Make Your PCI DSS Auditor Happy: Follow This PCI Audit Checklist [Infographic]

PCI audit checklist

How not to fail your next PCI DSS audit.

Check out the infographic here.

No matter the type of business, whether a retail or service provider environment, similar problems materialize before or during an audit that ultimately slow audit progress. Aside from being experts on PCI DSS requirements, onsite PCI DSS auditors are attuned to quickly see the security problems in an environment.

PCI DSS auditor pet peeves

PCI audit checklistThe job of a security auditor is to inspect and analyze what security methods, tools, and processes have already been implemented at a business. The key phrase being already implemented.

Your auditor can tell if security isn’t a top priority at your company. That being said, most environments need a little TLC, and that’s just fine. Auditors love to see when IT or compliance managers try their hardest to keep on top of vulnerabilities to ensure security at their organization. If they require a little help to get over the last few bumps to clear their PCI DSS audit, an auditor will gladly help.

Every auditor wants to step into their audit environment to eager and determined employees ready to help them out at every turn. Obviously, that doesn’t always happen. Unfortunately for auditors, most people view an audit as a necessary evil.

PCI DSS auditors aren’t mean or evil. They want you to succeed! It’s the people who simply don’t care about security, and purely view their audit as an inconvenience that make auditors cranky.

Follow for more data security articles

What every auditor wants

In an ideal world, auditors want the audit liaison or compliance officer to have:
  • An understanding of audit security jargon.
  • Transparent and eager attitudes to their questions and suggestions.
  • An already-made PCI audit checklist complete with questions to ask the auditor.
  • Last year’s ROC printed out for them.
  • Documentation on how the environment is coping with recent vulnerabilities.
  • Talked with key stakeholders to help them understand the organization’s risks.
  • Checked event logs regularly.
  • Documentation on how third party security risks are mitigated.
  • An understanding of PCI DSS 3.1.
  • An understanding of your PCI DSS scope.
Throughout the duration of the year, businesses grow, card data environments change, and PCI DSS requirements are amended.
Correct documentation and updated personnel help an auditor get up to speed on the environment as quickly as possible.
The quicker an auditor gets up to speed, the quicker you get through your audit.

Infographic: Avoid audit facepalms 

We asked 8 of our top auditors their words of advice for those looking to pass their PCI DSS audit with flying colors, and came up with this 8-phase PCI audit checklist.

‘How

Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

healthcare reception

What can patients see on your reception desk?

Brand Barney, Security Analyst at SecurityMetrics
By: Brand Barney
Your reception desk might be one of the most vulnerable locations in your entire organization. Why? Every patient you treat walks up to the reception desk and discusses their visit with the receptionist for at least a minute or two. What do they see when their eyes wander around that reception desk? What do they hear? What can they grab? Take a photo of?

Check out this video for a 90-second summary of this reception desk HIPAA problem.

HIPAA violations on reception desks

healthcare receptionI’ve seen some pretty wild HIPAA violations from the viewpoint of both auditor and patient. The most common violations I see at reception desks are things like:

  • Seeing the receptionists’ open computer with the day’s schedule, complete with full patient names
  • Computer, EHR, and Wi-Fi passwords written on sticky notes, stuck to a computer monitor (in plain view to the public!)
  • Patient records on clipboards by the keyboard and easily viewable
  • Keys (probably to a back office) within arm’s reach
  • Bulletin boards with new patient names and notes about patients
  • Unopened charts which still identify name and address of patients
  • Patient messages for the doctor written on a pad of paper next to the phone on the reception desk, and in full view
  • Recently received faxes of health insurance data left in plain view on the desk
  • Recently printed scripts left sitting on the desk in plain view
  • Unshredded patient records thrown in a trashcan shared by receptionists and waiting room patients
  • Patient charts placed in clear door chart holders, clearly viewable to anyone walking by
Each situation I described above is either a HIPAA Privacy Rule or HIPAA Security Rule violation. All it takes is one patient or workforce member to report a single one of those violations and get you on the Office for Civil Rights’ (OCR) audit radar.

subscribe for more healthcare security articles

Even worse, what if someone with malicious intentions saw your Wi-Fi password so conveniently displayed on your desk, and decided to hack in and steal patient data? Do you have the technical measures in place to know if this has happened, or is happening?

