Wednesday, 6 July 2011

The PCI DSS - Want Some Advice?

If you are a Payment Card Merchant looking for advice on getting PCI compliant then you are in good company. The following is based on information which a number of retailers and associated payment card service providers have been telling us over the past few months with respect to the PCI DSS.

Whilst we find there is strong understanding within Tier 1 merchants (6 million transactions per year), these organizations, in common with smaller merchants, are keen to hold off on major spending. The likely cost of a PCI DSS initiative is covered in a subsequent article.

There is some common sense in a 'wait and see' strategy: the PCI DSS may well see changes introduced in future. That is not, however, a good reason to delay implementing a serious security strategy now. The big talking points of the moment are Tokenization and End to End Encryption (also known as Point to Point Encryption), and both will have a role to play in future, but there are plenty of sound PCI DSS measures that should be implemented right now.

Furthermore, the entire premise of the PCI DSS is that a wide and diverse range of security measures is required, combining technological defenses with sound procedural practice.
For instance, Event Log management and File Integrity Monitoring are both essential PCI DSS requirements. They can often be implemented quickly and for minimal expense, and between them take care of around 30% of PCI DSS requirements. You can calculate your own PCI compliance score using the PCI Security Standards Council's Prioritized Approach Tool spreadsheet, available as a free download from the Council's website.
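File Integrity Monitoring at its simplest is a hashed baseline of the files that matter, compared periodically against the live system. The following is an added example, not code from the original post or from any vendor product: it baselines a directory (hash, size and permission bits per file) and then reports what has been added, removed or changed. The directory, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the original post or any vendor product): a minimal
# file integrity baseline and comparison. All paths and file contents used in
# demo() are constructed for the demonstration.


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a config directory, alter it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=payments-db\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Changes an FIM run should flag: an edit, a deletion and a new file.
        (root / "etc" / "app.conf").write_text("db_host=unreviewed-host\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.sh").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored off-host (or signed) so that whoever alters a monitored file cannot also alter the record it is compared against, and the comparison output would be forwarded to the same central log server as the event logs.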

The PCI Security Standards Council website provides a wealth of information for understanding and navigating the PCI DSS. User forums such as the LinkedIn PCI DSS Compliance Specialist and vendor blogs and websites are also good sources of free information. Typical estimates suggest as many as 35% of retail, hospitality and entertainment organizations still do not understand compliance requirements.

However, understanding how other organizations have dealt with the challenges you are facing is the best way to approach PCI Compliance with a clear view of where you are likely to end up in terms of investment and procedural development. There are cautionary tales in the marketplace to heed, such as the Tier 1 Retailer that jumped in feet-first with a logging solution, only to find it needed a team of eight additional personnel to run and manage the system. That says more about the need to go into PCI Compliance measures with your eyes open than about the real demands of a good PCI event log management system, but it illustrates how easy it is to get this wrong if you do not get good advice before you begin spending money.
Nearly all vendors will provide a free trial of any PCI compliance software solution. Wherever your PCI DSS program requires investment and changes to in-house procedures, use those trials to make sure you can see the big picture for day-to-day operation.

Implementing a PCI log server needn't take very long, and the process of running a syslog server trial will show you what you need to log and how much work will be needed.
For instance, Windows Servers will need some form of Windows syslog agent installed so that events can be forwarded to the central PCI log server and backed up centrally. You will also need to change the audit settings in either Group Policy or the Local Security Policy, and review the Windows event log settings, so that logons, privilege usage, policy changes, and object access, creation and changes are all audited and backed up in accordance with the PCI DSS.

You'll then need to implement logging for your Unix and Linux hosts, AS/400 and mainframe, and configure syslog logging for your firewalls, switches and routers.

The whole process need not take more than a few hours. As well as showing how much work is likely to be required to get your estate PCI compliant, it will help you appreciate the PCI DSS philosophy: not just access controls preventing access to card holder data, but active monitoring of changes, coupled with a full, forensic-detail audit trail.
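A log server trial is most useful if you can see which of the event categories the PCI DSS asks for are actually reaching the central server from each host. The following is an added example, not code from the original post or from any particular syslog agent or log server product: it parses RFC 3164-style syslog lines as a central log server would receive them and reports, per host, which categories (logons, privilege use, policy changes, object access) have been seen and which are still missing. The host names and log lines are constructed; the Windows lines use a generic `EventID=` rendering rather than any specific agent's format, while the Windows Security event IDs and the sshd/sudo message shapes are the standard ones.

```python
import re
from collections import defaultdict

# Added example, not code from the original post. It parses syslog lines as a
# central PCI log server would receive them and reports, per host, which
# PCI DSS Requirement 10 event categories are actually arriving. Sample lines
# and host names are constructed; the Windows "EventID=" rendering is generic,
# not any particular agent's format.

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # e.g. "Jul  6 10:15:02"
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Windows Security log event IDs grouped by the category they evidence.
WINDOWS_EVENT_CATEGORY = {
    4624: "logon", 4625: "logon", 4634: "logon",
    4672: "privilege_use", 4673: "privilege_use",
    4719: "policy_change", 4739: "policy_change",
    4660: "object_access", 4663: "object_access",
    4720: "account_management", 4726: "account_management", 4732: "account_management",
}

# Message-text patterns for Unix-like hosts and network devices.
TEXT_PATTERNS = [
    (re.compile(r"sshd\[\d+\]: (Accepted|Failed) "), "logon"),
    (re.compile(r"\bsudo: "), "privilege_use"),
    (re.compile(r"\buseradd\[\d+\]: "), "account_management"),
    (re.compile(r"config(uration)? change", re.IGNORECASE), "policy_change"),
]

# Categories every in-scope host should be sending before the trial is "done".
REQUIRED = ("logon", "privilege_use", "policy_change", "object_access")


def parse_syslog(line: str):
    """Split a BSD-syslog line into PRI fields, timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def categorize(msg: str):
    """Map a message to a PCI event category, or None if it is not one we track."""
    m = re.search(r"EventID=(\d+)", msg)
    if m:
        return WINDOWS_EVENT_CATEGORY.get(int(m.group(1)))
    for pattern, category in TEXT_PATTERNS:
        if pattern.search(msg):
            return category
    return None


def coverage_report(lines):
    """Per host: categories seen, required categories missing; plus unparsable lines."""
    seen = defaultdict(set)
    unparsed = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed.append(line)
            continue
        seen[rec["host"]]  # register the host even if nothing categorizable arrives
        category = categorize(rec["msg"])
        if category:
            seen[rec["host"]].add(category)
    report = {host: {"seen": sorted(cats),
                     "missing": [c for c in REQUIRED if c not in cats]}
              for host, cats in seen.items()}
    return report, unparsed


# Constructed sample feed: one Windows host, one Linux host, one firewall, one junk line.
SAMPLE_LINES = [
    "<14>Jul  6 10:15:02 pos-win01 Security: EventID=4624 An account was successfully logged on. Account Name: jsmith",
    "<14>Jul  6 10:15:03 pos-win01 Security: EventID=4672 Special privileges assigned to new logon. Account Name: jsmith",
    "<14>Jul  6 10:15:04 pos-win01 Security: EventID=4719 System audit policy was changed.",
    "<14>Jul  6 10:15:05 pos-win01 Security: EventID=4663 An attempt was made to access an object. Object Name: C:\\PAN\\batch.dat",
    "<86>Jul  6 10:15:07 pos-lnx01 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51122 ssh2",
    "<85>Jul  6 10:15:09 pos-lnx01 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/systemctl restart rsyslog",
    "<188>Jul  6 10:15:11 fw01 mgmt: configuration change committed by admin from 10.0.0.9",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    report, unparsed = coverage_report(SAMPLE_LINES)
    for host, status in sorted(report.items()):
        print(f"{host}: seen={status['seen']} missing={status['missing']}")
    print(f"unparsed lines: {len(unparsed)}")
```

Run against the constructed feed, the Windows host shows all four required categories, the Linux host is missing policy-change and object-access events (which on Linux typically means auditd is not yet feeding syslog), and the firewall only shows configuration changes. Those gaps, together with the count of lines the parser could not read, are exactly the "how much work is needed" picture the trial is meant to give.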
