Complying with PCI DSS is a necessary challenge to address security threats. To make your security organisation truly resilient, it is better to adopt a continuous risk-based approach than simply looking to tick the boxes, says Gerard Curtin, CEO of PixAlert.
Increasingly, organisations are so focused on achieving compliance that they often miss the bigger, more important picture of ensuring consistent corporate data security through effective risk management. Achieving reliable and continuous information security needs to be based on real risk management and not sporadic compliancy metrics.
The “tickbox mentality” of meeting regulatory PCI DSS compliance might be sufficient for passing audits, but does not address the real threats that are waiting to exploit card holder data vulnerabilities. Nor does it adequately secure customers’ highly personal and sensitive data that businesses have a responsibility to protect.
Continuous monitoring, vulnerability scanning, remediation and annual renewal of PCI DSS certifications need to be ongoing in order to meet and maintain this essential ecommerce standard. For merchants or service providers that process credit cards in order to sell goods and services on-line, achieving PCI DSS compliance can be a long, costly and difficult process. Yet it is imperative in order to protect credit card information from fraud and misuse.
This principle has recently been expressed by the Verizon 2011 Payment Card Industry Compliance Report which suggested that organisations often struggle to maintain continuous PCI DSS compliance, implying that the standard is a goal rather than an ongoing security initiative. For example, it found that only 21 per cent of organisations were fully compliant at the time of their Initial Report on Compliance, even though the majority had been compliant in a previous assessment. That means their security standard has actually eroded over the year.
The survey also found that organisations are not prioritising their compliance efforts based on PCI’s own suggested approach. Closer study of this issue showed that success in compliance is closely linked to the approach adopted. This was based on findings of more than 100 PCI DSS assessments which also examined how well organisations comply with the 12 specific PCI requirements as set out within the standard.
Organisations may appear to achieve compliance, but they fail to maintain a state of compliance through the next assessment period. This clearly suggests that it is purely a tickbox exercise, rather than a continuous process. That would seem to miss the point of the standard.
Verizon’s report also suggests that companies become overconfident once they achieve compliance in an earlier assessment and think that they can walk through it easily again, which is frequently not the case. A “good enough” approach to security has been proven to be insufficient and businesses are failing to take a risk-based approach to addressing security threats instead, applying security policies and technologies to address systems with the highest risk of being attacked.
CHD compliant, but not secure
Visa recently reported that most reported data breaches in 2010 came from systems that were outside of the audited payment network environment. These were typically card holder data (CHD) sets being held in temporary files on test systems or archive files that were Web accessible. (http://usa.visa.com/download/merchants/webinar-identifying-and-detecting...) This means that while the organisation was compliant, its data was not secure.
A second study recently undertaken by US data security vendor SecurityMetrics revealed over 378 million unencrypted cards on various-sized business and home networks, with the largest amount of payment cards discovered in a single network scan at over 96 million. The study concluded card discovery and deletion should not be one-time event and must be a part of regular and business operation to impact security.
A comprehensive audit of all network data stores and resources is required to ensure all CHD is systematically identified and protected. CHD discovery audits help provide a fully-automated mechanism to find where card holder data is stored on any part of the corporate network. The audit should extensively scan an entire network and comprehensively identify all CHD residing across all unstructured and semi-structured data stores.
Gaining visibility to understand risk
A critical key component to the PCI DSS path is to gain visibility over the extent of an organization’s CHD. CISOs, security staff and IT administrators need to be provided with this highly-relevant information in order to fully document where CHD is located and perform an updated risk assessment on a continuous basis.
Performing this on a regular basis validates the scope of compliance and ensures card holder data is not being inadvertently stored outside of the CHD environment. This process enables an organisation to understand the scope and scale of their CHD exposures while creating the necessary groundwork for successful certification.
Once CHD is identified and collected, organisations must be able to demonstrate to security auditors that appropriate security measures are in place to protect data throughout its lifecycle within the organization. The ability to be able to discover and map CHD throughout the network is of key benefit to this process. It allows businesses to gain total control of where CHD is being stored, transmitted or processed, enabling them to properly implement and manage the technical, procedural and skills transfer controls required by PCI DSS.
Risk-based approach to continuous security
Taking the right steps can help lead an organisation towards a state of continuous compliance. These include:
CHD Discovery Audit:
Realising long-term gains
In addition to achieving PCI certification quicker and more efficiently, long-term strategic benefits can also be realised:
PCI DSS compliance is an imperative standard in order to conduct online business transactions securely. By adapting a more proactive, preventative approach to maintaining CHD security through regular auditing, remediation and reporting, organisations will realise a more positive risk reduction outcome and not simply a one-off validation exercise.