
PCI compliance: Don't become another headline

Commentary--In response to numerous occurrences of data theft, a standard was designed to protect cardholder information, and it must be implemented--or else.
Written by Nir Gertner, Contributor

Commentary--Bank of America, Morgan Stanley, Citibank. What do they all have in common? Within the past six months, each one of these companies has had a breach of security which resulted in thousands of customers' personal data being stolen or compromised. Many within the industry are at a loss—every day, hackers, thieves and even a company’s own employees are finding new ways to access consumers’ personal data. Enter the Payment Card Industry (PCI) Data Security Standard.

In response to the overwhelming occurrences of data theft, the Standard, developed by MasterCard and Visa and also enforced by American Express, is designed to protect cardholder information and must be implemented by members, merchants and service providers. The PCI Data Security Standard is organized into six sections that together contain twelve requirements, and implementing it means developing and adopting security policies, deploying various security technologies and products, and adapting existing systems to use them. Today, all merchants that accept payment cards, including electronic-commerce merchants, and all service providers must comply with the PCI Data Security Standard or face fines of up to $500,000 per incident of non-compliance.

Affected parties are now left in a quandary: they must find products or technologies that can help them meet all six sections of the Standard. This is made harder by the fact that no product is PCI-compliant; compliance is achieved by members, merchants or service providers, not by products. Additionally, no single product, service or technology addresses every aspect of the Standard, so the affected parties must assemble a solution from a variety of tools.

When evaluating solutions for complying with the Standard, organizations should consider two key criteria: first, whether the product helps achieve compliance with a given requirement, and second, whether the product itself is secure and addresses the relevant aspects of the Standard. Below is a detailed explanation of how to examine products and technologies against the requirements of each of the six sections of the PCI Data Security Standard:

1) Build and Maintain a Secure Network—The first section of the Standard requires that all parties 1) Install and maintain a firewall configuration to protect data and 2) Do not use vendor-supplied defaults for system passwords and other security parameters. For a firewall to be effective its policy must be deny-by-default: all traffic from untrusted networks and hosts is blocked except for the specific protocols and ports the cardholder data environment needs, and each of those exceptions is documented and periodically reviewed.

Far too often, administrators leave the default passwords on systems as important as servers and network devices, for ease of use or simply because they forgot to change them. Lists of these default passwords are easily found on the Internet and are often how hackers get into the network. Meeting this requirement starts with a formal password control program that expands on best-practice policies with technologies giving the organization both the accessibility and the security it needs for administrative passwords. Such a program marries policy with controls, periodic changes and audits to ensure that best practices are actually followed.

2) Protect Cardholder Data—The section most central to the goal of the Standard requires that merchants and service providers 1) Protect stored data and 2) Encrypt transmission of cardholder data and sensitive information across public networks. The fundamental concepts of this section are secure storage and session protection. An effective solution provides a comprehensive environment for securely storing sensitive data, featuring a strong firewall, strong authentication, session encryption, storage encryption, extensive auditing, access control, dual control and other measures that ensure the security and confidentiality of the data.

Data at rest is frequently left sitting without any form of encryption. If an intruder gets past the firewall or simply walks off with a server, unencrypted data on it has no protection at all. The solution selected for this requirement must therefore have built-in encryption and key management, with the keys stored and managed separately from the data they protect, so that data is secure both at rest and while being transmitted.
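The "protect stored data" requirement is usually met for the primary account number (PAN) by not storing the full number in the clear at all: truncating or masking it for display, and keeping only a keyed fingerprint where a lookup is needed. The following is an added example written for this article, not code from the author or from Cyber-Ark; it uses only the Python standard library. The PAN is the published Visa test number, the keys and the record format are constructed for the demonstration, and the last function shows why an unkeyed hash of a PAN is not protection when a masked copy of the same card exists anywhere.

```python
"""Protecting a stored PAN without keeping it in the clear.

Added example for this article, not code from the author or Cyber-Ark.
Standard library only. The PAN below is a well-known test number, the
keys are constructed for the demo, and the record format is an assumption.
"""
import hashlib
import hmac
import itertools
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; it also cuts brute-force candidates by 90%."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six (BIN) and last four digits stay visible."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What early 'just hash the card number' schemes stored. Do not use for PANs."""
    return hashlib.sha256(pan.encode()).hexdigest()


def pan_fingerprint(pan: str, key: bytes, key_id: str) -> str:
    """Keyed hash usable as a lookup index. The key_id prefix records which key
    produced the value, so keys can be rotated without re-hashing everything at once."""
    mac = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def verify_fingerprint(pan: str, fingerprint: str, keys: Dict[str, bytes]) -> bool:
    """Look up the key named in the stored record; unknown key ids never match."""
    key_id, _, _ = fingerprint.partition(":")
    key = keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(pan_fingerprint(pan, key, key_id), fingerprint)


def recover_from_unkeyed_hash(target: str, first6: str, last4: str,
                              middle_len: int) -> Optional[str]:
    """Why an unkeyed hash is not protection: given the masked form (first six,
    last four) of the same card, the hidden middle is at most 10**middle_len
    guesses, and the Luhn check discards nine in ten of those before hashing."""
    for middle in itertools.product("0123456789", repeat=middle_len):
        candidate = first6 + "".join(middle) + last4
        if luhn_valid(candidate) and unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"              # published test number, not a real card
    keys = {"k1": b"constructed-key-1"}   # in production: from a key store or HSM, never beside the data
    print(mask_pan(pan))
    fp = pan_fingerprint(pan, keys["k1"], "k1")
    print(fp, verify_fingerprint(pan, fp, keys))
    print(recover_from_unkeyed_hash(unkeyed_hash(pan), pan[:6], pan[-4:], len(pan) - 10))
```

The keyed fingerprint only holds up as long as the key does, which is the point of the paragraph above: a key kept in the same database, file system or backup as the fingerprints turns the HMAC back into the unkeyed case, so the key belongs in a separate key store with its own access controls, dual control and rotation. Where the full PAN itself must be stored, it is encrypted with a vetted authenticated cipher from a real library under the same key-separation rule; that part is not shown here.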

3) Maintain a Vulnerability Management Program—This section requires that complying organizations 1) Use and regularly update anti-virus software and 2) Develop and maintain secure systems and applications. Anti-virus software should be deployed, and kept current, on all systems in the environment that are commonly affected by viruses. In addition, the organization needs patch management for the systems and applications it runs, and secure development and testing practices for the applications it builds in-house.

4) Implement Strong Access Control Measures—The fourth section of the Standard states that all affected parties must 1) Restrict access to data by business "need to know", 2) Assign a unique ID to each person with computer access and 3) Restrict physical access to cardholder data. Ensuring that users can reach only the data they need is an important step in preventing data theft, particularly internal data theft. A good solution stores data in a compartmentalized manner and grants authenticated users access only according to their level of authorization. Every user should have an individual account, not a shared or generic login, that gives them the data they need while keeping them away from anything more, such as cardholder data, and that ties every action in the audit trail to one person.

5) Regularly Monitor and Test Networks—This section requires that companies 1) Track and monitor all access to network resources and cardholder data and 2) Regularly test security systems and processes. An audit trail is one of the most effective tools for establishing who had access to which data if a security breach were to occur.

The optimum solution attributes every logged action to an individual user and records every successful and unsuccessful event, such as logins, data access and administrative activity. The audit trail itself must be stored safely: encrypted, signed, and impossible to alter by hand. Another key feature to look for is the ability to enforce a predefined retention period, so that the log cannot be deleted before that period expires.
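What "signed and unable to be altered manually" means in practice is that each entry carries a MAC computed with a key the audited host does not hold, and chains to the previous entry's MAC, so that editing, removing or reordering a record breaks the chain. The block below is an added example written for this article, not code from the author or from Cyber-Ark; it uses only the Python standard library, and the signing key, users and events are constructed for the demonstration. It also shows the edge case the chain alone cannot catch, namely cutting entries off the end, and a purge routine that refuses to remove anything still inside the retention window.

```python
"""Tamper-evident audit trail: every entry is HMAC-signed and chained to the
previous one, so edits, deletions and truncation are detectable, plus a purge
routine that drops nothing younger than the retention period.

Added example for this article, not code from the author or Cyber-Ark.
Standard library only; the signing key and events are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor of an empty log


def _mac(key: bytes, body: Dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_event(log: List[Dict], key: bytes, user: str, action: str,
                 outcome: str, ts: float) -> Dict:
    """Record one event (success or failure) under an individual user id,
    chained to the MAC of the previous entry."""
    seq = log[-1]["seq"] + 1 if log else 0
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": seq, "ts": ts, "user": user, "action": action,
            "outcome": outcome, "prev": prev}
    entry = dict(body, mac=_mac(key, body))
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes, anchor: str = GENESIS,
               expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails, or None if the chain is
    intact. anchor is the MAC the first entry must chain to (GENESIS, or the
    MAC of the last purged entry). expected_head is the latest MAC recorded
    out of band (e.g. on a separate log host); without it, cutting entries
    off the end of the log is invisible to the chain check."""
    prev_mac, prev_seq = anchor, None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body["prev"] != prev_mac:
            return i  # predecessor altered or removed
        if prev_seq is not None and body["seq"] != prev_seq + 1:
            return i  # sequence gap
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return i  # entry content altered
        prev_mac, prev_seq = entry["mac"], body["seq"]
    if expected_head is not None and prev_mac != expected_head:
        return len(log)  # tail missing
    return None


def purge_expired(log: List[Dict], now: float,
                  retention_seconds: float) -> Tuple[List[Dict], str]:
    """Drop only a leading run of entries older than the retention period.
    Returns the kept log and the MAC of the last dropped entry, which becomes
    the anchor for future verification. Nothing inside the window is removed."""
    cutoff = now - retention_seconds
    kept: List[Dict] = []
    anchor = GENESIS
    for entry in log:
        if not kept and entry["ts"] < cutoff:
            anchor = entry["mac"]
        else:
            kept.append(entry)
    return kept, anchor


if __name__ == "__main__":
    key = b"constructed-log-signing-key"  # keep this off the host being audited
    log: List[Dict] = []
    append_event(log, key, "alice", "login", "success", 1000.0)
    append_event(log, key, "alice", "read cardholder_db", "success", 1001.0)
    append_event(log, key, "mallory", "login", "failure", 1002.0)
    print("intact:", verify_log(log, key))
    log[1]["user"] = "bob"  # a manual edit of a stored entry
    print("after edit, first bad entry:", verify_log(log, key))
```

The design choice that matters is where the key and the head MAC live: if the signing key sits on the same server as the log, whoever roots that server can re-sign a rewritten history, and if the latest MAC is recorded only in the log file itself, truncation is undetectable. Shipping each entry's MAC (or at least a periodic checkpoint) to a separate log host, and keeping the key in a vault the application can use but not read, is what makes the "cannot be altered manually" claim hold.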

To meet the second requirement of this section, a company must regularly test, check and re-check all of its security solutions to ensure that everything is working correctly all the time.

6) Maintain an Information Security Policy—The sixth section requires that merchants and service providers 1) Maintain a policy that addresses information security. The onus for this portion of the Standard falls squarely on the organization’s IT department and management team to create, define and enforce an information security policy throughout the organization. The policy should address all sections of the Standard and set rules and regulations for users, as well as penalties for non-compliance.

As a whole, the PCI Data Security Standard is a proactive and potentially effective way for the payment card industry to try to stop the bleeding. If the Standard is efficiently enforced and the organizations subject to it find the right mix of solutions to meet its requirements, consumers may be able to swipe their credit cards with a little more confidence and peace of mind.

biography
Nir Gertner has more than a decade of experience in enterprise systems security. Currently the CTO of Cyber-Ark Software, Inc., Mr. Gertner also served as software and systems engineer for BMC Software Inc. and was the chief administrator of the Security and System Department of the Central Computing Center in the Israel Defense Forces.
