Monday, November 23, 2009
PCI DSS checklist: Mistakes and problem areas to avoid
The Payment Card Industry Data Security Standard (PCI DSS) has been a world-changing experience for many midmarket businesses, retailers and credit card processors that previously had little or no regulatory oversight for security.
Breaking Down PCI for the Midmarket
PCI DSS: Building and maintaining a secure network: The first PCI focus area requires a set of documented configuration standards, perimeter and endpoint protection.
PCI DSS: Protect Cardholder Data: The second PCI DSS focus area spells out how organizations must secure cardholder data they store and transmit.
"PCI has been their baptism," said Steve Alameda, principal consultant of Data SafeGuard of San Francisco. "It's one heck of a way to get baptized."
Consultants who devote part or most of their activities helping smaller organizations -- mostly those with Level 3, 4 and some Level 2 requirements for self-assessment -- share some of the difficult lessons learned in the trenches.
Lesson 1: Don't Underestimate PCI
Astonishingly, there's anecdotal evidence that some smaller companies are still unaware they must comply with PCI. Level 4 merchants, those processing fewer than 20,000 transactions annually, are slower to get the word.
Assuming your business is not in that situation, you're facing requirements that are growing increasingly demanding. Self-Assessment Questionnaire D, which most covered organizations are required to complete, is far more detailed than what the questionnaire originally required in 2007. Most companies often turn to consulting help for a variety of reasons:
Lack of knowledge about their own environment. Small companies are wrapped up in doing business, not doing security. Once they realize what they have to protect and all the ways they might be exposed, light bulbs go off.
Inability to comprehend the requirements. Few small companies have security people and most have, at most, a small IT staff that lacks the time and/or expertise to understand and complete the assessment.
The requirements sink in. Organizations start out doing a self-assessment, then realize as they proceed they may have bitten off more than they can chew.
Nobody wants to get it wrong. No one wants to go to the president and tell him/her that after all the time and money spent, the company is still not compliant.
Companies think they have adequate security to meet the requirements. To most small businesses, that's desktop AV and a firewall.
his may also mean underestimating cost. Companies that do their homework, either internally or in combination with outside help, will have a realistic expectation of what they'll need to spend in terms of manpower, technology and services. For example, while they have AV and a firewall, chances are they have never given a thought to purchasing log management, IDS or file integrity-monitoring tools, let alone a Web application firewall.
Also, small companies, unlike enterprises or smaller organizations in heavily regulated industries, are not accustomed to refreshing equipment, such as point-of-sale systems, every few years. In many cases, they need to either upgrade or replace older equipment to become or remain compliant.
Companies do not, typically, anticipate they will have to make some fundamental changes in the way they do business. It's not a matter of tacking on security, even for the little guys. You may, for example, store credit card information in Excel spreadsheets. Now you need to convert all that information into databases and protect them.
"It's one of the hidden costs of PCI. I can't tell you how many businesses we walk into where they have paper records -- a warehouse of credit card receipts that's intermixed with invoices, etc." said Seth Peter, CTO of Minneapolis-based consultancy NetSPI. "One big area where companies underestimate costs is how do you stop doing that and how do you go back and clean it up?"
"They feel their environment is in pretty good shape, and don't think they'll need to make many changes," said Data SafeGuard's Alameda. "Then the reality hits that there will be a lot of changes." TechTarget