Is Your Organization PCI Compliant?

Author: Alex Douds

PCI DSS, the Payment Card Industry Data Security Standard, is a set of 12 specific requirements grouped under six goals. It is prescriptive, giving organizations guidance on how to become secure and protect their customers' credit card data in accordance with PCI DSS; it is more about security than about compliance. The goals cover topics such as building and maintaining a secure network, protecting cardholder data, and regularly monitoring and testing networks.

Most organizations think they are doing everything necessary to be PCI compliant and are adequately prepared, whether for their first PCI audit or their fifth. But are they really? A PCI audit is usually performed by a Qualified Security Assessor (QSA), who is trained by the PCI Council and licensed to conduct these audits.

Experienced QSAs, such as Freed Maxick, know that there are six areas, or "stumbling blocks", around which organizations need to be particularly vigilant in order to design and maintain the controls that achieve and sustain PCI compliance. We'll start with the least common problem and work our way to number one on the hit list!

So What Does Your Business Need To Watch For?

(6) Lack of Security Awareness and Training: The ugly truth about data breaches is that it's not so much a matter of if you'll be a target, but when. The 2008 Study on the Uncertainty of Data Breach Detection in the U.S. by the Ponemon Institute concluded that approximately 80 percent of businesses in this country have been hit at least once by a data breach. According to the Ponemon Institute, there are three main causes of a data breach: personal negligence, which accounts for 40 percent of data breach cases; system glitches (36%); and malicious/criminal attacks (24%). Small and mid-sized merchants often lack the awareness, security background and resources that larger businesses and corporations can muster to execute an effective security awareness training program against these threats. Annual and ongoing security awareness training is critical to meeting the requirements of the PCI Data Security Standard (PCI DSS).

(5) Not Monitoring Computers and Other Systems for Intrusions and Anomalies: Software and hardware exist to help businesses track normal functionality and anomalies within their computer systems, detecting intrusions and misuse by monitoring system activity. To tell "attack traffic" apart from legitimate traffic, the system must first be taught what normal activity looks like, which keeps false positives to a minimum. In addition, intrusion detection must be placed at both the perimeter and critical internal points so that all traffic within your PCI environment is monitored. Many organizations neglect to monitor critical points within their PCI environment, which creates problems with their PCI compliance. The Freed Maxick technology consulting team can help your organization identify what monitoring systems need to be put into place and, as QSAs, provide consulting to ensure you meet the intent of this standard.

(4) Not Encrypting Data: Encrypted data is unreadable and unusable to an intruder who does not hold the encryption keys. Many businesses make the mistake of storing cardholder data when it is not absolutely necessary, or of storing cardholder data without proper encryption. Other "don'ts": do not store the three-digit validation code from the back of the cardholder's card; do not let PED terminals print personally identifiable payment card data (printouts should be masked); do not store payment card data in payment card terminals; and do not allow unauthorized people access to stored cardholder data.

Merchants should develop data retention and storage policies that strictly limit the amount of data stored and its retention time to what is required for business, legal and regulatory purposes. You should also understand where your payment card data flows throughout the entire transaction process. Use strong cryptography to render stored cardholder data unreadable. You can verify a payment application's compliance through the Payment Application Data Security Standard (PA-DSS).

(3) Storing Too Much Data: Many clients have questions about what card data can and cannot be stored; more specifically, can CVV and CVV2 card information be stored? The simple answer is "no." According to PCI DSS requirement 3.2, storage of sensitive authentication data after authorization is strictly prohibited, even if the data is encrypted. The requirement goes into more detail, stating that you should not store the card verification code, the three- or four-digit code on the back of the payment card that is used to verify card-not-present transactions. When businesses are unaware of how much data their systems are storing, they are less likely to be PCI compliant.
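As an added example (not part of the original post and not Freed Maxick's tooling), here is a small Python scanner that performs the two checks items (4) and (3) call for: it finds Luhn-valid primary account numbers in stored records, masks them to the first six and last four digits for printouts, and flags sensitive authentication data (CVV2/CVC values) that requirement 3.2 prohibits storing after authorization. The record format and the card numbers are constructed test values, not real accounts.

```python
import re

# Constructed sample records (industry test card numbers, not real accounts):
# the kind of lines a receipt-printer log or an order table might hold.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/26 cvv2=123 amount=19.99",
    "order=1002 pan=4111-1111-1111-1112 exp=01/27 amount=42.00",  # fails Luhn
    "order=1003 token=tok_8f3a2c amount=5.00",                     # tokenized, fine
    "order=1004 pan=5555555555554444 exp=09/25 cvc=999 amount=120.00",
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field names under which card verification codes are commonly (mis)stored.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits on a printout."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(record: str) -> dict:
    """Return the Luhn-valid PANs and any stored verification codes found in one record."""
    pans = [m.group(0) for m in PAN_RE.finditer(record)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]
    sad = [m.group(0) for m in SAD_RE.finditer(record)]
    return {"pans": pans, "sad": sad}


def scan(records) -> list:
    """One finding per record that holds cardholder data; PANs are reported masked."""
    findings = []
    for rec in records:
        hit = scan_record(rec)
        if hit["pans"] or hit["sad"]:
            findings.append({"masked": [mask_pan(p) for p in hit["pans"]],
                             "sad": hit["sad"], "record": rec})
    return findings
```

Running `scan(SAMPLE_RECORDS)` reports orders 1001 and 1004 (a masked PAN plus a stored verification code each), while the tokenized record and the non-Luhn number are not flagged.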

(2) Not Understanding the Flow of Data: A key to PCI compliance is for the organization and its QSA to understand the flow of card data, including what card data is stored and how it is encrypted. To truly understand what data should and shouldn't be stored, organizations must understand where the data goes, how it gets there, which wireless networks are connected to cardholder data, how it is processed, and how it is transmitted. Network documentation is extremely valuable to a QSA, and documenting the card data flow on top of the network diagram is invaluable: it helps a company reach a unified, clear understanding of where card data is stored, processed or transmitted within its environment, and it identifies all supporting and connected systems and devices.

The number one problem on our PCI compliance hit list is...

(1) Not Appropriately Segmenting the Network Infrastructure that Processes, Transmits, or Stores PCI Data: A critical step for any organization that wants to minimize the heavy cost of PCI compliance is to segment the PCI network, or cardholder data environment (CDE), from the rest of the organization's IT infrastructure. Segmentation follows the commonly used strategy of minimization: store as little sensitive data in as few locations as possible, and allow access only to those who absolutely need it. The PCI DSS encourages all organizations to segment their networks "through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network." Like most standards, it provides a "high level" goal while still offering flexibility in implementation. The relevant PCI DSS section reads: "At a high level adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as: a given network's configuration, the technologies deployed, and other controls that may be implemented."

All organizations should work with a QSA to verify that they have proper PCI network segmentation in place prior to their initial PCI audit or anytime a significant change is made to an existing PCI segmented network. Network segmentation gives the organization greater security and monitoring by reducing the scope of their CDE to a limited area on the network infrastructure. Even more importantly, it can drastically reduce the scope of the PCI audit and therefore increase an organization’s likelihood of having a successful PCI audit.

Freed Maxick is here to help!

At Freed Maxick, we understand you face unique challenges in assessing the effectiveness of your technology. With this in mind, we offer a customized, flexible approach that's based on your needs. We can give you senior-level attention and personalized service. Our technology consultants have experience across a number of industries, which often yields opportunities to increase productivity and reduce costs. And if you contact us today, we can offer a reduction in price on a quarterly self-assessment scan!