Continuous compliance is not a plug-and-play solution. You can’t install it, set it to accept automatic upgrades and forget about it. Nor is it a one-size-fits-all standard that suits every enterprise’s needs. Nor can you download it in PDF format and conjure up a plan to deploy it. Continuous compliance isn’t a single product or guideline; it is a policy-driven model that dovetails business processes, security policies and technological solutions in such a way that compliance is enabled on an uninterrupted, ongoing basis.
Millions of words have been written about the best software to use, the correct policies to implement. Conferences are held, experts pontificate. Governments and industries pass regulations. Security solutions are amazingly effective at preventing attacks – even the dreaded zero-day flaws. We have the tools, the information and the impetus to lock down systems and data. What we don’t have are truly secure systems. Why? Because too often, through lack of education, resources or support, we allow our employees to become the weakest link in our defences.
Until businesses focus on creating a culture of security and employees understand exactly how and why to protect data, even the best-protected system will be vulnerable to attack. No matter how great your investment in security software, continuous compliance will not be possible. The bottom line is that we simply can’t rely on applications to do all the work for us. Smart policies, procedures and people are just as important as choosing the right security solution.
PCI DSS meets continuous compliance
PCI DSS (Payment Card Industry Data Security Standard) is of primary concern to any business that accepts credit or debit cards in payment for goods or services. It is a global standard that enhances the security of personal data collected from consumers. Apart from retailers’ implicit responsibility to protect consumer data, the fines for non-compliance are steep — in excess of €100,000 (£67,000) per incident — and there is the potential loss of the ability to accept payment cards.
While PCI DSS is truly a sensible approach to data security, it’s easy to feel overwhelmed by the work involved in implementing the requirements of the standard. Perhaps that’s why 40 percent of the online retailers surveyed for Cybersource’s 2007 UK online fraud report stated that they still have no plans in place to achieve PCI compliance and 36 percent have only recently begun to work on their compliance initiatives. A survey conducted last September by The Logic Group found that only three percent of respondents — which included a sampling of the largest high street retailers, financial services institutions and online businesses — were fully compliant.
One of the reasons for the slow uptake is that PCI DSS doesn’t always dovetail neatly with existing business procedures and infrastructure. Point of sale (POS) systems have limited technological safeguards, partly because staff need ready access to customer data for planning, promotional and customer service purposes, and distributed systems often harbour legacy applications created by bolting disparate networks together. In many cases significant changes in practices and policies are required, in addition to technological solutions, to achieve full compliance with PCI DSS.
All that said, PCI DSS is not something you can afford to ignore. Implementing its guidelines will save retailers the cost and disruption of a hack attack on their network. All it takes is one successful attack to wipe out years of ‘savings’ on not implementing security. Additionally you can use PCI DSS as an opportunity to shape or refine your company’s security-based culture. The standard embodies best practice established over many years, so why not take advantage of that best practice? Yes, it is prescriptive, but this standard is a lot better than some that just mention the word ‘adequate’ which means whatever you want it to mean.
Creating a culture of security
When news broke in January about a network breach at U.S. retail giant TJX, the parent company of nearly 2,500 discount stores in North America and Britain, most security experts assumed the company simply, and rather stupidly, hadn’t encrypted stored data. Later reports indicated a far more complex situation. TJX’s recent regulatory filing indicates that the company had apparently lost control of the data flow across its disparate systems. This is a common problem with mid-sized and large retail networks that are built up over the years. The company began encrypting some data on some of its systems beginning in April of 2004, but wasn’t encrypting data as it moved from payment card systems across the network, which is where a malicious hacker or hackers apparently intercepted it.
TJX is probably not the only retailer whose network might seem safe but actually harbours gaping security holes. We don’t know what TJX has done in the way of creating a culture of security but we do know that true continuous compliance with PCI DSS requires much more than simply hardening the firewall on wireless POS systems and encrypting cardholder records in a database. It requires protecting consumer information during every stage of the payment process and creating – yes, you guessed it — a culture of security within the enterprise. Every employee – from the newest sales associate to the CEO – needs to understand the importance of cardholder data privacy and security.