Stopping reception desk HIPAA violations

Receptionists have tried to convince me that as long as the information is upside down to the patient, it’s not a HIPAA violation. That is false, and truthfully ridiculous. A quick picture of that upside down patient data can quickly be turned right side up, or even snatched right off the desk.
You can do a lot to mitigate the risk that your reception desk fosters, but the most important is employee training.
Receptionists, doctors, and nurses won’t leave patient information in plain view on reception desks if they have extensive training explaining why. I truly believe that healthcare professionals care about the data that they are working with, but I don’t think that they understand how they impact the security of that sensitive data.
Here are some more ideas that will help you keep your reception desk free and clear.
  • Stand where your customers check in, walk the path they walk, and see if you can see any sensitive information, in any form.
  • Stand at the reception desk and try to locate any administrative information that might assist a hacker to gain access to your system (like your EHR password)
  • If you ever write something on paper, immediately turn it over, or place it in a locked drawer
  • Pull out your phone, put in on the desk. What can you take photos of? I always recommend that you have a no phone policy at the front desk policy.
Many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable. With the right procedures and training in place, you should be able to make sure your reception desk area is violation-free and HIPAA compliant.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

HIPAA Learning Center
SecurityMetrics Vulnerability Scanning FAQ

SecurityMetrics PCI Compliance

The most commonly asked customer questions about vulnerability scanning.

As you may expect, we get a lot of the same questions from customers about their vulnerability scanning. The following is a list of the most common questions we hear.
SecurityMetrics PCI Compliance

What are you scanning, and what are you scanning for?

We scan your external IP address or domain name. The scan identifies what ports are open and responding to public traffic. The scan then tests for weaknesses in your network.

How often will SecurityMetrics scan my network?

The scans run automatically every 90 days, or whenever a scan is manually initiated by you. Keep in mind, it’s a PCI DSS requirement that you run a new scan if your environment changes in any way.

SEE ALSO: 10 Qualities to Look For When Selecting an Approved Scanning Vendor

What should I do before running a vulnerability scan?

If you have an intrusion detection system or intrusion prevention system protecting your network, you may need to add our scanner's IP range to a white-list or exclusion-list for the scan to complete accurately.

What does the CVSS on my vulnerability scan test results mean?

The scores are pulled from an industry standard Common Vulnerability Scoring System (CVSS). As per PCI requirements a single score of 4 or greater results in a failed scan.

How long will it take for my vulnerability scan to complete?

There are many variables that determine how long a scan takes. Average scan completion time ranges between 3 and 4 hours. However, scans running for longer than 4 hours are not uncommon. If your scan has been running for more than 24 hours, please contact our Support Department at 801.705.5700 or support@securitymetrics.com.

How do I manually start my own vulnerability scan?

You can start a scan on any IP you have set up on your account. In the Scan Overview tab, look at the target you want to scan, and click the Scan Now button.

How/When can I put the "SecurityMetrics PCI DSS Validated" logo on my site?

Only customers who are enrolled in a PCI compliance service may put the SecurityMetrics PCI DSS Validated logo on their website. Instructions are provided inside passing test results of each vulnerability scan.

If you have any additional questions about vulnerability scanning that weren’t answered in this blog post, feel free to contact our 24/7 support team at: 801.705.5700 or support@securitymetrics.com  (UK: +44 33 0808 0832)

Follow SecurityMetrics' blog
Network Inventory, Configuration Management, and Security

What’s on your network? 

 Assistant Professor Cybersecurity Program Director
 By: Robert Jorgensen
In the last couple of years, security vulnerabilities have gone from obscure bulletins and esoteric CVE numbers to a marketer’s dream with catchy names, clever logos, and extensive news coverage.While this level of cybersecurity awareness promotes a more secure society, it is applying greater pressure than ever to IT managers and their teams.

Executives and management are suddenly aware of vulnerabilities blissfully ignored in the past. This awareness brings questions to IT staff, the most common being “Does this impact us?”

(SEE ALSO: LogjamShellshockGhost)

Unfortunately, this question is often met with silence, a Magic 8 Ball “ask again later” response, or a non-committal “I don’t know”. Those are answers no one wants to give when asked about a widely reported vulnerability.

Even worse, those are sometimes the answers to the question not asked enough:

“What is actually on our network, and how is it configured?”

Security Metrics subscribe

Network Inventory

Around the turn of the millennium, there was a widely reported story about a particular server at a university that lived a solitary life in a server closet walled in a number of years earlier. While nostalgic administrators often tout this tale as a fictitious example of how they built operating systems in the good old days, imagine that scenario now. You have a server on your network. You can see it. You can talk to it. You might even think you control it. But you have no idea where it is.

As a security professional, the wistful daydream of the system administrator quickly turns into something that keeps you awake at night.

Confidentiality, integrity, availability
Security professionals are tasked with three goals for information systems: confidentiality, integrity, and availability. Using the extreme example mentioned above, it is pretty easy to see how each of these is compromised.

