Monday, 10 May 2010

Complicated, Expensive and Time-Consuming - But the PCI DSS Isn't Going Away

Around $12 billion is wasted on unused gym memberships each year, confirming that good intentions can get you as far as signing up, but not necessarily as far as working out. So every year around the world, good intentions to exercise more regularly and to get fit once and for all still remain unfulfilled.

And even in May 2011, 6 years after the PCI DSS was introduced, the number of PCI Merchants who are only partially compliant with the PCI DSS vastly outweighs the small numbers who are.
Reasons given by PCI DSS merchants for not progressing their PCI compliance program range from -

- Duck it! "The future is too unclear to make any investment..."
- Paralysis! "We don't want to make mistakes like xyz..."
- Ignore it! "We don't need to bother - we've been OK so far and we view the risks as low..."
- Go Slow! "We have kept some updated procedural stuff back and if we drip-feed this to the Bank over the next two quarters then we are covered for the next few months..."

Aside from the threat of fines for non-compliance and increased transaction fees, the biggest motivator for getting compliant is the knowledge that cybercrime is now considered worthy as mainstream headline news. Get breached, lose your customers' card data and/or personal information and you will be publicly named and shamed before the lawsuits start arriving. Talk to the guys at TJ Maxx or Sony's PlayStation Network and they will be able to tell you that dealing with the fallout from a breach is way more expensive, embarrassing and tough than any PCI DSS program could ever be.

How much does it cost to procrastinate, delay and ignore the requirements of the PCI DSS?
Wouldn't it be a better use of resources to embrace the PCI DSS, understand its intentions and methods, then apply these to your organization? You need a security policy, so why not take the 'off the shelf' option on offer, in the knowledge that this is a well-thought-out, widely implemented and tested standard that works?

But be careful who you ask for advice
There is always a steady stream of 'vendor-speak' advocating '3/4/5/6 Easy Steps to PCI Compliance' and right now the promise of Point to Point Encryption and Tokenization are the latest 'Silver Bullets' being hailed as the Merchant's saviour.
However, in an article published in Secure Computing Magazine in April 2011, Eduardo Perez, the Chairman of the PCI Security Council, was quick to counter any assertions about Magic or Silver Bullets for the PCI DSS, saying that there simply is no such thing.
So for now there is no alternative but to roll up your sleeves and get on with implementing the measures necessary to get your organization secure.

A reminder of the headline technological security measures needed -
- Firewall and Intrusion Protection (PCI Requirement 1), needed both at the network perimeter and internally.
- Change Management (PCI Requirements 1, 2, 6, 8, 10 and 11) underpins all PCI DSS requirements: once your PCI estate is secure, you need to ensure you keep it that way, so reduce the number of changes and, for those that are made, make sure they are planned, documented and approved. Ideally use automated continuous configuration monitoring to reconcile the changes actually made with the details of the intended change. Changes to files, registry keys, installed software, user accounts, security policy and audit policy settings, services and service states all need to be monitored.
- Device Hardening (PCI Requirements 2, 6, 8, 10 and 11) is a configuration and set-up process for all servers, EPoS devices, PCs and network devices whereby the 'built-in' weaknesses and vulnerabilities present are removed or minimized. Use an ASV vulnerability scan to identify the existence of vulnerabilities and, once the server or EPoS device is hardened, use a continuous configuration assessment agent to validate that vulnerabilities are not re-introduced.
- Anti-Virus with automatic updating (Requirement 5).
- Centralized Event Log Management (PCI Requirement 10) gives both a pro-active security monitoring capability and a full, 'forensic' audit trail to use in the event of a breach. Use a Windows syslog agent to forward events from servers and tills to the central server, and use the native syslog capabilities of firewalls, routers and switches to audit logon and logoff activity. Event logging for the PCI DSS is best implemented using an automated log parsing system that can intelligently identify true security incidents.
- File Integrity Monitoring (PCI Requirement 11.5) essentially requires the PCI Merchant to keep tabs on any changes made to the configuration of firewalls, switches and routers in the network, and to use the file integrity monitor to ensure that Windows operating system files and program files on EPoS devices and servers don't change. FIM for the PCI DSS is also used to track any access to card data files.
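The change-management and file-integrity-monitoring points above come down to the same mechanism: take a baseline of what is on the box, re-hash it later, and reconcile every difference against the list of approved changes before forwarding the unexplained ones to the central log server. The script below is an added illustration written for this post, not the author's product or any vendor's agent. It assumes SHA-256 hashes stored in a JSON baseline, a hypothetical host name `epos-01`, syslog facility local0 at warning severity (PRI 132) for the forwarded lines, and a small directory of constructed files for the demonstration.

```python
"""Minimal file-integrity monitor: baseline, compare, reconcile, forward.

Added example for the PCI DSS post; not the author's or any vendor's code.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large EPoS binaries don't load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks and directories are not hashed
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline: dict, path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict, approved=frozenset()) -> dict:
    """Classify differences; paths in `approved` (from the change ticket) are
    reconciled rather than raised as incidents."""
    report = {"added": [], "removed": [], "modified": [], "approved": []}
    for f in sorted(set(baseline) | set(current)):
        if f not in baseline:
            kind = "added"
        elif f not in current:
            kind = "removed"
        elif baseline[f] != current[f]:
            kind = "modified"
        else:
            continue  # unchanged
        if f in approved:
            report["approved"].append((f, kind))
        else:
            report[kind].append(f)
    return report


def to_syslog_lines(report: dict, host="epos-01", app="fim") -> list:
    """Format unapproved changes as syslog messages for the central log server.
    PRI 132 = facility local0 (16 * 8) + severity warning (4)."""
    return [
        f"<132>{host} {app}: {kind} path={f}"
        for kind in ("added", "removed", "modified")
        for f in report[kind]
    ]


def demo(approved=frozenset()) -> dict:
    """Constructed scenario: baseline a till image, then change it four ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"original till software")
        (root / "config.ini").write_text("[card]\nstore_pan=no\n")
        (root / "readme.txt").write_text("unchanged\n")
        save_baseline(build_baseline(root), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()  # keep the baseline out of the scan
        # Same-size binary swap: only the hash catches it, size alone would not.
        (root / "bin" / "pos.exe").write_bytes(b"tampered till software")
        (root / "config.ini").write_text("[card]\nstore_pan=yes\n")
        (root / "readme.txt").unlink()
        (root / "new_file.dll").write_bytes(b"file not in the baseline")
        return compare(baseline, build_baseline(root), approved)


if __name__ == "__main__":
    for line in to_syslog_lines(demo(approved={"config.ini"})):
        print(line)
```

Run it as-is and three unexplained changes are emitted as syslog lines while the config edit, covered by the approved set, is listed under `approved` for the audit trail. In a real deployment the baseline would be taken immediately after hardening and the scan run on a schedule (or on a file-system event), with the approved set fed from the change-management system so that only unreconciled differences reach the operator.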
