The PCI Data Security Standard has become one of the thornier compliance challenges for enterprises and small businesses alike in the last couple of years, and as the standard continues to change, it's likely to get no easier anytime soon. A small cottage industry of assessors, software suppliers and consultants has sprung up to help businesses comply with the requirements, but much of the nuts and bolts is still left to the security and compliance staffs.
To help ease some of this pressure, Solidcore Systems Inc. is introducing two new offerings designed to help businesses comply with two of the more difficult sections of the standard. Solidcore S3 Control PCI Pro Edition is meant for large enterprises and service providers, the companies with the most complex and involved PCI compliance efforts. The new application is specifically targeted at helping these companies comply with categories 10 and 11 of the PCI standard, which cover the need for software to monitor file integrity and changes. The second offering, aimed at small and medium businesses, is S3 Control Starter Edition.
Solidcore, of Cupertino, Calif., designed the applications as stripped-down versions of the company's flagship S3 Control product with the intent of giving customers just the features they need to comply with PCI DSS and leaving out the extraneous elements.
"They're much easier to install and configure than the enterprise product. You get a single installer and it works with the default settings," said Rishi Bhargava, director of product management at Solidcore. "Right now there is no cost-effective solution for the midmarket if people just want to meet the standard and not bother with all of the other functionality. How can somebody get off the ground right away with less cost and effort?"
Both editions of the software record all of the changes to protected files. They also enable administrators to see which users made changes to files and at what time the changes were made. This capability goes beyond what even the PCI standard dictates, Bhargava said. "All it says right now is that when a critical file changes, you should have an audit trail of that change," he said. "It stops there. That's because that's what the state of the art was when it was written. That will change over time."
Bhargava added that one of the reasons that an estimated 30% of Level 1 enterprises are still non-compliant with PCI DSS is the constantly changing interpretations of the various sections of the standard.
"A lot of customers are in pain because of the changing interpretations and how [qualified security assessors] want to report compliance or non-compliance," he said. "PCI DSS hasn't changed. The interpretation has changed. That will be true for the next couple of years. When they write the standard, they can't write the exact interpretation because they don't know what innovations will happen on the product side to meet it."