If the physical location is unknown, there is no way to know if someone is tapping or viewing the data (confidentiality), modifying the data or the system directly (integrity), or if the server has reliable power, fire suppression, or theft prevention (availability).

Fortunately, most organizations do not run into an example this extreme. But many organizations struggle with maintaining an up-to-date list of software and hardware throughout the network, especially when it comes to systems that aren’t in production.

It’s not uncommon for organizations to have a pretty good idea of what’s in production for asset tracking and licensing reasons. Many IT departments track production configurations and follow a baseline as servers are deployed. In both cases, when development and test environments are involved, things often get a bit less clear. While certain development licenses and site licenses may reduce the need for granular license tracking and older depreciated hardware used in such environments may appear to reduce the need to track, there still should be concerns about the security of these systems.

While staging and QA servers often mirror the configuration of production devices, development and test servers often sport basic configurations. Default passwords and simplified configurations abound. Hardening is typically reserved for “real” environments.  Whatever the reason, these machines remain vulnerable. Naturally, no one expects them to be accessible to the outside world, but it happens.

Take the State of Utah Medicaid breach in 2012, for example.  More than 700,000 records were breached. The remediation went into the millions of dollars. What happened?

"The server was a test server and when it was put into production there was a misconfiguration. Processes were not followed and the password was very weak," Stephanie Weiss, spokesperson for DTS, told InformationWeek Healthcare.

Yikes!  If regular inventory scans of devices on the production network had been completed, someone could have noticed this machine and remediated the situation.

Configuration management

Network Inventory Organizations commonly monitor critical systems using a variety of software packages. Too often this falls into a pattern of, “Server X is critical for application Y, so we should monitor it” rather than, “We should monitor the network itself for new devices.” Most monitoring software has scan and discovery modes, but how often are they run? Likewise, software inventory and configuration management tools can pull or push information about installed software and configurations. How often does this happen?

So, what is actually on your network and how is it configured?

Having a complete and up-to-date inventory of the devices and software on your network makes answering this much easier. A master software list showing each software package and version installed on servers and workstations can be used to quickly identify potential problem areas. Being able to check configurations regularly will help identify problems sooner.

Some vulnerabilities make answering this question more complicated. For example, the Heartbleed vulnerability affected OpenSSL. None of your systems administrators might remember explicitly installing OpenSSL, but it is used by many software projects to provide TLS support for their applications. While having a complete list of software and versions at hand may not instantly identify all affected software, it will speed up the process as vendors and projects update their user base with new information.

Where to start?
The first step is finding out if your records match reality. Sure, that spreadsheet shows 15 machines on that subnet with 22 total IP addresses, but what is actually there? How many switch ports are active? How many virtual machines are being hosted on that blade server? Identifying everything may seem an overwhelming task at first, but it gets easier in subsequent iterations.

The same goes for installed software and configurations. Pull the information and check against your baseline. It’s amazing how far a little tweak here and there on a server can cause individual instances to diverge over time. Perhaps some debugging tools have been left there from a previous troubleshooting session. How about former system administrator Joe’s account? Was it disabled everywhere?

Once you have this information, it’s a good time to verify patch levels.

The 2015 Verizon Data Breach Incident Report found “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” Let that one sink in. Does your organization have a vulnerability that is a year or more old? It simply is not possible to know without up-to-date information. Just because something is stable doesn’t mean it is secure.

Security

Once you have established that your records reflect reality, it is time to monitor to ensure they are accurate. How often will depend on your organization’s overall security posture, but frequent and regularly scheduled updates will go a long way to ensure you have the best view of your systems.

A quick network scan a couple times a day will have little impact on performance, but may reveal the development workstation that just inadvertently bridged the production and test networks. More intensive tools should wait until off-peak hours.

When scheduled changes are made, check to see they reflect what was planned. Some things are overlooked and, occasionally, someone slips in an extra change during that maintenance window. As they say, trust but verify.

Finally, remember this is an iterative process subject to constant improvement. As the concept of network, system, and software inventory and configuration management moves from asset tracking and compliance to part of your operational security plan, things will become more efficient.
The confidence of having regular, updated information about your environment will change the entire tone of that inevitable “are we vulnerable” meeting.
Instead of delaying and waffling, you can look everyone in the eye and speak with authority. It may not be the answer they want to hear, but it is the correct answer and your organization can then move forward with remediation as necessary.

