Tech & Trends
General Information
August 24, 2007 • Vol.29 Issue 34
Page(s) 24 in print issue

PCI’s Impact On The SME
It’s A Bigger Thump Than You Think
Following years of spectacular thefts of credit card numbers, the credit card companies banded together to create a security standard for businesses that accept credit card payments. Known as the PCI DSS (Payment Card Industry Data Security Standard), its 12 security standards are required of every merchant that processes credit cards.

The PCI DSS, or PCI standard for short, dictates the adoption of specific security policies, increased supervision and documentation of critical tasks, secure programming, and the mandatory adoption of security technologies. These technologies include centralized logging and file integrity checking of all PCI resources. Web e-commerce application code must be written using secure programming practices that avoid specified vulnerabilities.

The PCI standard represents the security best practices consensus of the major credit card companies that compose the PCI Security Standards Council. These security standards have developed over time from the individual credit card company security requirements. PCI DSS version 1.1, released in September 2006, is the council’s latest effort to better define how credit card data should be protected.

The PCI Wake-Up Call

“PCI is making compliance much more real to the typical midsized business,” says Mike Rothman, president of Security Incite, a security research firm located in Atlanta, Ga.

Rothman notes, “Folks in healthcare and financial services have understood compliance for quite a while, but now pretty much any business that accepts credit cards needs to worry about PCI.”

“That’s a real change, though many companies continue to be blissfully unaware that they have to do anything,” Rothman says. “Although it’s not clear how deeply the credit card issuers will enforce PCI, the reality that compliance now applies to almost every business has tremendous impact.”

“If there was one key point that organizations need to keep in mind, it’s that, while PCI compliance is necessary, companies really must look beyond the PCI audit,” notes Dave Howell, senior manager of PCI solutions at RSA, the security division of EMC (www.emc.com). According to Howell, companies should also consider how their new security technology and policies can be used to protect other forms of sensitive information.

“PCI DSS is really a core set of best practices for protecting information, and if organizations are leveraging these best practices to protect credit card data, they should also consider how such protections can better secure their business--and enable business growth--more broadly,” Howell says.

Follow The Guidelines

According to Manju Mude, senior compliance analyst at RSA, if companies have evaluated their security policies against industry standards, such as ISO 27001:2005, they have a much greater chance to pass a PCI audit than those who have not followed security best practices.

“By following the guidelines set forth within standards like ISO 17799 and COBIT, companies can create control environments that address IT requirements that span multiple regulations,” notes Jane Goh, Check Point (www.checkpoint.com) product marketing manager. Goh explains, “By mapping specific regulatory requirements from SOX, HIPAA, or PCI back to larger information security categories, such as Malicious Code or User Management and other implementation guidelines stated in ISO 17799, companies can simplify compliance with multiple regulations.”

Take A Good Look Under PCI’s Hood

The PCI standards are divided into six groups of one to three primary requirements. Each requirement in turn is composed of subcategories of standards needed to meet the primary requirement. It is when you examine the subcategories that the scope and complexity of the PCI standards become apparent.

For instance, the first group, Build And Maintain A Secure Network, governs how network devices, protocols, and servers should be documented, configured, and managed. Detailed documentation of firewall and router configurations with quarterly reviews of router and firewall rule sets are required.

Mude notes that PCI Requirement 1 mandates up-to-date network diagrams portraying all connections to cardholder data, including any wireless networks. Under Requirement 2, each server must be configured according to recognized security baseline configurations published by organizations such as SANS or the Center for Internet Security. Servers must have all unnecessary functionality, protocols, and services removed, and each server may have only one primary function.

“The reason for this is to minimize risk and exposure,” says Mude. “If you house all your credit processing, Web services, accounting, and file storage on a single system, that system is extremely valuable to your business and would expose your customer information in a consolidated manner if it was ever compromised.”
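The Requirement 2 points above (strip unneeded services, one primary function per server) lend themselves to an automated check. The script below is an added example, not code from the article or from any of the vendors it quotes: it parses constructed `ss -tlnp`-style output (sample lines embedded inline), compares the listening processes against a hypothetical allow-list for the server's declared role, and reports whether the box hosts more than one primary function. The role names, allow-lists and process-to-function table are assumptions for illustration.

```python
"""Added example (not from the article): a Requirement 2-style check that a
server exposes only the services its single declared role needs.

Input is assumed to look like `ss -tlnp` output; the sample below is
constructed for the example. Role names and allow-lists are hypothetical.
"""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical allow-lists: listening services each server role may expose.
ROLE_ALLOWED_SERVICES: Dict[str, Set[str]] = {
    "web": {"sshd", "httpd"},
    "db": {"sshd", "mysqld"},
}

# Hypothetical table: processes that each mark a distinct primary function.
PRIMARY_FUNCTIONS: Dict[str, str] = {
    "httpd": "web",
    "mysqld": "database",
    "smbd": "file-sharing",
    "master": "mail",
}

# Constructed sample in the layout ss -tlnp prints (header + one line per socket).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=1201,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1377,fd=21))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1402,fd=35))
"""

# Extracts the process name from the users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> List[Tuple[str, str]]:
    """Return (local_address, process_name) pairs, skipping the header line."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:          # malformed or blank line
            continue
        local_addr = fields[3]       # "Local Address:Port" column
        match = _PROC_RE.search(line)
        proc = match.group(1) if match else "unknown"
        listeners.append((local_addr, proc))
    return listeners


def audit_server(role: str, ss_output: str) -> Dict[str, object]:
    """Flag listeners outside the role's allow-list and count primary functions.

    Raises KeyError for an undeclared role so an unclassified server cannot
    silently pass the check.
    """
    allowed = ROLE_ALLOWED_SERVICES[role]
    listeners = parse_listeners(ss_output)
    unexpected = sorted({proc for _, proc in listeners if proc not in allowed})
    functions = sorted({PRIMARY_FUNCTIONS[p] for _, p in listeners
                        if p in PRIMARY_FUNCTIONS})
    return {
        "unexpected_services": unexpected,
        "primary_functions": functions,
        "single_function": len(functions) <= 1,
    }


if __name__ == "__main__":
    # A "web" server that also runs MySQL and Samba fails on both counts.
    result = audit_server("web", SAMPLE_SS_OUTPUT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host the input would come from `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout`; the findings map directly to the two Requirement 2 points, extra services and a second primary function, and give the reviewer concrete process names rather than a pass/fail verdict.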

Secure Coding Requirements

In another example of the PCI standard’s scope and complexity, the next PCI requirement group, Protect Cardholder Data, details how to securely store and transmit cardholder data. Specific instructions regarding encryption methods and encryption key management are included with this group.

Contrary to some perceptions, database encryption solutions that are easy to deploy do exist, Howell says. “A key consideration is the technology’s ability to protect data in heterogeneous database environments--organizations often own more than a single database platform, so it’s important that the technology used to encrypt columns within the database is flexible,” Howell notes.

“It’s also important that the technology enforces proper separation of duties--i.e., separating the responsibility of security of your most sensitive information from your DBA’s [database administrator’s] responsibilities to manage user and application access,” Howell says.

As a final example of the PCI standard’s scope and complexity, the Maintain A Vulnerability Management Program group covers how systems are to be protected through antivirus and antispyware countermeasures, patching, vulnerability identification, and secure software development. Change control in software development and prevention of common security flaws in programs are stressed.

Additional program protection by external code review or an application layer firewall is required to be in place by June 30, 2008.

“Organizations should start to prepare for this now by putting some basic application security processes in place,” states Jeff Williams, chairman of the Open Web Application Security Project Foundation (www.owasp.org). OWASP champions secure coding techniques and publishes a list of common Web programming security flaws.

“You don’t want to go into a code review without putting some work into addressing the OWASP Top 10 first,” Williams notes.

“Training developers is a great first step to get organizations moving towards a culture of secure software. Avoid generic courses and go for hands-on training that focuses on the language and platform you use,” Williams says.

The PCI standard can serve as a beneficial wake-up call for companies to leverage their existing security technologies. Using existing security standards such as ISO 17799, companies can frame the PCI standards into a comprehensive security strategy that can address multiple regulatory mandates.

by Bill Hayes, CISSP


What’s In Your Auditor?

The PCI Security Standards Council annually certifies PCI auditors known as Qualified Security Assessors, or QSAs. A list of currently certified QSAs can be found on the Council’s Web site at www.pcisecuritystandards.org. Interestingly enough, this Web page contains the disclaimer, “. . . the PCI Security Standards Council does not endorse these security solution providers or their business processes or practices.”

There have been reports that some QSAs have acted more as not-so-subtle salespersons for a PCI security solution than as security auditors. Dave Howell, senior manager of PCI solutions at RSA, the security division of EMC (www.emc.com), suggests a strategy to discern when PCI auditors are more hype than help.

Howell says one of the most important things an SME must determine is whether a conflict of interest exists within a PCI QSA.

“If, for example, the same organization is conducting a pre-assessment, selling products for remediation, and then certifying the final audit, a conflict may well exist,” Howell notes.

“This is not always the case, though. Some organizations have clear separation of duties between auditing and sales functions,” Howell says. “But, it is something that an SMB--and any organization, for that matter--must be mindful of.”
Copyright © by Sandhills Publishing Company 2010. All rights reserved.