Simply following the letter of the PCI DSS guidelines ensures that your organisation may technically be in compliance, but that’s not enough. Security measures that aren’t understood and fully embraced across the enterprise can, and will, be circumvented. As you plan and implement PCI DSS, don’t stint on ensuring that employees understand the importance of keeping customer data secure and protected and have the tools and training they need in order to secure that data.
The nuts and bolts of PCI DSS
The best way to begin creating a plan to comply with PCI DSS, or to evaluate your compliance progress, is to read the full PCI DSS standard (www.pcisecuritystandards.org) several times and develop a clear understanding of the purpose of each listed objective. This enables you to develop methods and processes that both meet the standard and suit the needs of your particular business.
The next step is to conduct a full audit of your systems and identify all the points and places where payment card data is processed, transmitted and stored. Use the PCI DSS Security Audit Procedures document to conduct this assessment.
Then develop, or review your data retention and disposal policy to determine whether it meets the PCI DSS standard. The less stored data that you have to protect, the easier compliance will be. PCI DSS calls for retaining only the minimum amount of information required for business, legal, and regulatory purposes. Purge systems as necessary and institute new processes. It’s less costly to eliminate data and implement change than it is to secure vast stores of data that you don’t need.
PCI DSS also requires the creation of a security policy, backed up by software enforcement and auditing, encryption of sensitive data, and well-defined access controls. To implement these standards properly in a way that fosters continuous compliance, you’ll need to institute ongoing training for employees. Ensure that all employees are trained in how to identify confidential information, the importance of protecting data and systems, how to choose and protect passwords, acceptable use of system resources, email, the company’s security policies and procedures, and how to spot phishing scams. New employees should be required to complete a security orientation before they are given access to the network and annual refresher classes for every employee need to be put in place. Employees can be alerted to new threats and issues by way of a monthly newsletter, RSS feed, or emails from IT.
Security policies should cover all of the issues above as well, and define in clear terms how to respond to requests for information. By making these issues a matter of policy, an employee can deny requests without feeling that they are either being unhelpful, or that they could get into trouble with senior management. Automated enforcement and monitoring of policies takes the onus off employees – they no longer need to make judgment calls, nor can they be pressured, bullied or coerced into responding to a social engineer’s attack.
Bear in mind that it is quite possible to develop policies that are so rigid that employees resent them and actively look for ways to thwart the policy. It’s best to develop policies in tandem with representatives from throughout the company. Each of your employees is a stakeholder in security and should feel as if he or she is a valued participant in protecting company data, not a mistrusted child who is being watched and controlled every moment of the day.
Your security policy should also detail how an employee should report incidents and requests for information that they feel are suspicious or just somehow not right. This information should be noted and tracked. If a company has been targeted by a social engineer, chances are he’ll attempt repeated attacks, so forewarned is forearmed. Never make an employee feel silly for reporting anything he or she finds suspicious. The easiest way to do this is often to set up an email address that employees can use to report potential problems, such as securityreport@ourcompany.com.
When you thought you’d done…
Once you have your security policy plan in place, review the PCI DSS standard once again, and create a compliance road map.
– Document what you have done and/or are doing to meet each of the PCI DSS control objectives.
– Create an action list that details exactly what you need to do to achieve compliance.
– Plan also to have comprehensive, remote vulnerability scans conducted on a quarterly basis, with one annual scan performed by a PCI Security Standards Council-certified approved scanning vendor (ASV).
– Ensure you foster a culture of security continuously. Train employees in security and privacy procedures regularly, audit the system for compliance, and maintain documentation that shows how PCI DSS was implemented and is upheld throughout your organisation.
Above all, remember that PCI DSS is not an arcane set of rules established by some remote authority. It’s a set of widely agreed upon best practices that help enterprises secure their networks and protect their customers’ privacy. It’s good business to comply. And it is even better business to build a firm policy and education-based foundation that values security and enables continuous compliance with all data security regulations.