
PCI Compliance: Avoid the Quick Fix and Build a Compliance Strategy

By Kenneth M. Smith,
CISA, CISSP, GCIH, QDSP, Principal Security Engineer - Akibia

Avoid the quick fix and build a PCI Compliance strategy

Tax season was recently upon us, which meant that every organization in America was organizing its forms and preparing to file taxes by the April 15 deadline. As strong corporate citizens, nearly all of these companies have spent the last year maintaining updated records and ensuring they follow guidelines to make the process of tax filing as simple and easy as possible, lest they get audited. Unfortunately, most companies are not following this same proactive approach when it comes to the Cardholder Information Security Program (CISP) certification. Instead, these companies are taking a "hurry up and fix" approach to complying with the credit card guidelines. As a result they are risking customer data and steep fines, while also losing money on patch-and-fix solutions that do not always create a safer environment long term.

June 2005 was the deadline for companies to first achieve certification with CISP. Visa and MasterCard established CISP to ensure that all retailers and processors of consumer credit card data were maintaining strict security and privacy standards. The Payment Card Industry (PCI) Data Security Standard requires merchants and service providers to undertake annual audits and quarterly scans of their networks. With the deadline for renewal quickly approaching, many companies are in a mad dash to audit and check their systems before submitting their report on compliance.


CISP compliance is not a once-a-year activity

In reality, it should not be a rush to the finish line every year; instead organizations should maintain compliance on an ongoing basis as part of an overall security framework. Visa and MasterCard do not want companies to be compliant only on a single day; with these regulations they are demanding continual compliance. Companies face steep fines and loss of certification if they are caught out of compliance - no matter what time of year. Worse, retailers can lose credibility and customers if a breach is exposed by a hacker or by the loss or misplacement of critical data.

In the past year we have read reports of a number of cardholder data breaches. Nearly all of the companies that were attacked had previously been confirmed compliant with the industry regulations. This is clear evidence that a quick-fix approach to achieving PCI compliance is not effective. Companies must stop viewing compliance as a once-a-year activity. Instead, these companies should use the quarterly assessments as an opportunity to regularly evaluate and update approaches to security threats and vulnerabilities. In a report titled "Data Protection is Less Costly than Data Breaches," Gartner states that the cost of thorough audits and assessments is still significantly less than the potential accrued costs of a data breach. By taking an ongoing approach to vulnerability assessment and audits, PCI compliance becomes a side (albeit necessary) benefit of a safer and more secure information security program.


What to look for when selecting your assessor

No one goes to a doctor just to be diagnosed. Instead, people choose doctors based on their knowledge, expertise, experience and ability to fix health problems long term. Even more so, we choose doctors who can provide counsel and best practices to help prevent illness before it strikes. Those in charge of security and CISP certification should take the same approach to choosing a PCI on-site assessor or vulnerability assessor, rather than working with consultants who will just apply band-aids to their security illnesses.

The majority of PCI approved auditors are financial and legal auditing companies, not technology consultants. However, a large percentage of the compliance requirements involve implementing and deploying technology-based security steps and solutions, most notably encryption. While these traditional firms do understand auditing, they do not understand technology. They can provide a list of issues and factors for non-compliance after evaluating a company's infrastructure. They cannot offer a solution, nor do they understand how to fix the problem. As auditors, these organizations approach CISP certification with a bulleted list of requirements, noting 'yes' or 'no' as they run through the checklist. At the mercy of these auditors, certification at many companies becomes a list of components instead of a part of an ongoing security program. With list in hand, these companies then must deploy critical IT staff and dollars to find and implement solutions to non-compliance.

A more effective approach to compliance is to work with certified auditors that also possess technology expertise and are capable of understanding compliance as part of an organization's larger security plan. Once these technology consultants identify areas of non-compliance they can assess the company's existing security infrastructure and make suggestions for compliance that may not require purchasing new solutions or changing company business processes.

As an example we can examine a common situation retailers face regarding primary account numbers (PANs). During the PCI assessment of a major retailer it is discovered that PANs are stored unencrypted in a SQL database. When faced with this issue, many consultants, if they make a recommendation at all, will suggest the most obvious answer - go back to the developers and have them modify the application to bring it into compliance, taking time away from other business critical activities and raising development costs.

However, a more efficient approach is to implement a database encryption solution that can encrypt the PAN column in the database, while leaving the other tables and columns untouched. This could be accomplished with little to no modification to the application itself. The database encryption product could also provide encryption key management services that meet the PCI encryption key management requirements. This is the type of solution that only a consultant with significant understanding of the security technology marketplace can suggest.
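To make the column-level approach concrete, here is an added example in Go; it is not code from the article or from any Akibia product. It assumes a stand-in `KeyRing` type in place of the encryption product's key management, a numeric row ID that the application already has, and a stored format of `<key version>:<hex(nonce || ciphertext)>` for the PAN column. Only the PAN value is transformed; every other column of the row is left exactly as it was, which is the property the article relies on to avoid application changes. The example goes slightly beyond the passage by showing key rotation and re-encryption, the part of key management that column-level encryption has to support.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// KeyRing holds data-encrypting keys by version (stand-in for the encryption
// product's key management; keys are generated in memory so this runs offline).
type KeyRing struct {
	keys    map[int][]byte
	current int
}

func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: map[int][]byte{}}
	_, err := kr.Rotate()
	return kr, err
}

// Rotate generates a fresh 256-bit key and makes it current. Older versions
// stay readable until the column has been re-encrypted with Rekey.
func (kr *KeyRing) Rotate() (int, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return 0, err
	}
	kr.current++
	kr.keys[kr.current] = k
	return kr.current, nil
}

func (kr *KeyRing) aead(version int) (cipher.AEAD, error) {
	k, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals one PAN under the current key with AES-256-GCM. The row ID
// is bound as associated data, so a ciphertext copied into another row fails
// to decrypt instead of yielding a different customer's PAN.
func (kr *KeyRing) EncryptPAN(rowID int, pan string) (string, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nonce, nonce, []byte(pan), []byte(strconv.Itoa(rowID)))
	return strconv.Itoa(kr.current) + ":" + hex.EncodeToString(ct), nil
}

// DecryptPAN reverses EncryptPAN with whichever key version the value names.
func (kr *KeyRing) DecryptPAN(rowID int, stored string) (string, error) {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("malformed stored PAN")
	}
	version, errV := strconv.Atoi(parts[0])
	ct, errH := hex.DecodeString(parts[1])
	g, err := kr.aead(version)
	if errV != nil || errH != nil || err != nil || len(ct) < g.NonceSize() {
		return "", fmt.Errorf("unreadable PAN ciphertext in row %d", rowID)
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(strconv.Itoa(rowID)))
	return string(pt), err
}

// Rekey re-encrypts one stored PAN under the current key (run over the column
// after Rotate so the previous key version can be retired).
func (kr *KeyRing) Rekey(rowID int, stored string) (string, error) {
	pan, err := kr.DecryptPAN(rowID, stored)
	if err != nil {
		return "", err
	}
	return kr.EncryptPAN(rowID, pan)
}

func main() {
	kr, _ := NewKeyRing()
	stored, _ := kr.EncryptPAN(42, "4111111111111111") // constructed sample row
	kr.Rotate()
	stored, _ = kr.Rekey(42, stored)
	fmt.Println(kr.DecryptPAN(42, stored))
}
```

The stored string is what lands in the PAN column; the customer name, amount and other columns are never touched. Binding the row ID as associated data is the detail that distinguishes a real column-encryption layer from naive per-cell encryption: it turns a swapped or copied ciphertext into a decryption failure rather than a silent data-integrity problem.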


Achieving PCI compliance does not mean customer data is secure

Companies that are serious about data protection should not stop at the minimum level mandated by the PCI. While it's true that the CISP standards provide a base security level all companies should achieve, it is vital to perform weekly vulnerability scans to more proactively prevent attacks. In doing so, companies ensure data is protected and problems are discovered and fixed more rapidly. Certainly the costs for this approach are higher than the costs for a standard quarterly review, but what must be factored in is the much higher cost should a problem become public. If data is left unencrypted and consumer information is leaked, the resulting loss of customers, legal fines and fees, and loss of public confidence is far steeper than the cost of regular vulnerability scans. Oftentimes the fear of costly fines, sometimes at $500,000 per customer data breach, is steep enough to convince executives to allocate additional budget to cover more regular assessments.

Akibia Becomes Qualified Data Security Company and Introduces PCI On-Site Assessment Services

Akibia announces that it is certified by the credit card industry as an On-site Payment Card Industry (PCI) Assessor. As a result the company is now certified to perform the security testing required of Level One merchants, those companies that process more than 6 million transactions per year, and Level One and Two service providers. This further enhances Akibia's PCI services that also include approved vendor status to perform quarterly network security scans.

Compliance with the PCI Data Security Standard is more than a business issue: it involves understanding business processes and procedures as well as understanding important technologies that can help safeguard data. Organizations must work with experienced security technology consultants like Akibia that can evaluate their current security architecture against the requirements and provide services and technology solutions to meet compliance standards. Akibia is one of the few technology consultants among the 40 Qualified Data Security companies. As technology experts, Akibia helps its customers understand compliance and implement innovative technology-based solutions to meet regulations and ensure a highly secure network infrastructure.

Akibia: Providing Enterprise-Class Data Center Solutions, Network & Security Solutions, and Managed Services