Friday 6 May 2011

Retail Systems Forum Approaches - 'Complicated, Expensive and Time-Consuming – but the PCI DSS isn’t going away'

Just 2 weeks now until this year's Retail Systems Forum being held at Microsoft's UK HQ in Reading - see http://www.retailsystemsforum.co.uk/

NNT are presenting one of the sessions -'Complicated, Expensive and Time-Consuming – but the PCI DSS isn’t going away'

  • The PCI DSS in 2011 – Attitudes and Opinions from Multi Channel retailers in the UK
  • Strategies available – what is working and what are others getting away with?
  • Common Sense or Technology?
  • Are the goalposts moving (or going to move)?
I have only just finished the presentation for the deadline so at least it is topical and up to date!

I am talking about some of the feedback we have had from PCI DSS customers over the past few months, such as

- Duck it! “The future is too unclear to make any investment...”
- Paralysis! “We don’t want to make mistakes like xyz...”
- Ignore it! “We don’t need to bother – we’ve been OK so far and we view the risks as low...”
- Go Slow! “We have kept some updated procedural stuff back and if we drip-feed this to the Bank over the next two quarters then we are covered for the next few months...”

How much does it cost to procrastinate, delay and ignore the requirements of the PCI DSS? Wouldn't it be a better use of resources to embrace the PCI DSS, understand its intentions and methods, then apply these to your organization? You need a security policy, so why not take the 'off the shelf' option on offer in the knowledge that this is a well-thought out, widely implemented and tested standard that works?

In all the instances referenced above, we ended up delivering solutions to the various PCI DSS requirements

- File Integrity Monitoring (PCI Requirement 11.5) essentially, this requires the PCI Merchant to keep tabs on any changes made to the configuration of firewalls, switches and routers in the network, ensure that windows operating system files and program files on EPoS devices and servers don't change, and to track any access to Card Data files
- Device Hardening (PCI Requirements 2,6,8,10 and 11) a configuration and set-up process for all servers, EPoS devices, PCs and network devices, whereby the 'built-in' weaknesses and vulnerabilities present are removed or minimized.
- Centralized Event Log Management (PCI Requirement 10) gives both a pro-active security monitoring capability and a full, 'forensic' audit trail to use in the event of a breach
- Change Management (PCI Requirements 1,2,6,8,10 and 11) underpins all PCI DSS requirements, in as much as once your PCI Estate is secure, you need to ensure you keep it that way, so reducing changes and for those that are made, make sure they are planned, documented and approved. Change Tracker reconciles changes that are made with details of the intended change

The RSF format is to not get too technical nor be product-oriented, so the presentation will shy away from even this level of detail.

I hope the event can be recorded and published on www.nntws.com for anyone who can't make the event in person.