Robert Jorgensen is a cybersecurity professional and educator with over 20 years of experience in various technology roles. He holds multiple information security certifications, including CISSP, CISA, GCIA, GCIH, GPEN, and GXPN, as well as networking and systems certifications from Microsoft, Novell, and Cisco. A Utah native, Robert received his Master of Science in Information Systems from the University of Utah. Robert is on the faculty of Utah Valley University as as Assistant Professor and the Cybersecurity Program Director. He is currently building a cyber security academic program at UVU under a $3 million federal grant.

SecurityMetrics Data Security Learning Center

SecurityMetrics Support FAQ

The most commonly asked questions about our PCI compliance product.

As you may expect, we get a lot of the same questions from customers about their PCI DSS compliance product. We thought we’d post the most common as an easy go-to source for those with questions.
PCI DSS FAQ, SecurityMetrics PCI Compliance

Why am I receiving emails that say I'm not currently PCI compliant?

We send out reminder emails informing you of your non-compliant status. By logging into your SecurityMetrics account using your email and password, you'll have access to an intuitive web interface where you can review your requirements for PCI compliance. You can then complete the PCI DSS requirements that apply to you.

SEE ALSO: PCI DSS FAQ

My account screen says I'm PCI compliant, how do I notify my merchant processor of my compliant status?

If your merchant processor is partnered with us, they have immediate access to your PCI compliant status, and no action is required on your part. If not, we have reporting tools available to send your compliance status to an email address of your choice.

What if I want a certificate to show that I'm a PCI compliant merchant?

Once you're compliant, you can print a certificate of compliance by clicking on the Reports tab on the dashboard. Click on ‘show additional reports’ and then download your Merchant PCI Certificate.

To login to my account, it asks for my email address, what's my email address and how do I change it?

Your email is the email address used to create your account. If you would like to update your email address, please contact our Support Department at 801.705.5700.

I tried using the "Forgot Password" option, but I still can't login. How do I reset my password?

Contact our Support Department at 801.705.5700 for help with resetting your password.

When I login to my account it says I'm not PCI compliant, what should I do?

On the PCI dashboard you will find a To Do list of actions you must take to become PCI compliant. Click on any step to begin working towards a compliant status.

When I try to login, it just takes me right back to the login page, what should I do?

Clear your browser's cache and cookies. If that doesn't work, try logging into your account using another browser, such as Google Chrome or Mozilla Firefox.

Does the service SecurityMetrics provides cost anything?

All questions regarding charges or payments can be answered through our Compliance Department. Contact them by phone at 801.705.5665 or via email at compliance@securitymetrics.com.

SEE ALSO: 10 PCI DSS Myths

What does support cost?

SecurityMetrics provides 24x7 support for its customers by phone or email at no additional cost. Call the Support Department for assistance at any time at 801.705.5700 or email support@securitymetrics.

I have multiple methods of processing credit cards. Do I have to complete a separate Self-Assessment Questionnaire (SAQ) for each of them?

SecurityMetrics offers a combination SAQ for merchants with multiple processing methods. This will automatically be identified through your scoping process. If you have questions about what applies to your business, contact our Compliance Department at 801.705.5665 or compliance@securitymetrics.com.

I answered a lot of questions when I signed up for your services, but my account says I haven't completed the Self-Assessment Questionnaire. Why?

You may be thinking about the questions we ask determine your SAQ type, but those questions don’t necessarily complete the Self-Assessment Questionnaire.

The Self-Assessment Questionnaire mentions "Point of Sale Terminal/Software". What does this mean?

Point of Sale Terminal refers to a physical machine used to process credit cards. The make and model of your device can typically be found somewhere on the device itself. Point of Sale Software refers to a program on your computer used to process card transactions.

My Self-Assessment Questionnaire is failing. What should I do now?

To reach a passing SAQ, you must be in compliance with all the requirements. If there’s something you don’t understand or you are unable to mark ‘yes’ to, contact the Support Department by phone at 801.705.5700 or support@securitymetrics.com. To revisit the sections you put no to simply click on the section name.

Some of the questions on the Self-Assessment Questionnaire do not apply to me. What should I do?

If a standard isn't currently applicable, the PCI Council wants to make sure you understand it, and would meet that standard if it ever applies. If you agree you would meet the standard if it should apply to your business in the future, you should mark "yes".

My account says my Self-Assessment Questionnaire is "expiring soon" or "expired". What should I do?

Completing the PCI Self-Assessment Questionnaire is an annual requirement. Re-take the Self-Assessment Questionnaire until you pass.

If you have any additional questions about vulnerability scanning that weren’t answered in this blog post, feel free to contact our 24/7 support team at: 801.705.5700 or support@securitymetrics.com  (UK: +44 33 0808 0832)

Subscribe to more data security articles