Even if you don’t work in IT Security, it’s hard to be unaware of the increasing numbers of significant data breaches where hackers have stolen credit card information. We seem to read these headlines almost every other week, which leads us to highlight the vital points of failure you need to address immediately in this two-part series on PCI DSS compliance.
In the wake of malicious attacks that have impacted millions of consumers over the past few years, such as the widely publicized Target, Home Depot, Wendy’s and Verizon incidents, customers’ concerns about the security of their credit card data are being taken seriously, particularly by the Payment Card Industry (PCI) Security Standards Council.
Lack of education, awareness and training around PCI data security, inadequate or incomplete implementation and maintenance of the PCI Data Security Standard (DSS), and changing requirements lie behind many of the breaches now coming to light. In some cases the initial compromise happened a couple of years earlier and the attackers’ access to cardholder data has continued ever since; breaches of this kind are only now being discovered.
In April 2016 the PCI Security Standards Council released PCI DSS version 3.2 to close some of the gaps in compliance. Many merchants and payment service providers, however, have still not moved to the previous version (PCI DSS v3.1), which is retired on October 31, 2016.
While there are plenty of ‘how to’ guides out there, the PCI DSS keeps changing to keep pace with the threat landscape. Version 3.1, issued in April 2015, originally gave businesses until June 30, 2016 to migrate off SSL and early TLS. In December 2015 the Council pushed that migration deadline out to June 30, 2018, and the new requirements introduced in v3.2 are treated as best practice until January 31, 2018 and become mandatory on February 1, 2018.
PCI DSS v3.2 demands even more rigorous, ongoing effort to stay compliant. Some surveys suggest that as many as one in five merchants who believe they are covered by the standard are actually out of compliance and would fail an audit. Failing an audit can be catastrophic, especially if a breach is traced to non-compliance: fines, legal liability and even the loss of the ability to accept cards are on the line, which is a likely death sentence for a business that depends on credit and debit card payments. Even a company that survives a serious breach takes a lasting reputational hit.
Key Factors to Surviving or Failing an Audit
A 2014 post by Intelligent Defense Software collected seven reasons for PCI audit failure cited by industry experts. We’ll walk through those and add three more areas to remedy in light of the newer versions of the standard. Once your business or your payment service provider has addressed these fundamental issues, you will be much further along the road to compliance.
- No Network Segmentation
Network segmentation is not itself a PCI DSS requirement, but its absence is one of the main reasons for audit failure: without segmentation, every system on the network is in scope for the assessment. Attackers prefer flat networks for the same reason. If the network isn’t segmented, a foothold on any part of it (a receptionist’s PC, a Wi-Fi access point) is a path to all of it, including the systems that handle card data.
Just as you would lock confidential papers or valuables in a safe, segmentation separates the cardholder data environment from other customer data and from the less trusted systems and access points your business uses for other processes.
What to do: if you have the IT staff for it, segmentation is achieved by correctly configuring firewalls and routers so that only documented, necessary traffic can enter or leave the cardholder data environment. Segmentation also has to be proven, not just configured: the DSS requires penetration testing to confirm that segmentation controls are effective at least annually (Requirement 11.3.4), and v3.2 adds a six-monthly test for service providers (11.3.4.1). Otherwise, working with a PCI compliant hosting company gives you system engineers and administrators who can do this for you and help ensure that access from your own location is compliant as well.
- Inadequate Access Controls
PCI DSS explicitly requires that everyone with access to cardholder data has a unique user ID, so that actions can be traced to an individual (Requirement 8.1.1), and that access is restricted to what each person needs to do their job (Requirement 7). Unfortunately, many businesses take the path of least resistance, either creating generic IDs and passwords that several employees share, or never defining different levels of access for different categories of employees or users. And when employees leave, their IDs and passwords are often left active, so ex-employees keep their access.
What to do: This one is straightforward. Give every user a unique ID and password, and never share accounts. Where shared system credentials exist, such as local administrator or root passwords, an employee’s departure must trigger a process that revokes their access immediately (Requirement 8.1.3) and rotates any shared secrets they knew; accounts inactive for 90 days should be removed or disabled as well (8.1.4). Work with your IT administrator or service provider to make sure users have access only to the data they need, and note that v3.2 extends multi-factor authentication to all non-console administrative access into the cardholder data environment (8.3.1).
- Sloppy Logging and Monitoring
PCI DSS requires you to log all access to system components and cardholder data, review those logs at least daily, and retain them (a year of history, with the most recent three months immediately available) so that suspicious activity can be investigated and reported (Requirement 10). The same logs let you trace the point of entry if a breach does occur. That sounds daunting unless you’re a systems administrator or security engineer, so many small to mid-sized businesses (SMBs) simply ignore logging and monitoring and hope it never becomes an issue.
What to do: Fortunately, this doesn’t necessarily require an expensive, custom solution. Often the tools are already on your systems and just need to be configured. On a Windows server, enable the audit policy for logon, account management and privilege-use events, forward the Security log to a central collector (Windows Event Forwarding or a syslog/SIEM agent) so that an attacker who compromises the box cannot simply clear the local log (Requirement 10.5), and then actually review what arrives rather than just opening Event Viewer after the fact. If you use a PCI compliant hosting company, they already track and log everything inside their systems. Whether it’s just your e-commerce application or a complete cloud or managed hosting solution, they will have skilled system administrators who configure and monitor logging.
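The daily log review above, and the shared-account and leaver problems from the access-control point, are easiest to understand with a concrete check. The script below is an added example, not code from the original post or from any vendor it mentions: it reads a handful of constructed Windows Security log records (a simplified CSV of timestamp, event ID, account, workstation and source IP; a real export would need a different parser but the same checks) and flags three things an assessor would expect someone to notice: a burst of 4625 logon failures against one account, one account logging on successfully from several workstations within a few minutes (the signature of a generic shared credential), and any successful logon by an account on a hypothetical HR leavers list. Every account name, host and address is made up.

```python
"""Added example (not from the original post): a small reviewer for
Windows Security logon events of the kind PCI DSS Requirement 10 expects
to be looked at daily. All records, accounts, hosts and addresses are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, EventID (4624 success / 4625 failure),
# TargetUserName, WorkstationName, IpAddress.
SAMPLE_LOG = """\
2016-10-03T09:00:01,4624,jsmith,POS-01,10.10.20.11
2016-10-03T09:00:40,4624,posuser,POS-02,10.10.20.12
2016-10-03T09:01:05,4624,posuser,POS-03,10.10.20.13
2016-10-03T09:02:10,4624,posuser,POS-04,10.10.20.14
2016-10-03T09:10:00,4625,admin,DC-01,192.168.50.9
2016-10-03T09:10:03,4625,admin,DC-01,192.168.50.9
2016-10-03T09:10:07,4625,admin,DC-01,192.168.50.9
2016-10-03T09:10:12,4625,admin,DC-01,192.168.50.9
2016-10-03T09:10:18,4625,admin,DC-01,192.168.50.9
2016-10-03T09:10:25,4624,admin,DC-01,192.168.50.9
2016-10-03T11:30:00,4624,bjones,VPN-GW,203.0.113.45
"""

# Hypothetical HR leavers list: accounts that should already be disabled.
LEAVERS = {"bjones"}

FAILURE_THRESHOLD = 5             # failures ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... within this window = brute force
SHARED_MIN_SOURCES = 3            # distinct workstations ...
SHARED_WINDOW = timedelta(minutes=10)   # ... within this window = shared account


def parse_log(text):
    """Parse the simplified CSV export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account.lower(), "workstation": workstation, "ip": ip})
    return sorted(events, key=lambda e: e["time"])


def find_brute_force(events):
    """Accounts with >= FAILURE_THRESHOLD failures inside FAILURE_WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["account"]].append(e["time"])
    hits = set()
    for account, times in failures.items():          # times are already sorted
        for i in range(len(times)):
            j = i + FAILURE_THRESHOLD - 1
            if j < len(times) and times[j] - times[i] <= FAILURE_WINDOW:
                hits.add(account)
                break
    return hits


def find_shared_accounts(events):
    """Accounts that logged on from >= SHARED_MIN_SOURCES workstations inside
    SHARED_WINDOW: one person cannot be at three tills at once."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            logons[e["account"]].append((e["time"], e["workstation"]))
    hits = set()
    for account, entries in logons.items():
        for t0, _ in entries:
            sources = {ws for t, ws in entries if t0 <= t <= t0 + SHARED_WINDOW}
            if len(sources) >= SHARED_MIN_SOURCES:
                hits.add(account)
                break
    return hits


def find_leaver_logons(events, leavers):
    """Successful logons by accounts that HR says have left the company."""
    return {e["account"] for e in events
            if e["event_id"] == 4624 and e["account"] in leavers}


def review(text, leavers=LEAVERS):
    """Run all three checks and return sorted account lists per finding."""
    events = parse_log(text)
    return {"brute_force": sorted(find_brute_force(events)),
            "shared_accounts": sorted(find_shared_accounts(events)),
            "leaver_logons": sorted(find_leaver_logons(events, leavers))}


if __name__ == "__main__":
    for finding, accounts in review(SAMPLE_LOG).items():
        print(f"{finding}: {accounts or 'none'}")
```

On the sample data the review reports `admin` for the failure burst, `posuser` as a shared account and `bjones` as a leaver still logging in. The leaver check is the cheapest of the three and the one most often missing: it only works if the offboarding process actually produces a list the log review can be compared against.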
- Inadequate Firewalls and Routers
PCI DSS Requirement 1 demands strong controls over your firewalls and routers and is specific about how they must be configured: every rule has to be documented and justified, all traffic that is not explicitly needed must be denied in both directions (1.2.1), direct connections between the Internet and any system in the cardholder data environment are prohibited in either direction (1.3), and rule sets must be reviewed at least every six months (1.1.7).
Many SMBs don’t realize that the scope of the DSS applies “…to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.” So all systems, including non-obvious equipment and applications such as Wi-Fi routers and VoIP, are included.
As a result, businesses believe their configuration and controls are sufficient when they are not, and fail the audit.
What to do: There is no fast or easy solution here. You have to review the requirements in the DSS against your own systems (firewalls, routers, switches and everything else inside the environment where card data is stored, processed or transmitted), make sure each is configured correctly, and keep the configuration and its justification documented. If you use a PCI compliant managed services provider, your provider may remove much of that burden, but you still need to ensure that anything on your side is compliant unless you have completely outsourced payments and never handle card data yourself, even through applications or remote access.
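The segmentation point and the firewall point above both come down to the same review: does the rule set let only documented traffic into and out of the cardholder data environment, and nothing between the Internet and the CDE? The script below is an added example, not code from the original post or from any firewall vendor. It works on a constructed, deliberately simplified rule format (action, source zone, destination zone, protocol, destination port, evaluated top to bottom) and on hypothetical allow-lists that stand in for the documented business justification an assessor asks for; zone names, ports and rules are all made up. It flags any permit rule that gives the Internet a path to the CDE, any undocumented port into or out of the CDE (a rule that says `any` never counts as documented), and a rule set that does not end with an explicit deny-all.

```python
"""Added example (not from the original post): review a firewall rule set
against the PCI DSS Requirement 1 points above. Zones, ports, rules and
allow-lists are constructed; a real export needs its own parser."""

CDE_ZONE = "cde"
INTERNET_ZONE = "internet"

# Hypothetical documented allow-lists: which zones may initiate connections
# into the CDE (and on which ports), and where the CDE may connect out to.
ALLOWED_INGRESS = {
    "mgmt": {("tcp", "22"), ("tcp", "3389")},   # jump host for administration
    "dmz": {("tcp", "8443")},                   # web tier to payment application
}
ALLOWED_EGRESS = {
    "payment-processor": {("tcp", "443")},      # authorization traffic
}

# Constructed rule set, evaluated top to bottom like most firewalls.
SAMPLE_RULES = """\
# action  src_zone   dst_zone           proto  dport
permit    mgmt       cde                tcp    22
permit    corporate  cde                tcp    1433
permit    internet   dmz                tcp    443
permit    dmz        cde                tcp    8443
permit    cde        payment-processor  tcp    443
permit    cde        internet           any    any
permit    any        cde                udp    161
permit    wifi       corporate          any    any
deny      any        any                any    any
"""


def parse_rules(text):
    """Parse the five-field format; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, proto, dport = line.split()
        rules.append({"action": action, "src": src, "dst": dst,
                      "proto": proto, "dport": dport})
    return rules


def covers(zone, target):
    """A rule written for zone 'any' matches every zone, the target included."""
    return zone == "any" or zone == target


def port_allowed(rule, allowed):
    """Only an explicitly listed protocol/port passes; 'any' never does."""
    return (rule["proto"], rule["dport"]) in allowed


def review_rules(rules):
    """Return (rule_number, reason) for each permit rule that breaks policy,
    plus one finding if the set does not end in an explicit deny-all."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] != "permit":
            continue
        touches_cde = covers(r["src"], CDE_ZONE) or covers(r["dst"], CDE_ZONE)
        touches_net = covers(r["src"], INTERNET_ZONE) or covers(r["dst"], INTERNET_ZONE)
        # A source of 'any' includes the Internet, so 'any -> cde' lands here too.
        if touches_cde and touches_net:
            findings.append((n, "direct path between the Internet and the CDE (Req 1.3)"))
        elif (covers(r["dst"], CDE_ZONE) and r["src"] != CDE_ZONE
              and not port_allowed(r, ALLOWED_INGRESS.get(r["src"], set()))):
            findings.append((n, f"ingress to CDE from '{r['src']}' on "
                                f"{r['proto']}/{r['dport']} is not documented (Req 1.2.1)"))
        elif (covers(r["src"], CDE_ZONE) and r["dst"] != CDE_ZONE
              and not port_allowed(r, ALLOWED_EGRESS.get(r["dst"], set()))):
            findings.append((n, f"egress from CDE to '{r['dst']}' on "
                                f"{r['proto']}/{r['dport']} is not documented (Req 1.3.4)"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == "any" and last["dst"] == "any"):
        findings.append((len(rules), "rule set does not end with an explicit deny-all (Req 1.2.1)"))
    return findings


if __name__ == "__main__":
    for n, reason in review_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {n}: {reason}")
```

On the sample rule set, rule 2 (a corporate workstation zone reaching a database port in the CDE) and rule 7 (an `any` source into the CDE) are exactly the kind of rule that quietly pulls the whole office network into scope, and rule 6 is the outbound hole an attacker uses to exfiltrate card data. The `wifi -> corporate any/any` rule is not flagged because it never touches the CDE, which is the point of segmentation: once the CDE boundary is tight, the rest of the network can be reviewed on its own terms.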
In Part Two of this series, we’ll look at the other five points including encryption, passwords, and documentation and a few more solutions that will get you closer to the finish line.
Additional Resources on This Topic: