Welcome Guest. | Log In | Register | Membership Benefits

How Security Pros Can Leverage PCI Compliance Initiatives

By partnering with compliance team, security organizations can use PCI to improve enterprise security

Oct 22, 2011 | 03:30 AM | 

By Diana Kelley and Ed Moyle, Contributing Writers<
Dark Reading

[Excerpted from "Security Via PCI Compliance? Yes, If You Play Your Cards Right," a new report posted this week on Dark Reading's Compliance Tech Center.]

PCI tends to induce fear, frustration, or, at best, indifference among security practitioners. Because of the technical specificity of the controls the standard requires, it’s almost certain to involve (and distract) technical resources from all over IT. But because it focuses only on areas where credit card data is processed, it won’t necessarily directly improve the overall security of the environment.

This makes it tempting to view PCI compliance as an activity without direct benefit for the practitioner with a risk-based approach, but that doesn’t have to be the case. By partnering with peers on the compliance side, doing appropriate scoping and preparation, and paying attention to emerging standards, the security practitioner can leverage PCI compliance activities to gain benefits for the security posture of the company as a whole.

PCI’s value to the security practitioner comes about through enforcing a technical "minimum bar." The standard defines a set of controls that can be valuable in reducing risk, but difficult to justify -- and get funded -- under other circumstances.

For example, security practitioners know that file integrity monitoring has value from a security standpoint, but getting funding to purchase a tool to do it can be challenging. It’s "in the weeds" technically, and quantifying return on investment is difficult. However, PCI explicitly requires file integrity monitoring, so the discussion about whether to fund it is partially removed from the table -- at least for the cardholder data environment (CDE).

Implementing controls in one area (notably, the CDE) decreases barriers to deploying those same controls in other areas. Because you already own the tools, it reduces expense, and since you’ve deployed them in the past, it decreases planning and deployment overhead for subsequent efforts.

Since the requirements of the PCI standard are stringent, the level of protection prescribed isn’t appropriate in every context. Conversely, not every security control in use in the enterprise can pass muster in the CDE.

Consider, for example, a situation in which a manager at a retail location runs Skype on a system in the CDE. Since Skype can arguably be considered to support "remote access” (because it can support desktop sharing), an auditor might conclude that two-factor authentication is mandated per requirement 8.3 (not an uncommon conclusion in the audit community).

This breeds circumstances in which successfully passing an audit becomes difficult or even impossible. When this situation arises, the question shouldn’t be, "How do we make Skype compliant?" but, "How can we get Skype out of the CDE?"

Compliance and technical risk management don’t have to be at odds, but it’s important to realize that differing goals can create complications as you determine scope and prepare to proceed.

For example, consider the intersection of PCI and patching. Under earlier versions of the standard (prior to 2.0), requirement 6.1 was worded in such a way that it mandated a maximum of "one month" between patch issuance and application in the CDE.

Those familiar with production support will recognize the complication here: Is it always a positive risk trade-off to deploy every patch (or even just critical patches) in every circumstance according to a narrowly defined timeline? No, right? So a requirement like this creates an area of potential disconnect between security and compliance. A 30-day window, while high priority for the compliance side, creates complexity for the security and risk side because it can introduce availability issues.

It’s important for both the security and compliance side of the house to close gaps like this amicably. That takes planning, coordination, and communication.

To find out more about the process of combining PCI compliance and enterprise security efforts, as well as the potential pitfalls and benefits associated with the compliance effort, download the free report.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Compliance Reports

report How To Boost Security Via FFIEC Compliance
With just a smartphone, users can conduct nearly all their banking business at any time of the day or night. However, all this flexibility and convenience opens up new avenues for fraud and cybercrime. Guidelines laid out by the FFIEC several years ago predate many of the capabilities-and vulnerabilities-that are in place today. In this report, we examine the latest guidelines and provide advice on how you can extend the work done to comply with FFIEC guidelines to strengthen your organization's overall security posture and keep customers and their data safe.

report Keeping Compliance In Check
Configuration mistakes, access control gaffes, poor documentation--it doesn?t take much for a compliance audit to go all wrong. In this special retrospective of recent news coverage, Dark Reading takes a look at the costs, common missteps and best practices for compliance, as well as the day the Internet nearly went dark due to the threat of new regulations.

report FISMA Lifts All Compliance Boats
FISMA may not be on your radar now, but it likely will be at some point. Geared specifically toward the federal government and its affiliate agencies and third parties, FISMA is a very specific set of requirements aimed at establishing and maintaining at least a baseline level of computer and network security. FISMA requires unique categorization and classification of information assets, not to mention a boatload of documentation to prove compliance. But once your organization achieves FISMA compliance, it will likely be compliant with just about every security mandate out there.

Other reports from the Compliance Tech Center:

Related Content

Log Management in 2012 and Beyond
2012 brings interesting changes to the log management world. Now, more than ever, it is critical to understand the impact to your log infrastructure and the solutions that will better prepare you to manage your security posture.

SANS Log Management Survey Report
Organizations are increasingly dependent on log management to support core business functions, including cost management, service level and line-of-business application monitoring, as well as traditional IT- and security-focused activities.

Cut the Time and Effort of Troubleshooting and Reporting
Organizations generate millions of logs a day and struggle with centralized collection, storage and analysis of those logs. ArcSight Logger is a universal log management solution that unifies searching, reporting, alerting and analysis across any type of IT data. It consolidates silos of logs into a single indexed repository for fast detection and mitigation of operational issues.

Get Turnkey and Automated PCI Compliance
PCI compliance monitoring is seamless with the self-contained ArcSight PCI Logger solution for log collection, storage and analysis. No database administration expertise is required and a web-based interface simplifies deployment and ongoing management.

Swiss Bank Meets Compliance Requirements and Protects Customer Data
Due to long-term data retention requirements, Swiss bank EFG needed a cost-effective way to collect, secure and store audit-quality log data in an easily accessible log repository. ArcSight Logger helps EFG meet key requirements of Switzerland?s banking laws fast and cost-effectively.




Featured Webcasts
Featured Whitepapers
Featured Reports