
Cognizant 20-20 Insights

A Framework for PCI DSS 2.0 Compliance Assessment and Remediation

By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) 2.0[1] is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor is required to submit an annual compliance report to its merchant bank.

This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these compliance issues. The paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

Our PCI Compliance Approach

PCI security for merchants and payment card processors is the result of the information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).

Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase.[2] Each phase can be executed independently of the other and is then followed by reporting.

Assessment Phase

In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

- Data gathering (typically three weeks).
- Current state assessment (typically two weeks).
- Gap assessment (typically three weeks).
- Future state roadmap (typically two weeks).

The duration of the assessment phase can differ based on the size of the client infrastructure and the number of devices in the cardholder data environment. Figure 1 shows an example of an assessment-phase plan.

Figure 1: Assessment Phase Planning (week numbers 1 through 11)

Activity                 | Duration
Data Gathering           | 3 weeks
Current State Assessment | 2 weeks
Gap Assessment           | 3 weeks
Roadmap to Future State  | 2 weeks

cognizant 20-20 insights | february 2013

PCI DSS is based on technical and operational requirements in 12 different areas; data gathering is performed across six conceptual areas, covering the following:

- Network infrastructure.
- Encryption and data protection.
- Vulnerability management.
- Access control.
- Network monitoring.
- Security policies management.

The data gathered is then assessed for gaps across each of these six areas. The gaps in the current ("as is") state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve future state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables of this phase include, but are not limited to:

- Network inventory.
- Software inventory.
- Current state network diagram of the cardholder data environment.
- Inventory of tools and utilities identified.
- Current state policies.
- Gap assessment matrix of PCI controls.
- Best practices followed (if applicable).
- Future state roadmap.

Remediation Phase

During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on the gaps found during the assessment phase. Typical activities during this phase include:

- Planning (typically four to six weeks).
- Designing (eight to 10 weeks).
- Building (12 to 15 weeks).
- Verifying (14 to 16 weeks).
- Deploying (varies).
- Reassessing for the report on compliance (ROC) (eight to 10 weeks).

The reassessment (which includes any final remediation as needed) is conducted in conjunction with a third-party Qualified Security Assessor (QSA) to obtain a report on compliance. Figure 2 illustrates a remediation-phase plan.

During the planning phase, multiple workshops are held with a core group of personnel that includes both company resources and our consultants.

Overcoming Compliance Issues

There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

- Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).

Figure 2: Remediation Phase Planning (week numbers 1 through 46)

Activity         | Duration
Plan             | 4-6 weeks
Design           | 8-10 weeks
Build            | 12-15 weeks
Verify           | 14-16 weeks
Deploy           | Varies
Reassess for ROC | 10 weeks



- Unavailability of the skilled personnel required to both understand and maintain the security of the credit card data environment.
- No experience executing the activities required, either for first-time PCI DSS compliance or, once PCI DSS compliant, for maintaining compliance over the next compliance cycle.
- Lack of both awareness of industry best practices and experience with the relevant tools available that fit the requirements of the company's environment.

In our experience, companies end up investing in the wrong tools and the wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company's liabilities.

PCI DSS Compliance Services Benefits

We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.

To execute a PCI compliance program, we provide tools that help along its entire lifecycle, from planning, to design and build, to testing and through validation.

The key benefits of our PCI compliance framework include:

- The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
- Our structured, efficient and practical operational implementation of tools and their inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
- Whether it is a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
- Implementation benefits result in best-in-class, cost-effective and easily maintainable PCI DSS compliance.
- On-the-job, environment-relevant training enables organizations to best fit personnel to function.
- Our large pool of experienced consultants across various industry verticals has experience using technology to enable and protect the client's business.
- Program management capabilities for smoothly managing complex compliance programs.

PCI DSS 2.0 Compliance Work in Action

We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

- Program management for the PCI remediation program.
- Delivery of security tools from design and installation to operations.
- Design and architectural expertise across the client's infrastructure.
- Remediation of all findings from the PCI assessment for ROC activities.

The entire engagement was delivered in 11 months using a team of 21 professionals working with the client's 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.

Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps by implementing 290 PCI controls, but also incorporated the scope change, working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 shows the extent of the work accomplished.

Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 illustrates a progress card created each week in pursuit of ROC readiness.

Figure 5 shows how a tracker is used to reveal readiness to attain an ROC.



Figure 3: PCI Remediation Program Accomplishments: System, Device and Process Impacts (PCI DSS 1.2.1 and 2.0 compliance)

Tools
  Newly implemented: 12 | Modified: 1 | Phased out: 2

Programs
  Newly implemented: 3 | Modified: 5 | Phased out: 2

Processes
  Newly created process flows: 30 | Modified process flows: 3 | Phased-out process flows: 4 | Project management processes followed: 8 | Project templates created and used: 7

Systems
  Applications touched: 8 | Servers and DBs touched: 40 | Operating systems touched: 9 | POS devices touched: 1,071 | Desktops touched: 1,418 | Laptops touched: 300
  Client proprietary systems touched: 97 | JBM machines touched: 850 | WCSs touched: 1 | Jump boxes touched: 4

Network Devices
  Routers touched: 1,039 | Switches touched: 3 | Wireless access points touched: 89 | WLCs touched: 2 | Firewalls touched: 6 | Content switches touched: 2
  Modems touched: 1,200 | VPN concentrators touched: 2 | Devices with NTP configuration: 1,320

Policy, Procedures, Standards
  Policies created: 11 | Policies modified: 2 | Procedures created: 21 | Procedures modified: 0 | Policies phased out: 1 | Standards created: 31

Others
  Stores touched: 1,824 | Runbooks created: 10 | User accounts cleaned: 37,000 | New service implementations: 7 | Service implementation modifications: 1 | VA and pen-test remediations performed: (149, 6)
  Business justification documents created: 3 | People given security awareness training: 885 | RFCs created: 282 | Anti-virus upgrades: 1,718 | Critical security patches applied: 300 devices | Stores with hardware encryption: 1,110
  Stores converted from MPLS to broadband: 16 | New vendor contracts created: 1 | Vendor contracts modified: 8 | Scope reduction work streams: 7 | Scope increase activities: 4

Figure 6 highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.

The client was pleased with the results, noting that the engagement used realistic and achievable timelines, where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: "We were on schedule and under budget by $500K. It was an amazing achievement for the entire team."

Figure 4: PCI Controls: Weekly Progress. Stacked weekly counts of PCI controls by status (In-Place, In-Progress, N/A, Assessments) for the weeks 3/27, 4/13, 4/20, 4/26, 5/2, 5/4, 5/7, 5/9, 5/11, 5/15, 5/18 and 5/22; y-axis: number of PCI controls (0 to 300), with the largest series reaching 247 in the final week.

Appendix

PCI Background[3]

Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. Remediate is the process of fixing those vulnerabilities. Report entails compiling the records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI DSS 2.0 Requirements

PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1: Assess

The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes the IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from the beginning to the end of the transaction process, including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitation and where to direct remediation.

Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.

Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans of your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.
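The scoping work described under Step 1 (finding where cardholder data actually lives, and therefore what belongs to the cardholder data environment) normally starts with a data-discovery pass over logs, file shares and databases, because a PAN that has leaked into an application log pulls that log server into scope. The following is an added example, not code from this white paper or a Cognizant tool: a small PAN discovery scanner in Python that applies the Luhn check and issuer prefixes to candidate digit strings and reports hits masked to the first six and last four digits, the maximum that PCI DSS 2.0 Requirement 3.3 permits to be displayed. The log lines, the source name and the issuer prefix table are constructed for the example; the prefix table is an illustrative subset, not a complete IIN list.

```python
"""PAN discovery for CDE scoping (added example; the sample log is constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate: 13-19 digits, optionally separated by single spaces or dashes, and
# not adjacent to other digits. Deliberately broad; Luhn + issuer checks filter it.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and PAN lengths for the five PCI brands. Assumption: an
# illustrative subset (e.g. the MasterCard 2221-2720 range is omitted), not a
# complete IIN table.
BRANDS = {
    "Visa": (("4",), (13, 16, 19)),
    "MasterCard": (("51", "52", "53", "54", "55"), (16,)),
    "American Express": (("34", "37"), (15,)),
    "Discover": (("6011", "65"), (16,)),
    "JCB": (("35",), (16,)),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every brand above issues Luhn-valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Return the brand whose prefix and length match, or None."""
    for name, (prefixes, lengths) in BRANDS.items():
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS 2.0 Req 3.3 allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked_pan: str


def scan_text(source: str, text: str) -> List[Finding]:
    """One Finding per Luhn-valid, brand-matching PAN; the raw PAN is never kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue            # order numbers, timestamps, typos
            brand = brand_of(digits)
            if brand is None:
                continue
            findings.append(Finding(source, line_no, brand, mask_pan(digits)))
    return findings


def in_scope_sources(findings: List[Finding]) -> List[str]:
    """Anything holding a PAN is in the CDE until it is proven otherwise."""
    return sorted({f.source for f in findings})


# Constructed sample: a POS gateway log that should never carry clear-text PANs.
# The Luhn-valid numbers are the industry's public test numbers; the one on the
# declined line fails Luhn on purpose; the order_id is a 16-digit decoy.
SAMPLE_LOG = """\
2013-02-11 10:02:13 POS-0412 auth ok pan=4111 1111 1111 1111 amount=42.10
2013-02-11 10:02:14 POS-0412 auth ok pan=5555-5555-5555-4444 amount=9.99
2013-02-11 10:03:01 WEB order_id=1234567890123456 status=shipped
2013-02-11 10:04:17 POS-0077 auth declined pan=4111111111111112
2013-02-11 10:05:40 SUPPORT ticket note: customer read card 378282246310005 over phone
"""

if __name__ == "__main__":
    hits = scan_text("posgw/app.log", SAMPLE_LOG)
    for f in hits:
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked_pan}")
    print("in scope:", in_scope_sources(hits))
```

The regex is intentionally loose and the Luhn and prefix checks do the filtering; a production discovery run would also look inside databases and file shares, handle numbers split across line breaks, and treat every hit as a scope finding to be traced back to the data flow, not merely deleted.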

Figure 5: Tracking PCI Readiness for ROC Status (horizontal stacked bars, 0% to 100% of each requirement's controls; legend: In-place, In-progress, Not-started)

Requirement (controls)    | Bar segment counts as printed
Req 12 (40)               | 40
Req 11 (24)               | 2, 22
Req 10 (29)               | 1, 28
Req 9 (28)                | 28
Req 8 (32)                | 10, 22
Req 7 (7)                 | 7 (N/A)
Req 6 (32)                | 32
Req 5 (6)                 | 6
Req 4 (9)                 | 6, 3
Req 3 (34)                | 23, 11
Req 2 (24)                | 1, 23
Req 1 (25)                | 25
Compensating controls (4) | 4



Figure 6: Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas

PCI Remediation: Project Timeline Dashboard, as of 11-Mar-11 (weekly timeline columns 2/20 through 4/23 not reproduced). Columns: % of tasks complete at 2/29, % of tasks complete at 3/11 (current), planned %, variance (current minus plan), status.

Overall: 2/29 90% | 3/11 98% | Plan 100% | Var -2%

Project Name                               | ID    | Owner           | Start | End   | 2/29 | 3/11 | Plan | Var  | Status
Scope Reductions                           |       |                 |       |       | 78%  | 98%  | 100% | -2%  |
Scope Reduction Activity A                 |       | Joyce A J       | 6/1   | 10/3  | 100% | 100% | 100% | -    | Completed
Scope Reduction Activity B                 |       | Michael A       | 6/1   | 7/31  | 100% | 100% | 100% | -    | Completed
Scope Reduction Activity C                 |       | John G          | 1/9   | 3/17  | 100% | 100% | 100% | -    | Completed
Scope Reduction Activity D                 |       | John G          | 2/27  | 3/19  | 13%  | 99%  | 100% | -1%  | In Progress
Network Infrastructure                     | 1.1   |                 |       |       | 99%  | 99%  | 100% | -1%  |
Firewall Configuration / Routers           | 1.1.1 | Anna P          | 9/6   | 3/15  | 96%  | 99%  | 100% | -1%  | In Progress
Vendor Defaults                            | 1.1.2 | John G          | 7/13  | 11/15 | -    | -    | -    | -    | Completed
System Configurations                      | 1.1.3 | John G          | 8/8   | 11/15 | -    | -    | -    | -    | Completed
Password Encryption                        | 1.1.4 | Pam A           | 7/13  | 10/12 | -    | -    | -    | -    | Completed
Encryption and Data Protection             | 1.2   |                 |       |       | 94%  | 99%  | 100% | -1%  |
Data Storage and Retention                 | 1.2.1 | John G / Anna P | 10/19 | 4/6   | 92%  | 99%  | 100% | -1%  | In Progress
Data Transmission                          | 1.2.2 | John G / Anna P | 11/8  | 3/28  | 92%  | 99%  | 100% | -1%  | In Progress
Encryption of Keys (PIN, PAN)              | 1.2.3 | John G / Anna P | 10/3  | 4/2   | 90%  | 99%  | 100% | -1%  | In Progress
Data Protection                            | 1.2.4 | Pam A           | 8/19  | 3/28  | 98%  | 100% | 100% | -    | Completed
Vulnerability Management                   | 1.3   |                 |       |       | 95%  | 99%  | 100% | -1%  |
Anti-virus                                 | 1.3.1 | Pam A           | 7/18  | 4/3   | 95%  | 98%  | 100% | -2%  | In Progress
Patch Management                           | 1.3.2 | Pam A           | 7/25  | 4/5   | 97%  | 99%  | 100% | -1%  | In Progress
Vulnerability Management                   | 1.3.3 | Anna P          | 10/3  | 4/6   | 93%  | 99%  | 100% | -1%  | In Progress
Software Life Cycle Management             | 1.3.4 | Pam A           | 6/1   | 4/6   | 92%  | 99%  | 100% | -1%  | In Progress
Web Application Firewalls                  | 1.3.5 | John G          | 9/19  | 2/3   | 99%  | 99%  | 100% | -1%  | In Progress
Access Control                             | 1.4   |                 |       |       | 77%  | 99%  | 100% | -1%  |
Access Control                             | 1.4.1 | Anna P          | 9/1   | 3/28  | 99%  | 99%  | 100% | -1%  | In Progress
Two Factor Authentication                  | 1.4.2 | Anna P          | 9/28  | 3/31  | 71%  | 99%  | 100% | -1%  | In Progress
RADIUS                                     | 1.4.3 | Pam A           | 9/28  | 3/31  | 71%  | 99%  | 100% | -1%  | In Progress
Password Management                        | 1.4.4 | John G / Pam A  | 9/28  | 3/31  | 71%  | 75%  | 85%  | -10% | In Progress
Facility Management                        | 1.4.5 | Peter K         | 9/28  | 3/31  | 71%  | 75%  | 85%  | -10% | In Progress
Physical User Access                       | 1.4.6 | Peter K         | 9/28  | 3/31  | 71%  | 75%  | 90%  | -15% | In Progress
Storage Media                              | 1.4.7 | Peter K         | 9/28  | 3/31  | 71%  | 75%  | 90%  | -15% | In Progress
Network Monitoring                         | 1.5   |                 |       |       | 62%  | 87%  | 100% | -13% |
Audit Logging                              | 1.5.1 | Anna P          | 10/12 | 4/15  | 82%  | 94%  | 100% | -6%  | In Progress
Time Synchronization (NTP)                 | 1.5.2 | Pam A           | 9/30  | 4/10  | 98%  | 99%  | 100% | -1%  | In Progress
Wireless Access Monitoring                 | 1.5.3 | John G / Pam A  | 10/19 | 4/20  | 79%  | 90%  | 100% | -10% | In Progress
Internal / External Vulnerability Scanning | 1.5.4 | Peter K         | 12/15 | 4/10  | 75%  | 90%  | 100% | -10% | In Progress
Internal / External Penetration            | 1.5.5 | Peter K         | 2/27  | 4/10  | 76%  | 83%  | 100% | -17% | In Progress
Intrusion Detection                        | 1.5.6 | Pam A           | 10/11 | 4/10  | 69%  | 99%  | 100% | -1%  | In Progress
File Integrity Monitoring                  | 1.5.7 | John G          | 10/11 | 4/7   | 69%  | 99%  | 100% | -1%  | In Progress
Security Policies Management               | 1.6   |                 |       |       | 62%  | 87%  | 100% | -13% |
Security Policy                            | 1.6.1 | Pam A           | 10/19 | 4/5   | 49%  | 100% | 100% | 0%   | Completed
Use Policy                                 | 1.6.2 | Peter K         | 10/7  | 12/5  | -    | -    | 100% |      | Completed
Information Security Policy                | 1.6.3 | Peter K         | 10/7  | 12/5  | -    | -    | 100% |      | Completed
Security Awareness                         | 1.6.4 | Peter K         | 10/7  | 12/5  | -    | -    | 100% |      | Completed
HR Policy                                  | 1.6.5 | Peter K         | 10/7  | 12/5  | -    | -    | 100% |      | Completed
Vendor Policies                            | 1.6.6 | Mike A          | 10/7  | 12/5  | -    | -    | 100% |      | Completed
Incident Response Planning                 | 1.6.7 | Mike A          | 11/7  | 1/27  | -    | -    | 100% |      | Completed

Status legend: In Progress (variance <10%); At Risk (variance 10-19%); Late (variance >19%); Not Started; Completed; On-hold.
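Figures 5 and 6 are two views of the same tracking data: control status rolled up per PCI DSS requirement, and workstream completion against plan with the variance bands in the Figure 6 legend. The following is an added example, not a Cognizant tool or code from this white paper: a Python rollup that computes per-requirement readiness from a control inventory (controls marked N/A are excluded from the denominator, as for the Req 7 bar in Figure 5), lists the open controls a QSA would still want closed, and classifies a workstream from its current and planned percentages using the legend's bands. The control list and status values are constructed for the example.

```python
"""Control-status rollup for ROC readiness (added example; sample data is constructed)."""
from typing import Dict, Iterable, List, Tuple

STATUSES = ("In-place", "In-progress", "Not-started", "N/A")

# (requirement, control id, status). Constructed; a real tracker carries the
# full PCI DSS sub-requirement list (290 controls in the case study above).
SAMPLE_CONTROLS: List[Tuple[str, str, str]] = [
    ("Req1", "1.1.1", "In-place"),
    ("Req1", "1.1.5", "In-place"),
    ("Req1", "1.2.1", "In-place"),
    ("Req3", "3.3", "In-place"),
    ("Req3", "3.4", "In-progress"),
    ("Req3", "3.6.4", "In-place"),
    ("Req7", "7.1", "N/A"),             # Figure 5 shows Req 7 as N/A for that client
    ("Req11", "11.2", "In-place"),
    ("Req11", "11.3", "Not-started"),
]


def requirement_readiness(controls: Iterable[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Per-requirement status counts and the share of applicable controls in place."""
    by_req: Dict[str, Dict[str, int]] = {}
    for req, _cid, status in controls:
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for {req}")
        by_req.setdefault(req, {s: 0 for s in STATUSES})[status] += 1
    out: Dict[str, dict] = {}
    for req, counts in by_req.items():
        applicable = sum(counts[s] for s in STATUSES if s != "N/A")
        # A requirement with no applicable controls is not a gap.
        pct = 100.0 if applicable == 0 else 100.0 * counts["In-place"] / applicable
        out[req] = {**counts, "applicable": applicable, "ready_pct": round(pct, 1)}
    return out


def open_controls(controls: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """The punch list: every applicable control not yet in place."""
    return [c for c in controls if c[2] in ("In-progress", "Not-started")]


def roc_ready(readiness: Dict[str, dict]) -> bool:
    """A ROC needs every applicable control in place, in every requirement."""
    return all(r["ready_pct"] == 100.0 for r in readiness.values())


def workstream_status(current_pct: float, plan_pct: float) -> str:
    """Figure 6 legend bands, with variance = plan % minus current %."""
    if current_pct >= 100:
        return "Completed"
    if current_pct == 0 and plan_pct == 0:
        return "Not Started"
    variance = plan_pct - current_pct
    if variance > 19:
        return "Late"
    if variance >= 10:
        return "At Risk"
    return "In Progress"


if __name__ == "__main__":
    readiness = requirement_readiness(SAMPLE_CONTROLS)
    for req, r in readiness.items():
        print(f"{req}: {r['In-place']}/{r['applicable']} in place ({r['ready_pct']}%)")
    print("ROC ready:", roc_ready(readiness))
    print("open:", open_controls(SAMPLE_CONTROLS))
    for cur, plan in ((98, 100), (75, 85), (76, 100)):
        print(f"current {cur}% plan {plan}% -> {workstream_status(cur, plan)}")
```

Applied to Figure 6's own rows, the legend would classify the 1.4.6, 1.4.7 and 1.5.5 entries (variance 15% to 17%) as At Risk rather than In Progress; whichever reading is intended, the rule should be computed from the numbers rather than set by hand so that the dashboard and the readiness claim cannot drift apart.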

Step 2: Remediate

Remediation is the process of fixing vulnerabilities, including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

- Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
- Reviewing and remediating vulnerabilities found in the on-site assessment (if applicable) or through the self-assessment questionnaire process.
- Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
- Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
- Re-scanning to verify that remediation actually occurred.

Step 3: Report

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and the global payment brands that you do business with. The PCI SSC itself does not enforce PCI compliance; the payment brands and acquirers do. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large transaction flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.



Footnotes

[1] PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.

[2] The time for each of the phases varies, based on the client's infrastructure footprint and the current state of its IT processes.

[3] This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.

About the Author


Vibha Tyagi is a Principal Consultant within Cognizant's IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master's degree in electrical engineering and an M.B.A. from the University of Chicago's Booth Graduate School of Business. She can be reached at Vibha.Tyagi@cognizant.com | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: inquiry@cognizant.com

European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 20 7297 7600. Fax: +44 (0) 20 7121 0102. Email: infouk@cognizant.com

India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: inquiryindia@cognizant.com

Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is
subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
