This past year American retailers have seen their fair share of data breaches: Target, Michaels, Neiman Marcus, Goodwill and Home Depot, to name a few. What stands out is how many breaches have occurred in such a short period of time.
The impact of such incidents is not only a serious dent in the company's revenue but also damage to its reputation. Cybercriminal activity is clearly on the rise, and these lawbreakers are becoming more and more aggressive. So, with the holiday season underway, are you worried that more data breaches may occur, and are companies prepared?
This blog will focus on data breaches, PCI DSS, the challenges retailers face with compliance, and finally some useful tips to achieve PCI compliance.
Data Breach – What possibly could have gone wrong?
Some vendors have flawed or outdated security systems that allow customer information to be stolen. Often, little attention is paid to ensuring that all devices are updated and patched. Moreover, administrators have limited ability to monitor for suspicious behavior and fail to take the necessary step of checking for existing security holes by performing regular vulnerability scans. To top it off, there may be minimal or no documentation of network changes, or simply poor communication between the various IT departments.
To help companies that handle financial information protect their customer data, the Payment Card Industry Data Security Standard (PCI DSS) defines a set of security controls for processing, storing, or transmitting credit card information in a secure environment. To help network administrators maintain such a network, PCI DSS version 3 broadly defines the following controls specifically for network routers and switches:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Challenges with Compliance
PCI DSS defines security-specific objectives, but it does not prescribe specific security controls or a method for implementing them. Simply deploying firewalls, intrusion detection, anti-virus, patch management, and related technologies may not be sufficient unless they are paired with the operational controls that PCI DSS policies require. Provided below are a few challenges administrators face when trying to implement and maintain compliance:
- Uncertainty about what’s on the network
- Insufficient mechanisms for vulnerability assessment and immediate remediation
- Absence of compliance reporting and continuous monitoring
- Not just implementing PCI DSS 3.0, but also continuously maintaining compliance
Best Practices to Achieve PCI Compliance
PCI DSS objectives are satisfied when firewalls, intrusion detection, anti-virus, and patch management are used together with the necessary operational controls. Here are a few best practices to achieve compliance while saving valuable time:
- Segment specific parts of your network to define controls and protection where sensitive data resides
- Ensure the use of the right protocols and security best practices to plug possible network vulnerabilities
- Implement and follow supporting operational controls such as device inventory management, configuration change approvals, regular backups, and task automation, in addition to compliance with internal and external standards
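As an added illustration of the "right protocols" and "regularly monitor and test" practices above (example code written for this post, not a tool or script from the original blog), the following script audits a router running-config against a small baseline. The config text and the baseline rules are constructed assumptions, not PCI DSS requirement text.

```python
import re

# Constructed sample of a router running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname store-edge-rtr1
service password-encryption
snmp-server community public RO
ip http server
logging host 10.10.0.20
ntp server 10.10.0.5
line vty 0 4
 transport input telnet ssh
 login local
"""

def _lines(config):
    """Config lines with indentation stripped, blank lines removed."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]

def _has_line(config, text):
    return text in _lines(config)

def _matches(config, pattern):
    return any(re.search(pattern, ln) for ln in _lines(config))

# Each rule is a predicate that returns True when the config passes.
# These rules are an assumed baseline for cardholder-environment devices,
# chosen to illustrate the practices above; they are not quoted from PCI DSS.
CHECKS = {
    "mgmt-no-telnet":   lambda c: not _matches(c, r"^transport input .*\btelnet\b"),
    "mgmt-no-http":     lambda c: not _has_line(c, "ip http server"),
    "snmp-no-default":  lambda c: not _matches(c, r"^snmp-server community (public|private)\b"),
    "passwords-hidden": lambda c: _has_line(c, "service password-encryption"),
    "remote-logging":   lambda c: _matches(c, r"^logging host \S+"),
    "ntp-configured":   lambda c: _matches(c, r"^ntp server \S+"),
}

def audit(config):
    """Return {rule_id: passed} for every check, so results can feed a compliance report."""
    return {rule: ok(config) for rule, ok in CHECKS.items()}

def failures(config):
    """Sorted list of rule ids the config fails; empty means the baseline is met."""
    return sorted(rule for rule, ok in audit(config).items() if not ok)

if __name__ == "__main__":
    for rule in failures(SAMPLE_CONFIG):
        print("FAIL", rule)
```

Running it over the sample config flags the telnet-enabled VTY lines, the cleartext HTTP management server, and the default SNMP community; re-running the audit after each approved configuration change turns the one-off check into the continuous monitoring the compliance challenges above call for.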
These practices become even more important in networks with hundreds of multi-vendor devices and device types operating across many locations. The overall time, effort, and cost involved in achieving compliance are very high. However, the cost of being non-compliant cannot be ignored. Stay tuned for my next post, where I will provide a detailed list of tips to achieve PCI compliance while saving time and money.