PCI Change Management: Emails Enough?

TL;DR

No, simple emails aren’t enough for PCI compliance change management. While they can support the process, you need a documented system with approvals, testing, and audit trails. This guide explains what you need to do.

1. Why Emails Aren’t Enough

PCI DSS (Payment Card Industry Data Security Standard) requires you to control changes to your systems. Emails lack the necessary controls for several reasons:

• Lack of Audit Trail: It’s hard to prove what was approved, when, and by whom with just emails.
• No Formal Testing Record: Emails don’t show that changes were tested before going live.
• Insufficient Documentation: Details about the change itself (what was changed, why, how) are often missing or scattered across email threads.
• Accountability Issues: It’s difficult to assign clear responsibility for a change and its impact.

2. What PCI DSS Requires

PCI DSS requirement 6.3 specifically addresses change management:

• Documented Change Control Process: You need a written procedure outlining how changes are requested, approved, tested, and implemented.
• Risk Assessment: Changes should be assessed for potential impact on the security of cardholder data.
• Testing: All changes must be thoroughly tested before being deployed to production.
• Approval: Changes need approval from authorized personnel.
• Audit Trail: You must keep records of all change control activities, including requests, approvals, testing results, and implementation details.

3. Building a Compliant Change Management Process

Here’s how to create a process that meets PCI DSS requirements:

1. Create a Change Request Form: This form should capture essential information about the proposed change, including:
   • Change Title
   • Description of the Change
   • Reason for the Change
   • Impact Assessment (potential risks to cardholder data)
   • Testing Plan
   • Rollback Plan (what to do if the change fails)
   • Affected Systems
   • Requestor Information
2. Establish an Approval Workflow: Define who needs to approve changes based on their risk level. This might involve:
   • System Owner
   • Security Team
   • Change Advisory Board (CAB) – for significant changes
3. Implement a Testing Process: Before deploying any change to production, it must be tested in a non-production environment. Document the testing results.
   • Create test cases that cover all aspects of the change.
   • Record the results of each test case (pass/fail).
   • Obtain sign-off from testers confirming successful completion.
4. Maintain an Audit Trail: Keep a record of every step in the change management process, including:
   • Change Request Form
   • Approval Records (dates, names)
   • Testing Results
   • Implementation Details (date, time, who implemented it)

4. Tools to Help

You don’t need expensive software, but tools can help streamline the process:

• Spreadsheets: A simple spreadsheet can be used for basic change request tracking and approval (though it’s harder to audit).
• Ticketing Systems: Tools like Jira, ServiceNow, or Zendesk can manage change requests as tickets.
• Dedicated Change Management Software: More sophisticated tools offer features like risk assessment, automated workflows, and reporting.

5. How Emails Can Fit In

Emails can be used for:

• Notifications: To alert stakeholders when a change request is submitted or approved.
• Reminders: To remind testers to perform tests.
• Communication: For quick updates on the status of changes.

But always link back to the official change record (form, ticket) for complete information.

6. Example Workflow Snippet

This is a simplified example using a ticketing system:

# Assuming a Jira workflow
1. User submits Change Request via Jira.
2. Jira automatically assigns the ticket to System Owner for approval.
3. System Owner approves/rejects (with comments).
4. If approved, ticket is assigned to Testing Team.
5. Testing Team performs tests and updates ticket with results.
6. Once testing passes, ticket is assigned to Implementation Team.
7. Implementation Team deploys change and marks the ticket as 'Closed'.

7. Key Takeaway

Relying solely on emails for PCI DSS compliant change management is a significant risk. Implement a documented process with approvals, testing, and audit trails to protect cardholder data and avoid potential fines.