
PCI DSS approach

by msecadm4921

Continuous monitoring, vulnerability scanning, remediation and annual renewal of PCI DSS (Payment Card Industry Data Security Standard) certification need to be ongoing in order to meet and maintain this essential ecommerce standard, writes Gerard Curtin, CEO of PixAlert. For merchants or service providers that process credit cards in order to sell goods and services online, achieving PCI DSS compliance can be a long, costly and difficult process, but it is imperative in order to protect credit card information from fraud and misuse.

Increasingly, organisations are so focused on achieving compliance that they often miss the bigger, more important picture of ensuring consistent corporate data security through effective risk management. Achieving reliable and continuous information security requires a risk-based approach and should not be driven by annual compliance metrics.

The ‘checkbox mentality’ of meeting regulatory PCI compliance may help pass audit requirements, but it does not address the real threats waiting to exploit cardholder data (CHD) vulnerabilities. Nor does it adequately protect customers’ highly personal and sensitive data, which businesses have a responsibility to safeguard continuously throughout its lifecycle.

This principle has recently been expressed by Verizon Business (2011 Payment Card Industry Compliance Report), which suggests that organisations often struggle to maintain continuous PCI DSS compliance, implying that they treat the standard as a goal rather than an ongoing security initiative. This was based on findings from more than 100 PCI DSS assessments, which also examined how well organisations comply with the 12 specific PCI requirements set out within the standard.
Organisations appear to achieve compliance but fail to maintain that state through the next assessment period. This suggests that compliance is treated as a ‘checklist’ exercise rather than a continuous process, which misses the point of the standard. Verizon’s report also suggests that companies become overconfident once they achieve compliance in an earlier assessment and assume they can walk through it easily again, which now appears not to be the case.

A ‘compliance is good enough’ approach has been proven to be insufficient: businesses are failing to take a risk-based approach to security threats, one that applies security policies and technologies first to the systems at highest risk of being attacked.

CHD Compliant But Not Secure
Compounding the ‘checklist’ approach to compliance, in a recent webinar titled Identifying and Detecting Security Breaches, Visa reported that most reported data breaches came from systems outside the audited payment network environment. This means that while the organisation was compliant, its data was not secure.

A second study, recently undertaken by a US data security vendor*, revealed over 370 million unencrypted cards on business and home networks of various sizes, with the largest number of payment cards discovered in a single network scan at over 96 million. The study concluded that card discovery and deletion should not be a one-time event and must be part of regular business operations if it is to have an impact on security.

A comprehensive audit of all network data stores and resources is required to ensure that all CHD is systematically identified and protected. CHD discovery audits provide a fully automated mechanism to find where cardholder data is stored on any part of the corporate network. The audit should scan an entire network and comprehensively identify all CHD residing across all unstructured and semi-structured data stores.

Gaining visibility to understand risk  

A key component of the PCI DSS path is gaining visibility over the extent of an organisation’s CHD. CSOs, security staff and IT administrators need to be provided with this highly relevant information in order to fully document where CHD is located and to perform an updated risk assessment on a continuous basis. Performing this regularly validates the scope of compliance and ensures that cardholder data is not being inadvertently stored outside the cardholder data environment. This process enables an organisation to understand the scope and scale of its CHD exposures while creating the necessary groundwork for successful certification.

Once CHD is identified and collected, organisations must be able to demonstrate to security auditors that appropriate security measures are in place to protect the data throughout its lifecycle within the organisation. The ability to discover and map CHD throughout the network is of key benefit to this process. It allows businesses to gain full control over where CHD is being stored, transmitted or processed, enabling them to properly implement and manage the technical, procedural and skills-transfer controls required by PCI DSS.

CHD Discovery Audit

- Comprehensive scanning of all network-wide resources helps an organisation discover and identify where CHD components (both structured and semi-structured card details) are stored on its network.

- Intelligent and actionable reporting provides users with visibility and control over the extent of their CHD components (both in and out of the in-scope environment). In identifying vulnerabilities, it enables an organisation to take proactive, corrective action through analysis and remediation, allowing the implementation of proper controls and updated risk assessments.

Re-Audit

- Regular audits help to demonstrate that PCI DSS is being continuously monitored and maintained through automated scans and reporting structures, which ensure that consistent security measures and compliance standards are upheld constantly.
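The discovery audit and re-audit described above come down to one repeatable check: sweep data stores for unencrypted primary account numbers and report where they sit, without copying the numbers into the report. The following is an added illustration (not PixAlert’s product or code) of that core step on a constructed sample export: it finds 13 to 19 digit runs, confirms them with the Luhn check to weed out timestamps and order IDs, and records only a masked PAN with its source and line so the output can go to a risk assessment rather than become another CHD store.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which would be an ID or hash, not a card).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_chd(text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid PAN: source, line number, masked PAN."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append({"source": source, "line": lineno,
                                 "masked": mask_pan(digits), "length": len(digits)})
    return findings


# Constructed sample: an order export that leaked PANs, plus noise that must not match.
SAMPLE_EXPORT = """\
order_id,customer,pan,amount
10042,alice,4111111111111111,19.99
10043,bob,5555 5555 5555 4444,42.00
10044,carol,1234567890123456,7.50
log: 2012-04-24 payment gateway timeout after 30000 ms
"""

if __name__ == "__main__":
    for f in find_chd(SAMPLE_EXPORT, "exports/orders.csv"):
        print(f"{f['source']}:{f['line']} PAN {f['masked']} ({f['length']} digits)")
```

The third row is a 16-digit number that fails Luhn and is correctly skipped, which is the difference between a CHD finding and a false positive that wastes remediation time.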

Long term gains

In addition to achieving PCI certification more quickly and efficiently, long-term strategic benefits can also be realised:

- Reduce and manage risk: manage risk through continuous PCI capability assessment and reduce CHD loss/leakage incident rates
- Maintain and ensure PCI DSS re-certification
- Reduce cost and increase efficiencies: through an automated and integrated process, realise a greater ROI through improved resource efficiencies
- Improve customer security: reduce reputational exposure and the financial consequences associated with compromised customer security
- Improve business effectiveness: a strong security infrastructure enables faster and easier access to corporate data

Summary

PCI DSS compliance is an imperative standard for conducting online business transactions securely. By adopting a more proactive, preventative approach to maintaining CHD security through regular auditing, remediation and reporting, organisations will realise a more positive risk reduction outcome rather than simply a one-off validation exercise.

PixAlert is exhibiting at stand A75 at Infosecurity Europe 2012, from April 24 to 26, 2012 at Earl’s Court, London. The event provides a free education programme, and exhibitors showcasing new and emerging technologies. For information, visit www.infosec.co.uk.

© 2024 Professional Security Magazine. All rights reserved.