In-Depth
Seven Key Steps on the Road to PCI Compliance
Don’t overlook these seven steps you can take to complete your PCI compliance efforts.
By Jim Hickey
PCI compliance continues to be a hot topic in corporate executive suites. If your company handles credit card transactions, then compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) is much more than the latest buzz word or trend. You must deal with serious business issues, and protecting your company’s brand equity tops the list of concerns on the minds of senior corporate executives.
In corporate short-hand, no one wants their company to be the next TJX. In January 2007, the TJX Companies announced that a security breach in their businesses potentially affected more that 94 million credit- and debit-card holders. The fall-out was immediate:
- Fraud losses were estimated at between $80 million and $120 million
- Clean-up costs exceeded $17 million after the first three months alone
- The company faced criticism that it downplayed the seriousness of the situation
Whether TJX ever recovers the damages done to its brand is unclear. What is clear is that this issue resonates with decision-makers everywhere. In a recent Forrester Research report (The State of PCI Compliance), 49 percent of respondents cited damage to their company’s brand and reputation as the number one business driver that compelled them to act on PCI compliance.
Most of the immediate attention to the challenge of compliance with the PCI Data Security Standard has rightly been focused on protecting cardholder data itself. That’s absolutely the big-ticket item for IT teams, but the threats to your customers’ personal information extend well beyond the card data itself.
If you are still working to comply with the PCI requirements, we offer seven often-overlooked steps you can take as you complete your company’s road to PCI compliance.
1. Monitor system access. Make certain that you monitor system configurations to ensure that connections between publicly accessible servers and any system component storing cardholder data are restricted and that access is restricted to authorized users.
2. Monitor user environments. Monitor user account policies such as minimum password age, minimum password length, and password complexity to ensure that account related files and directories are restricted to authorized users.
3. Track and report software versions and patch levels for critical software components. Your company knows which versions and patch levels need to be installed. It will be important for you to build or buy tools that can report on which software versions and patches actually are installed on each instance on your environment. With this information, your team will know exactly which systems and software resources need to be updated before a breach occurs.
4. Monitor all file and directory permissions to ensure that only authorized personnel have access to critical resources and data. Hackers exploit small cracks in system environments to steal identity data. Your IT teams should be closely examining configuration and permission properties. As you do this, you will be able to find these security cracks—and you’ll be positioned to immediately repair them.
5. Follow a comprehensive change control process. Change is the number one source of instability in any IT environment. Change is also a source of vulnerability that often is exploited by identity thieves. Instituting a comprehensive change process over software assets is a critical step to closing the door on identity thieves. Insuring that all software assets can be tracked and monitored for changes will identify any changes that do not comply with your documented change process. Rogue changes should then be reversed immediately.
6. Promote an ability to reinstate secure configurations and permissions. You may want to consider taking “snapshots” of configuration and permission data and storing that in a repository -- similar to the methodology that developers use with source-code control systems. As rogue changes which threaten cardholder data are introduced into your systems and applications, your team can reinstate previous data that was known to be safe and secure.
7. Monitor file and directory permissions. Important security information is sent via logging channels. To prevent security breaches that could compromise cardholder data, you must monitor these permissions to detect intrusions.
Consider either building or buying tools to monitor operating system parameters related to access controls and a wide variety of permissions. Files and data to monitor include system logs, user authentication, login configuration, and system services. You will also want to target these tools toward key elements of application infrastructure such as application servers, Web servers, databases, and middleware, as well as any application; whether it is a third-party “packaged” application or a custom-built application.
Take these steps and you can bring your company closer to compliance with the PCI’s Data Security Standards. Having increased the protection of your customers’ data, you will also be protecting your company and its brand.
---
Jim Hickey is mValent's chief marketing officer. You can reach the author at jhickey@mvalent.com