COMPLIANCE AND GOVERNANCE DIGEST

How to use PCI to your (budgetary) advantage


Spyro Malaspinas, Contributor
06.24.2008
PCI can offer a means to an end for the budget requests that are consistently denied: secure email solutions, firewalls to protect your infrastructure, and training for security personnel. Embrace these controls to obtain training and new technology that can then be leveraged for other infrastructure, best practices and regulatory controls.

Firewalls: Requirements 1.1.3, 1.3.4, 1.3.9, 6.6
Essential to any feasible defense against widespread malware attacks and malicious internal and external connections is segmentation at the network layer by way of a stateful firewall. Several PCI requirements mandate the use of firewalls at all Internet connections, between the DMZ and internal networks, and in front of all databases that store cardholder data. Leverage these requirements to support a capital request for a firewall that allows multiple physical or virtual interfaces; these enable segmentation and inspection of all traffic, above and beyond packets destined for the cardholder environment.

Remember that application firewall you always wanted? PCI has armed any financial organization subject to PCI with a hammer in Requirement 6.6. As of June 30, 2008, all Web-facing applications must be protected from known attacks by means of an exhaustive code review or an application-layer firewall. Annual code reviews can be a great deal more expensive than the purchase of an application-layer firewall. Like network-based firewalls, application-layer firewalls can be used to protect other applications in the DMZ. It should be noted that several of the more progressive security vendors today offer the ability to filter at both the application and network layers.

Lastly, personal firewalls are required for any system that connects remotely to your cardholder environment. This can be used as justification to procure personal firewalls for, and secure, all laptops.

Wireless access points: Requirements 2.1.1, 4.1.1, 11.1
The TJX breach revealed an estimated 45 million compromised credit card numbers. The breach was linked back to the use of WEP, a dated and obsolete wireless encryption protocol. WEP's replacement, WPA/WPA2, though not yet required by PCI DSS, will likely be the baseline standard in the next version of the PCI DSS standard, 1.2, which is expected in September 2008. Regardless of whether it is required, TJX is the motivation for ensuring the use of secure wireless solutions that enforce WPA/WPA2. Newer access point technologies provide organizations with increased bandwidth, quality of service filtering, better management, and rogue access point detection.

Encryption and key management: Requirements 3.4-3.6
If your organization chooses to store cardholder data electronically, it must do so in encrypted form that adheres to what many call PCI's most challenging requirements: the encryption and key management controls. Adhering to this standard is demanding; more often than not, encryption appliances or encryption-specific software is purchased to handle the numerous enterprise applications that both read and write cardholder data to information stores. The benefit of such a solution is that these appliances and software products can be used to encrypt any sensitive information, including social security numbers, personnel records, intellectual property, and health and customer records.

Training: Requirements 12.6, 12.9.4
Perhaps the biggest complaint I hear among security practitioners is the lack of training they are afforded on an annual basis. Economic pressures are forcing nearly all organizations to cut back on "discretionary" costs. First to go for many organizations is security training for IT staff and general security awareness for all personnel. PCI has an answer to this in Requirements 12.6 and 12.9.4.

Requirement 12.6 mandates a formal security awareness program for all employees who have access to, or handle, cardholder data. Some of the most successful training materials can be delivered via PCI workshops and Web training modules. Several security vendors offer effective pre-built Web training modules for dissemination to geographically diverse organizations.

Requirement 12.9.4 stipulates that all incident response staff attend appropriate training for the fulfillment of their duties. The most effective training will often come from outside organizations. Not only will formal incident response/security training help your organization in the event of a security incident, it can also do wonders for the morale of your security staff.

Other requirements that can be leveraged as justification for investment in security tools and/or training:

  • Email encryption: Requirement 4.2
  • Separate test and development requirements: Requirement 6.3.2
  • Formalize security policies: Requirement 12
  • Penetration testing services: Requirement 11.3

This list is not exhaustive; a deeper dive into the PCI requirements and how they may help justify your security expenditures in the coming quarters and years is something that all security practices should engage in. When preparing your budget for review, it is important to note that many of these security tools will improve an organization's security posture while also creating operational efficiencies.

About the author
Spyro Malaspinas, CISSP, CISM, CISA, GCIH, CCNA, CSPFA, CCSE+, NSA, Six Sigma, is a Principal at ThreeFactor Security and can be reached at spyrom@threefactor.com. Spyro formerly served as the PCI Practice Leader at Symantec, a Sr. Security Consultant at VeriSign, and Security Architect at IBM. He has been performing compliance assessments, remediation, Risk and Compliance Program Management functions for some of the largest merchants and service providers found globally.