How does ITIL map into PCI DSS?
I have the fortunate task of managing the technical aspects of a large national retailer's PCI DSS roadmap. I suppose I should make it clear very early on that this posting is not directly about PCI, and I will try to ensure that I keep my own personal views about the whole PCI debate out of this blog.
What I want to try and focus on is how a number of the ITIL processes directly support either achieving PCI compliance or keeping your business in a compliant state. Once again, it's worth mentioning that Goitil does target SMEs as the recipients of these blog articles, which would probably put them in the level 4 and 3 categories, but the principles outlined here would suit level 2 and 1 merchants just as well.
Immediately, standard 1.1.1 (tested by "verify there is a formal process for testing and approval of all network connections and changes to firewall and router configurations") shouts out "Change Management", whilst 1.1.2a (tested by "verify that a current network diagram exists and that it documents connections to the cardholder data") points immediately to "Service Asset and Configuration Management".
1.1.2b requires verification that the diagram is kept current (Change Management again), and 1.4a asks the QSA to verify that mobile and/or employee-owned computers with direct connectivity to the internet have personal firewall software installed and active. This starts to move towards Information Security Management.
Risk Management will underpin a number of the issues highlighted as part of your PCI journey, whilst the whole concept of Service Design and Service Transition will certainly reduce rework and exposure to new PCI vulnerabilities, provided PCI is considered during the design and transition phases.
When I started thinking about this topic, my original plan was to map all 174 standards to the ITIL processes! But having thumbed through the standards, do you know, it's actually obvious where they fit!
Now I'm not saying I'm not going to do that, but that really is for another day. I think the conclusion of this article is to realise that PCI and ITIL have a very close fit. Depending on where you are on your PCI roadmap, you can either use ITIL to help you close the gap and achieve some of the standards in a more efficient way, or, if you are near enough there, ensure that your level of compliance is maintained by using ITIL as your management framework.
If you would like more assistance on using ITIL with your PCI compliance programme, or you are an SME who would like some support in this area, please do not hesitate to get in contact.
