Sunday, August 8, 2010

PCI DSS 1.2: Changes, best practices and tips

PCI DSS is a global information security standard consisting of 12 requirements, assembled and released by the Payment Card Industry Security Standards Council (PCI SSC). It was created to help organizations that store, process or transmit credit card information prevent credit card fraud.

This blog post details some of the differences between PCI DSS 1.1 and 1.2, and offers several best practices and four useful tips for obtaining and maintaining PCI DSS compliance. Changes are in the works for DSS, with a formal announcement coming in the fall,

Below are some of the key changes from PCI DSS v1.1 to v1.2:

■Incorporates existing and new best practices

■Provides further scoping and reporting clarification

■Eliminates overlapping sub-requirements and consolidates documentation

■Enhances the frequently asked questions (FAQ) and glossary to facilitate understanding of the security process.

Wireless network changes from v1.1 to v1.2:

■Requirement 4.1.1.

■In v1.1 there were provisions for WEP (Wired Equivalent Privacy), which is a weak encryption protocol.

■Removing the requirement for disabling SSID broadcasts is new in v1.2.

Anti-virus requirement differences:

■In v1.2, there is a clarification regarding the use of anti-virus software, namely that it applies to all operating system types.

■Requirement number 5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.”

Best practices:

■Constant vigilance: There is no 100% guaranteed “silver bullet” for network security. Instead, companies must maintain constant vigilance over their security, from physical security to network configuration and security. A “set it and forget it” attitude in the security world creates false expectations of ongoing security.

■Network traffic anomaly detection

■Log analysis: Using software to correlate various security logs (e.g., firewall, web server, remote access) to spot trends

■Heuristic detection of malicious software: Heuristically detecting malicious software on critical systems that are connected to the vendor's network – not just the systems that handle customer data

■Implementing layered security: If one defense fails, the others have a chance of stopping the attack

■Patch management: Maintaining an effective patch management system, procedures, or both is a key security measure
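The log analysis practice above is easiest to see in working code. The following is an added example, not code from the original post: it parses constructed sample lines from the three sources named there (firewall, web server, remote-access VPN gateway), normalizes them into one record type, and then correlates them by source address. The sample log lines, their formats, the IP addresses and the user names are all made up for the example; the regular expressions match only those invented formats, and all three logs are assumed to be in UTC (in practice, clock alignment across sources is the first thing to check before correlating).

```python
"""Cross-source log correlation (added example, not from the original post)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample log lines (not real data). One address, 203.0.113.7,
# is repeatedly denied by the firewall, then logs in over VPN, then probes
# the web server. No single log shows that chain of events on its own.
FIREWALL_LOG = """\
2010-08-08T09:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2010-08-08T09:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2010-08-08T09:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2010-08-08T09:01:00 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
"""
VPN_LOG = """\
2010-08-08T09:05:10 LOGIN user=jdoe src=203.0.113.7 result=success
2010-08-08T09:30:00 LOGIN user=asmith src=198.51.100.9 result=success
"""
WEB_LOG = """\
203.0.113.7 - - [08/Aug/2010:09:06:00 +0000] "GET /admin/ HTTP/1.1" 403 512
203.0.113.7 - - [08/Aug/2010:09:06:05 +0000] "GET /admin/config HTTP/1.1" 403 512
198.51.100.5 - - [08/Aug/2010:09:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# One normalised record per log line, whatever the source format.
Event = namedtuple("Event", "ts source ip detail")

# Patterns for the constructed formats above (hypothetical, not a vendor's).
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
VPN_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, action, src, dst, dport = m.groups()
        events.append(Event(datetime.fromisoformat(ts), "firewall", src,
                            f"{action} dst={dst} dport={dport}"))
    return events


def parse_vpn(text):
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), "vpn", src,
                            f"LOGIN user={user} result={result}"))
    return events


def parse_web(text):
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, request, status, _size = m.groups()
        # Drop the "+0000" offset: all three logs are assumed to be in UTC.
        stamp = datetime.strptime(ts.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        events.append(Event(stamp, "web", ip, f"{status} {request}"))
    return events


def load_all():
    return parse_firewall(FIREWALL_LOG) + parse_vpn(VPN_LOG) + parse_web(WEB_LOG)


def correlate(events):
    """Count how many lines each source address produced in each log."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        hits[ev.ip][ev.source] += 1
    return {ip: dict(srcs) for ip, srcs in hits.items()}


def cross_source_addresses(events, min_sources=2):
    """Addresses seen in at least `min_sources` different logs, busiest first."""
    flagged = [(ip, srcs) for ip, srcs in correlate(events).items()
               if len(srcs) >= min_sources]
    return sorted(flagged, key=lambda item: -sum(item[1].values()))


def denied_then_seen(events, min_denies=3):
    """Addresses the firewall denied at least `min_denies` times that later
    appear in another log: the trend no single log reveals."""
    denies = defaultdict(list)
    for ev in events:
        if ev.source == "firewall" and ev.detail.startswith("DENY"):
            denies[ev.ip].append(ev.ts)
    flagged = {}
    for ip, stamps in denies.items():
        if len(stamps) < min_denies:
            continue
        later = [ev for ev in events
                 if ev.ip == ip and ev.source != "firewall" and ev.ts > min(stamps)]
        if later:
            flagged[ip] = sorted({ev.source for ev in later})
    return flagged


def timeline(events, ip):
    """The chronological chain of events for one address across all logs."""
    return sorted((ev for ev in events if ev.ip == ip), key=lambda ev: ev.ts)


if __name__ == "__main__":
    evs = load_all()
    for ip, sources in denied_then_seen(evs).items():
        print(f"{ip}: denied by firewall, then seen in {sources}")
        for ev in timeline(evs, ip):
            print(f"  {ev.ts:%H:%M:%S} {ev.source:8} {ev.detail}")
```

Note that `cross_source_addresses` also returns the benign 198.51.100.5 (allowed by the firewall, then served a page), which is why the more specific `denied_then_seen` rule is the one worth alerting on: correlation is about combining the logs into a question that none of them can answer alone, not merely about joining them on an address.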

Four useful tips (going beyond the checklist):

1. Compliance is not a one-time project – it is an ongoing process

a. One of the biggest dangers of the checklist is treating it as a one-time project. Compliance is an ongoing process of checking and re-checking the various security controls, as well as enforcing them. Companies should not consider themselves immune to attacks simply because they have achieved compliance.

2. End-to-end encryption (E3)

a. PCI DSS doesn't mention, or require, encrypting the data from the point at which the customer's card is “swiped.” Doing so significantly reduces the value of the data if it is intercepted.

3. Avoid the low-hanging fruit

a. People tend to go for the path of least resistance. For instance, if their network is unique in its design, and there is a new method of accessing data, and the checklist does not cover the new method, it might be glossed over and compliance would still be achieved. Scheduled reviews of a company's PCI DSS compliance will help ensure that as technology and networks continue to progress, new threat vectors are addressed. For instance, Requirement 5 of the PCI DSS states that for compliance a vendor must use and regularly update anti-virus programs. As there are varying levels in the quality of anti-virus software, a vendor could choose to implement a low detection/high false-positive anti-virus program and have a fairly ineffective anti-virus application running on their systems.

4. “Chain of events” or the “error chain”

a. As in the aviation world, when there is an accident it is referred to as a “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage.

Resources:

■PCI Security Standard Council web site: https://www.pcisecuritystandards.org/

■PCI DSS v1.2 Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Do you have additional best practices, tips or observations? You can also share your experiences regarding PCI DSS: challenges, benefits or any other comments regarding your company and credit card security.

1 comment:

  1. Defining and designing the IT policy, and adhering to it, yields good results in offices and industries.