Earlier this week, Echopass Corp. announced that it had become the first cloud-based contact center provider to achieve Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliance. The PCI Level 1 certification came just a little more than six months after the PCI Security Standards Council released a supplement to its PCI DSS 2.0 guidelines aimed specifically at cloud service providers.
Echopass Chief Information Security Officer (CISO) Dennis Empey highlighted a number of catalysts behind the company's swift push for certification, with market competitiveness being chief among them. With Echopass having as recently as August released a new product package aimed exclusively at large enterprises, he noted that PCI compliance has become a requirement for cloud providers dealing with enterprises of any size. Every contract the company negotiates with a client now has PCI DSS as a checkbox at the minimum, though in some cases, enterprises require a much deeper review and potentially even proof of an audit.
There was a competitive element to the move to Level 1 compliance, Empey was quick to admit, calling it "a basic ticket to the game" and noting that if "you can't prove that you've satisfied that requirement, you're probably not going to make that cut."
As for the changes brought forth by the February supplement, Empey said that providers previously were able to go through a self-attestation process to satisfy the needs of clients, and though that process alluded to periodic testing, vulnerability scanning and the like, there were no third-party verification requirements. Now, Empey stressed, third-party validation is a must.
"It's really no longer sufficient to just deal with it from your self-attestation. You really need to go through an audit process; you need to have the policies, procedures, technology, the architectural approach; you really need to have all of that verified, audited, tested," he said.
As Echopass prepared to adjust its security stance to meet PCI's requirements, Empey said there were two approaches available to any cloud provider. The first was to start from scratch, build a completely secure platform and migrate users to that platform. Instead, Echopass chose to segregate its existing platform based on which areas touch PCI-related data, a process Empey said was not dissimilar to "changing the tires of a racecar while it's going around the track."
Though he considered the second approach slightly more difficult, Empey described the tiered architecture as a more effective deployment model that not only provides a secure environment, but also ensures that the PCI regulatory requirements were met. In terms of how data was segregated, Echopass followed the typical PCI data breakdown of tier 1 (data that is absolutely necessary to secure), tier 2 (data connected to areas that need to be secured) and tier 3 (data that doesn't connect to or touch PCI-related areas). Even with a tiered architecture, Empey stressed that organizations must still secure the edge of the platform.
Part of that tiering process is actually figuring out what data is PCI-compliant and where that data is stored, a task that Empey said is a struggle for a lot of organizations because they "don't know what they don't know." Returning to the heightened need for validation, he advised organizations to take the necessary time to analyze, from a technical and intellectual perspective, the data in their possession so they can verify that they "have that data and know what do with it and where it is."
It doesn’t count if it's not documented
Among the most challenging aspects of maintaining PCI DSS compliance for any organization is ensuring that a thorough, robust documentation process is in place. "I think the challenge a lot of companies have is that documentation is the last thing that they think about and is really, in a lot of companies' minds, something that can wait until next time," Empey said. "If that is the case, it's very, very difficult to catch up."
Over the last two-and-a-half years, Echopass spent many hours confirming that processes were captured and kept current. Of course, the company still had to document the changes it made in the push for Level 1 certification, but according to Empey, the documentation practices they already had in place resulted in an easier path. He advised organizations that fall under PCI guidelines to document every change that is made to security processes.
While PCI compliance is often thought of as the responsibility of an IT security team, Empey emphasized that any organization that places PCI as the sole responsibility of security will not succeed. Instead, an organization must make PCI a priority throughout every group because every employee will need to take time away from their day-to-day roles occasionally for PCI guidance, training, and policy awareness and processes. In particular, the executive team needs make the regulatory requirements a stated priority, as Echopass' 2013 PCI efforts were as early as mid-2012.
"It's not a destination; you don't look at a map and choose the destination as being PCI-compliant and say, 'Let's celebrate. Let's call it a day and move on to the next challenge,'" Empey commented. "You are making a permanent behavioral and process and maturity change to your organization, and you really have to commit to that."