant card environments, and with the new requirements it is even harder to recognize what’s in scope. Tyler Baker interviews Dirk Anderson, the Vice President of Enterprise Risk & Compliance Platform at Coalfire, to get a deeper understanding of PCI Scope Assessment.
Tyler: Dirk, with the 3.1 release in effect, many Higher Education Institutions are having trouble figuring out what’s in scope and not in scope for PCI. Higher Education Institutions are complex because they have so many different departments and groups on campus accepting credit cards. Most require multiple SAQs, and there are now 9 varieties! Many have come to Coalfire asking us to help them define their Cardholder Data Environment (CDE) and make recommendations based on what we find. Do we have a process for this?
Dirk: Tyler, you are correct, Higher Education Institutions are some of the most complex environments Coalfire works with. They accept cards in many different ways and may have different payment systems for each department. This makes it difficult for the College or University to track down exactly which SAQ they should be filling out and whether they need ASV scans and/or a penetration test. Here at Coalfire, we do have a process called a PCI Scope Assessment that helps Higher Education Institutions map out their CDE. Based on that, we can provide recommendations on filling out SAQs and consolidating MIDs.
Tyler: That sounds like a very detailed and complicated process. What would Coalfire need to do first to really get a grasp on what the Institution’s CDE is?
Dirk: The first step in this process would be asset identification, which is a multi-step process to gather information about the PCI environment. During this stage of the PCI Scope Assessment we review payment processes, map out payment channels, and perform a general PCI risk assessment. Included in these processes is a review of the compliance status of the hardware and software vendors in use.
Tyler: This first step collects a lot of information and general knowledge about the Institution’s CDE. What does the second step consist of? Will we be leveraging anything from the first step?
Dirk: Yes, the first step is really a way for us to dig in deep and paint as accurate a picture as we can of the CDE. We will take the information that we gathered from the asset identification in the first step and use it for the next step, which is the compliance requirements analysis. In this analysis we will look at a few things, such as whether we can combine payment channels and if there is a way to roll up any SAQs. This will help identify which SAQs Institutions should be filling out and whether the institution will need scans or penetration testing of certain environments. Also, as a part of this process, we will be looking to see if there are any interdependencies in the environment with vendors.
Tyler: Dirk, this all sounds fantastic. Between the first two steps of this process there seems to be a lot of information gathered. Is there a formal report we give to the client that summarizes our findings?
Dirk: Yes, after these first two steps we create something called a PCI Reporting Plan. After collecting and analyzing all the data, we recommend which SAQs an institution should be filling out, as well as which IPs need to be scanned and penetration tested. We will also make recommendations on consolidating vendors and whether a P2PE program could be put in place to reduce risk. All of this will be put into a detailed formal report for the Institution to use.
Tyler: This sounds very helpful to Higher Education institutions who do not know how best to file their SAQs. Is this something they would do every year?
Dirk: We recommend that Institutions perform this assessment every few years; it is not something that needs to be done every year unless there is a significant change in the way the Institution is collecting credit cards. A lot of the time we use the PCI Scope Assessment as a way to kick off a relationship with an institution to help them become compliant. Once we have an accurate view of the PCI environment, we then help them document their compliance status. We do this by leveraging our Navis tool to help them scan and fill out SAQs.
Tyler: Thank you Dirk, this has been a very informative interview. Is there anything else that you would like to add?
Dirk: The PCI Scope Assessment is a great first step to becoming compliant for PCI and for years beyond, particularly for diverse environments like colleges and universities. Here at Coalfire, it’s our goal to help an institution any way we can in becoming compliant.