Risk
11/19/2009
11:15 AM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Lessons Learned From PCI Compliance

Assessors reveal mistakes companies make with data security standard.

3. Take Advantage Of Overlaps

Companies large enough to process millions of credit card transactions are likely to be subject to other regulations, such as Sarbanes-Oxley, or standards such as ISO and the SAS 70 security audit, as well as state laws that mandate the protection of consumer information. Many companies treat each requirement separately, so that every audit becomes a disruptive event, says the Neohapsis QSA. A more proactive approach is to dovetail as many requirements as possible so that audits are less of an issue.

For instance, regulation X might mandate seven-character passwords, while regulation Y says eight. "Set it to nine and satisfy all those controls," he says. "I haven't seen a lot of effort there. People wait for the auditor to come through and correct you instead of doing it as a unified effort."

4. Your Assessor Isn't The Enemy

It's hard for overworked and underfunded IT and security teams to watch some dude stroll in with a scorecard and tell them where they've failed--and then send a bill. A certain coolness, if not downright animosity, is to be expected.

But your company has an obligation to protect cardholder data, and the assessor can help achieve that goal. Companies should view assessors "not as opponents, but as partners in developing sound security programs," says Fabian J. Olivia, a QSA and global PCI competency leader at IBM.

Some IT teams realize that they can use the findings from an assessment to get funding they've been asking for to implement critical projects, says Branden Williams, a QSA and senior director of consulting at AT&T Consulting's PCI group. If you know a PCI assessment is coming, document areas where your controls are weak, outline a plan to address them, and get that information in front of management immediately. Once the assessment is over, you'll have third-party validation that the issues you've raised are important, and funding may come your way.

3 Typical
PCI Compliance Errors
> PCI requires companies to maintain a network diagram that shows how card data flows through IT systems, but assessors say companies often don't have one or it lacks critical details.
> According to PCI, companies must install critical security patches, but patches sometimes break systems, or one IT group requests a patch but another forgets to install it.
> Sometimes IT runs external scans but neglects to scan inside the firewall, which PCI requires. Organizations also must show that vulnerabilities have been remediated by running a scan after patches are deployed, but many skip this step.

5. This Is A Pass/Fail Test

Unlike many regulations that emphasize risk management, PCI is a prescriptive compliance standard. It requires specific controls and processes, and organiz- ations have to meet all the requirements, or they won't pass. "There is no partial compliance," says the Neohapsis QSA. "You either are, or you are not. It's not something the QSA can change for you."

PCI critics say the standard is complex and costly, and that compliant companies can still lose data. We agree. But despite its flaws, PCI is an opportunity for companies to get serious about their obligation to protect cardholder data and implement sensible controls. "PCI compliance should be a by-product of sound security practices and programs," says IBM's Olivia. We also agree.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.