Monday 18 July 2011

The PCI DSS - Want Some More Advice?

Where to start with PCI Compliance? The PCI DSS is well thought out, utterly comprehensive but man - it's big!
The PCI DSS is also not at all easy to understand, and even less easy to apply to your own situation. The headlines are as follows:

  • 12 Requirements
  • but 230 sub-requirements
  • and some estimates of 650 detail points

The PCI DSS in 2011 remains an ongoing challenge for the overwhelming majority of PCI Merchants. The following is based on feedback from working with a number of casino resorts, theme parks, ferry services and call centers over the past few months, and the figures make interesting reading for any other PCI Merchant wanting advice about PCI compliance.

Typically, one in every two Tier 2 and Tier 3 Merchants admit they do not understand the requirements of the PCI DSS. If you are either still working on implementing compliance measures identified in pre-audit surveys, or are not compliant and doing nothing about it, or are leaving everything to the last minute, don't be too hard on yourself - nine out of ten Merchants are at the same stage.
In fact, it is fine to have a phased, prioritized approach, and the PCI Security Standards Council fully recommends this strategy, mindful that Rome wasn't built in a day.

Prioritizing PCI Compliance Measures
With so much ground to cover, prioritizing measures is a must, and indeed the recently released 'Prioritized Approach for PCI DSS Version 2.0' from the PCI Security Standards Council website is an essential document for anyone working out where to start.

Although the PCI DSS is sectioned loosely around twelve headline Requirements in terms of technologies (Firewalling, Anti-Virus, Logging and Audit Trails, File Integrity Monitoring, Device Hardening and Card Data Encryption) - and procedures and processes (physical security, education of staff, development and testing procedures, change management), you soon realize that there are threads that run horizontally through all requirements.

In this respect there is potentially a good argument for the creation of other versions of the PCI DSS oriented around procedural dimensions, such as password policies for all disciplines and devices, or change management for all disciplines and devices, and so on. Whilst the Prioritized Approach gives a good framework for planning and measuring progress, it is strongly advised that you also look up at every step and see which other requirements can be taken care of by the same measure being implemented.

For instance, file integrity monitoring is specifically called for only in Requirements 10.5.5 (change detection on log files) and 11.5, yet a good FIM solution will also underpin Requirements 1, 2, 3, 4, 5, 6, 7, 8, 10 and 12, because each of those covers configuration files, binaries or access-control settings whose unauthorized change you need to detect.
The general advice is that, even though it is very daunting, if you can get 'intimate' with the PCI DSS, both in spirit and in detail, then as with everything else in life, the better informed you are, the more in control you will be, and the less money and sweat will be wasted.

If you consider Requirement 1 of the PCI DSS, this is oriented around the need for a firewall and a fundamentally secure network design. However, you quickly end up with a secondary list of questions and queries. Do we need a diagramming tool? Do we need to automate the monitoring of firewall rule changes? (Incidentally, this is a task easily done using a good file integrity monitoring product) What is our Change Management Process? Is it documented?
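The firewall rule-change monitoring mentioned above comes down to a baseline-and-compare loop over exported configurations. The following is an added example, not code from the original post or from any product: the directory layout, file names and iptables rule text are constructed, and the `*.rules`/`*.conf`/`*.cfg` naming of exported configs is an assumption.

```python
"""Baseline-and-compare file integrity check for exported device configs.

Added example, not code from the original post. Directory layout, file
names and the iptables rule text are constructed for illustration; a real
deployment would run this against scheduled config exports from each
firewall, switch and router in scope.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MONITORED = ("*.rules", "*.conf", "*.cfg")  # assumed naming of exported configs


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path, patterns=MONITORED) -> dict:
    """Digest, size and permission bits of every monitored file under root.

    Keys are POSIX-style relative paths so a baseline can be compared across
    hosts and stored away from the files it describes.
    """
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Split the difference between two baselines into added/removed/modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        k for k in set(old) & set(new)
        if old[k]["sha256"] != new[k]["sha256"] or old[k]["mode"] != new[k]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample rule export; not a real device configuration.
RULES_V1 = """\
-A INPUT -s 10.10.0.0/16 -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
"""
# The same export after an unapproved rule opening RDP to the world.
RULES_V2 = RULES_V1.replace(
    "-A INPUT -j DROP", "-A INPUT -p tcp --dport 3389 -j ACCEPT\n-A INPUT -j DROP"
)


def demo() -> dict:
    """Baseline a config tree, simulate unapproved changes, report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fw01").mkdir()
        (root / "fw01" / "iptables.rules").write_text(RULES_V1)
        (root / "fw01" / "sshd.conf").write_text("PermitRootLogin no\n")

        # Serialize the baseline. In production keep this copy off the
        # monitored host (signed, or on write-once storage) so whoever edits
        # the rules cannot also edit the reference they are checked against.
        saved = json.dumps(take_baseline(root), sort_keys=True)

        (root / "fw01" / "iptables.rules").write_text(RULES_V2)          # rule change
        (root / "fw01" / "sshd.conf").unlink()                            # hardening removed
        (root / "fw01" / "new-device.cfg").write_text("hostname fw02\n")  # unknown file

        return compare(json.loads(saved), take_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Comparing permission bits as well as content catches the case where a rules file is made world-writable without its contents changing yet; tying each detected change back to a change-management ticket is the procedural half that the software cannot do for you.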

Summary
The PCI DSS may well challenge your pre-conceptions about what an Information Security Policy comprises - but there is plenty of help to draw upon.
In summary

  • Use vendor offers - a free trial of event log server software will let you see first-hand how much event noise you are likely to be dealing with across your estate, and how straightforward (or otherwise) an implementation might be, before you spend any money

  • Use the PCI Security Standards Council website - tools like the Prioritized Approach spreadsheet will help break down the full PCI DSS into a more manageable series of steps and priorities

  • Look for quick wins and the best 'bang for buck' measures - implementing File Integrity Monitoring software for PCI compliance can take a big bite out of the overall requirements and may be one of the simpler and more affordable steps you take

Friday 15 July 2011

The PCI DSS - Need A Little More Advice?

How much does PCI Compliance cost?
The first question that any organization will ask about PCI compliance is 'What does it cost?' (The second question typically being 'What happens if we don't get ourselves compliant?' but we can come back to this question later).

The issue of cost is a good question to ask up front but as you may have already discovered, one that is very difficult to get a straight (and reliable!) answer to.
In fact an article appeared recently in Secure Computing Magazine based on research carried out by a vendor and an independent research organization. Its premise was that not being compliant is, on 'average', about £4M more expensive than being compliant: the average cost of achieving compliance was put at £2M, against £6M for the cost of non-compliance.

You could suggest that, for product vendors within the marketplace, this is great news and that most will have a vested interest in making things seem more complicated and consequently more expensive than they are. Then there is also the issue of the need to use a Qualified Security Assessor or QSA. A QSA is trained and accredited by the PCI Security Standards Council, so their knowledge is excellent but it comes at a price.

Conversely, there is plenty of free advice available from the PCI Security Standards Council website (and from vendors too), so you can get yourself educated and in control of your organization's PCI compliance program before engaging the services of a QSA.

What is the cost of non compliance with the PCI?
Of course, there is another dimension to the question 'How much does PCI Compliance cost?' You could instead ask 'What happens if we don't get PCI Compliant?'

One approach is to assess how much your brand and reputation are worth. If your business hits the headlines for the wrong reasons because of a breach - and it will be the mainstream press now, not just the IT or retail industry press - then customers will think twice before handing their payment card details to you.
So it isn't just the fines, the cost and hassle of a forensic investigation of your security measures, or even the risk of increased transaction fees and more demanding audit pressure. A growing number of US states are bringing in legislation, such as Nevada, where the SB 227 amendment specifically requires compliance with the PCI DSS. Similarly in the UK, the Information Commissioner's Office can fine any organization found to be in breach of the UK Data Protection Act, which compels organizations to protect customer personal information.

The bottom line is that if your organization loses customer personal information it is going to get exactly the wrong kind of publicity. A customer can easily cancel a credit card and get a new number, but a lost address and date of birth cannot be reset, and they will not thank you for it!

What are the benefits of PCI compliance?
Where is the upside? A PCI log management solution will not only give you an early-warning security system but one that can also alert you to impending hardware problems. How much is it worth to know in advance that you need to replace that till hard drive before it fails on the Saturday before Christmas?

The PCI DSS also provides a well-thought out and comprehensive off-the-shelf security policy, with a ready-made mature industry and knowledge base to draw upon that can double up to govern personal information too. Other industries are trying to adopt ISO27K but this simply doesn't have the pedigree or maturity of the PCI DSS.

Eduardo Perez is now Chairman of the PCI Security Standards Council. Perez was featured in Secure Computing Magazine making it clear he wanted to dispel the 'wait and see' mindset of many merchants, saying that, despite what you will continue to read, there are simply no magic or even silver bullets for the PCI DSS. The message was clear: forget about 'buying' an off-the-shelf solution to the PCI DSS.

Merchants are advised that they will need to work at achieving PCI compliance. However much you can automate some aspects and buy products for other requirements such as Event Log Management and File Integrity Monitoring, you will always be compelled to adopt all dimensions of best practice in security management. This means removing any complacency about being compliant and not cutting corners - the PCI DSS should be a pervasive factor across all functions and departments of any organization handling payment card holder data.

Expect tokenization and point-to-point encryption (P2PE) to be embraced by the PCI Security Standards Council, but don't expect any relaxing of other measures - they want more layers of protection, with more double-checks, safety nets and good old fashioned common sense. For instance, there will always be a need for file integrity monitoring software to ensure encryption applications have not been compromised, coupled with log management software to track any access or changes to systems.

Some advice from our customers, QSA colleagues and us

  • Don't let vendors and suppliers or even your QSA tell you what you should do and buy - get educated. There is lots of free advice around, not least from the PCI Security Council themselves.

  • Don't assume you need to spend sacks of money on products and on replacing everything you have. Re-organize your network to reduce scope; recycle, for example by using your older firewall to partition your network and reduce scope further; use your existing processes and procedures, but formalize and document them; reduce your use of card data where possible; and reduce the number of people with access to that data

  • Look for quick wins - contemporary log management and intelligent audit trail systems can be implemented quickly, and even file integrity monitoring, always seen in the past as expensive and complex, is now affordable and automated

  • Make your own decisions about the risks and the potential for theft, then confirm them with your QSA - don't ask for guidance unless absolutely necessary

Wednesday 6 July 2011

The PCI DSS - Want Some Advice?

If you are a Payment Card Merchant looking for advice on getting PCI compliant then you are in good company. The following is based on information which a number of retailers and associated payment card service providers have been telling us over the past few months with respect to the PCI DSS.

Whilst we find there is strong understanding within Tier 1 merchants (those processing over 6 million transactions per year), these organizations, in common with smaller merchants, are keen to hold off on major spending. The likely cost of any PCI DSS initiative is covered in a subsequent article.

There is some common sense behind a 'wait and see' strategy: the future of the PCI DSS may well see some changes introduced. But that is not a good reason to delay implementing a serious security strategy now. The big talking points of the moment are Tokenization and End to End Encryption (aka Point to Point Encryption), and both will have a role to play in future, but right now there are plenty of good PCI DSS measures that should be implemented.

Furthermore, the entire premise of the PCI DSS is that a wide and diverse range of security measures are required, employing a combination of technological defenses and sound procedural practice.
For instance, Event Log management and File Integrity Monitoring are both essential requirements of the PCI DSS and can often be implemented quickly and for minimal expense while at the same time taking care of around 30% of PCI DSS requirements. You can calculate your own PCI compliance score by using the PCI Security Council's Prioritized Approach Tool spreadsheet, available to download free from the PCI Security Council website.

The PCI Security Standards Council website provides a wealth of information for understanding and navigating the PCI DSS. User forums such as the LinkedIn PCI DSS Compliance Specialist and vendor blogs and websites are also good sources of free information. Typical estimates suggest as many as 35% of retail, hospitality and entertainment organizations still do not understand compliance requirements.

However, understanding how other organizations have dealt with the challenges you are facing is the best way to approach PCI compliance with a clear vision of where you are likely to end up in terms of investment and procedural development. There are a number of cautionary tales in the marketplace to heed, such as a Tier 1 retailer jumping in feet-first with a logging solution, only to find that they needed eight additional staff to run and manage the system. That says more about the need to be careful about how you implement PCI compliance measures, and to go in with your eyes open, than about the real demands of a good PCI event log management system, but it illustrates how easy it is to get this wrong if you do not get good advice before you begin spending money.
Nearly all vendors will provide a free trial of any PCI compliance software solution, and where your PCI DSS program requires investment and changes to in-house procedures, use the trial to make sure you can see the big picture for day-to-day operation.

Implementation of a PCI log server needn't take very long and the overall process of implementing a syslog server trial will show you what you need to log and how much work will be needed.
For instance, Windows Servers will need some form of Windows syslog agent installed so that events can be forwarded to the central PCI log server and retained there. You will also need to change the audit settings in either Group Policy or the Local Security Policy, and review the Windows event log settings, so that logons, privilege use, policy changes, object access, and the creation and modification of accounts and objects are all audited and retained centrally in accordance with the PCI DSS.

You'll then need to implement logging for your Unix and Linux hosts, AS/400 and mainframe, together with configuring syslog logging for firewalls, switches and routers.

The whole process need not take more than a few hours, but as well as showing you how much work is likely to be required to get your estate PCI compliant, you will begin to appreciate the PCI DSS philosophy: not just access controls preventing access to card holder data, but active monitoring of changes, coupled with a full, forensic-detail audit trail.
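Once Windows, Unix/Linux and network devices are forwarding to the log server, the useful trial-period check is whether what arrives actually evidences the event types Requirement 10.2 lists and carries the details Requirement 10.3 demands. The following is an added example, not code from the original post or from any log management product. The log lines are constructed: the Windows ones imitate a syslog agent emitting Security log events as key=value pairs (that layout is an assumption about the agent), the others imitate Linux sshd/sudo and a firewall. The event-ID-to-10.2 mapping is this example's own judgement, not text from the standard, and the audit policy that makes Windows emit these IDs at all still has to be set through Group Policy or the Local Security Policy as described above.

```python
"""Check forwarded log events against PCI DSS v2.0 Requirements 10.2 and 10.3.

Added example, not code from the original post. The sample lines are
constructed: the Windows ones imitate a syslog agent emitting Security log
events as key=value pairs (that layout is an assumption about the agent),
the others imitate Linux sshd/sudo and a firewall. The event-ID-to-10.2
mapping is this example's own judgement, not text from the standard.
"""
import re
from collections import defaultdict

# 10.2: event types that must be logged on every in-scope system component.
REQ_10_2 = {
    "10.2.1": "individual access to cardholder data",
    "10.2.2": "actions by anyone with root or administrative privileges",
    "10.2.3": "access to all audit trails",
    "10.2.4": "invalid logical access attempts",
    "10.2.5": "use of identification and authentication mechanisms",
    "10.2.6": "initialization of the audit logs",
    "10.2.7": "creation and deletion of system-level objects",
}
# 10.3: the details every logged event must carry.
REQ_10_3_FIELDS = ("user", "type", "time", "outcome", "origin", "target")

# Windows Security log event IDs -> 10.2 items (assumed mapping).
WIN_EVENT_MAP = {
    4624: ["10.2.5"],            # successful logon
    4625: ["10.2.4", "10.2.5"],  # failed logon
    4672: ["10.2.2"],            # admin-equivalent privileges assigned at logon
    4663: ["10.2.1"],            # audited object access (e.g. a card data folder)
    1102: ["10.2.3"],            # the audit log was cleared
    4720: ["10.2.7"],            # user account created
    4726: ["10.2.7"],            # user account deleted
}

TS = r"(?P<time>\S+ \d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
WIN_RE = re.compile(TS + r"EventID=(?P<id>\d+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def parse_line(line: str):
    """Normalize one line into the 10.3 fields plus the 10.2 items it evidences."""
    m = WIN_RE.match(line)
    if m:
        kv = dict(KV_RE.findall(m.group("kv")))
        eid = int(m.group("id"))
        return {"time": m.group("time"), "type": f"win:{eid}", "user": kv.get("User"),
                "outcome": kv.get("Outcome"), "origin": kv.get("Src"),
                "target": kv.get("Object") or m.group("host"),
                "reqs": WIN_EVENT_MAP.get(eid, [])}
    m = SSHD_RE.match(line)
    if m:
        ok = m.group("result") == "Accepted"
        return {"time": m.group("time"), "type": "sshd:auth", "user": m.group("user"),
                "outcome": "Success" if ok else "Failure", "origin": m.group("src"),
                "target": m.group("host"), "reqs": ["10.2.5"] if ok else ["10.2.4", "10.2.5"]}
    m = SUDO_RE.match(line)
    if m:  # sudo only writes COMMAND= for a permitted command, hence Success
        return {"time": m.group("time"), "type": "sudo", "user": m.group("user"),
                "outcome": "Success", "origin": m.group("host"), "target": m.group("cmd"),
                "reqs": ["10.2.2"]}
    return None


def audit(lines) -> dict:
    """Report which 10.2 items the feed evidences, which it does not, and
    which events arrive without all of the 10.3 details."""
    covered = defaultdict(int)
    incomplete, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        missing = [f for f in REQ_10_3_FIELDS if not ev.get(f)]
        if missing:
            incomplete.append((ev["type"], missing))
        for req in ev["reqs"]:
            covered[req] += 1
    gaps = sorted(req for req in REQ_10_2 if req not in covered)
    return {"covered": dict(covered), "gaps": gaps,
            "incomplete": incomplete, "unparsed": unparsed}


# Constructed sample feed (not real log data).
SAMPLE_LOG = """\
Jul 15 09:12:01 POS-TILL-07 EventID=4624 User=jsmith Src=10.20.1.7 Outcome=Success
Jul 15 09:12:05 POS-TILL-07 EventID=4672 User=jsmith Src=10.20.1.7 Outcome=Success
Jul 15 09:13:40 POS-TILL-07 EventID=4625 User=administrator Src=203.0.113.9 Outcome=Failure
Jul 15 09:14:02 POS-TILL-07 EventID=4663 User=jsmith Src=10.20.1.7 Outcome=Success Object=D:\\chd\\batch.dat
Jul 15 09:14:22 db01 sshd[1234]: Failed password for invalid user oracle from 203.0.113.9 port 5222 ssh2
Jul 15 09:14:30 db01 sshd[1240]: Accepted publickey for dba from 10.20.1.50 port 5230 ssh2
Jul 15 09:15:00 db01 sudo:   dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jul 15 09:16:00 fw01 %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/5222
Jul 15 09:20:11 POS-TILL-07 EventID=1102 User=administrator Src=10.20.1.7
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print("10.2 items with no evidence in feed:", report["gaps"])
    print("events missing 10.3 details:", report["incomplete"])
    print("lines the collector could not normalize:", len(report["unparsed"]))
```

Run against this feed, the report shows that nothing arriving evidences 10.2.6 or 10.2.7, that the log-cleared event lands without an outcome field, and that the firewall line is not normalized at all. Each of those is a configuration or parser job to finish before an assessor asks; the point of the trial period is to find them on a few hosts rather than across the whole estate.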

What do you think? If you could give one piece of advice based on your own experience of PCI Compliance what would that be?