
Whether you are a large retailer or a small internet boutique, if you accept credit cards you need to keep that information secure. It’s not just about compliance with The Payment Card Industry Data Security Standard (PCI DSS)— more importantly, you owe it to your customers. DAVID GIBSON, Director of Technical Services, Varonis Systems, takes us through the detail of PCI DSS compliance.

PCI DSS was developed as part of a collaboration by MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. Their efforts have culminated in the standard that serves as directive and guideline to help organisations prevent the misuse of credit card data.

Who Needs To Comply

All merchants and service providers who store, process and transmit credit card information must undergo quarterly self-assessments as well as audits (vulnerability scans) by an Approved Scanning Vendor (ASV) and in accordance with PCI DSS Scanning Procedures.

Large merchants (i.e. more than 6 million transactions per year for all outlets including e-commerce) and service providers (i.e. more than 1 million transactions per year) must also undergo annual on-site audits performed by a PCI DSS Qualified Security Assessor (QSA). The audit is inclusive of all systems, applications and technical measures, as well as policies and procedures used in the storing, processing and transmission of cardholder and credit card information.

What Is Considered Sensitive Data

Per the standard, the following information is considered sensitive:

  • Primary Account Number (PAN)
  • Cardholder name
  • Service code
  • Expiration date
  • PIN Verification Value (PVV)
  • Security code (3 or 4 digit)

In accordance with the standard, merchants or service providers are not allowed to store the PVV or the security code that uniquely identifies the piece of plastic in the cardholder’s possession at the time of the transaction. However, the PAN, cardholder name, service code and expiration date may be stored.

PCI Compliance Is More Than Just Securing Cardholder Information Within Databases

Many organisations naturally focus efforts for protecting cardholder information within databases, a challenge for which technical solutions abound. However, as breaches like Citigroup’s ** and Pfizer’s have shown, enterprises also face challenges controlling access to and dissemination of spreadsheets and documents that contain cardholder information. Exporting sensitive cardholder data out of databases is all too common, often done so that the information may be analysed as part of market research or be imported into other applications. In fact, 42 percent of enterprises hold customer data in spreadsheets as a matter of course according to Ventana Research ***, and these figures don’t include the individual users who conduct such exports on their own for business analytics or other purposes.

In the case of PCI, it is important to protect not only databases, but also the file shares and SharePoint sites that house these spreadsheets and documents. Organisations need a comprehensive system not only for finding the PCI information that resides outside of databases, but also for authorisation, access control and auditing of all unstructured and semi-structured data stores. When file shares contain any of the PCI-designated sensitive information, organisations need to audit, review, and tighten up access to these shared networked resources as part of their PCI compliance efforts.
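As an added illustration (not code from the article or from Varonis), here is a Python scanner for the "find the PCI data outside of databases" step: it pulls candidate card numbers out of exported spreadsheets, keeps only those that pass the Luhn check every PAN satisfies, and reports them masked so the findings report is not itself a new copy of cardholder data. The regex, file suffixes and sample CSV are constructed for this example.

```python
import re
from pathlib import Path

# Candidate card numbers: 13 to 19 digits, optionally split by spaces or dashes,
# not embedded in a longer digit run (pattern constructed for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check every real PAN passes; weeds out look-alike ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so the findings report is not
    itself another unprotected copy of cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return (masked PAN, line number) for every Luhn-valid number in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((mask_pan(digits), lineno))
    return hits

def scan_share(root: str, suffixes=(".csv", ".txt")) -> dict:
    """Walk a share export and map each file path to its masked PAN hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_pans(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample export: two test-range PANs, one mistyped number, and
# order ids that look numeric but fail the Luhn check.
SAMPLE_CSV = (
    "customer,card,expires,order\n"
    "A. Smith,4111 1111 1111 1111,12/14,ORD-1234567890123\n"
    "B. Jones,5555-5555-5555-4444,03/15,ORD-20120517-42\n"
    "C. Brown,4111111111111112,07/13,ORD-1111111111111\n"
)
```

Running `scan_share` against an export of a file share returns only masked values, so the output can go straight into an audit workpaper.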

What Are The Costs/Risks Of Non-Compliance

Credit card fraud and misuse reaches into the billions of dollars annually. While the costs per incident may vary by merchant size, they include:

  • Loss of income from fraudulent transactions
  • Cost to reissue cards
  • Costs of investigation and possible litigation
  • Possible fines imposed by credit card companies
  • Loss of reputation, customer confidence and business
  • Possible loss of ability to accept credit cards for payment

PCI Compliance the Easy Way

There are five principles organisations need to address when seeking to comply with PCI DSS:

  • Continual identification of relevant data
  • A process to identify and revoke unwarranted access
  • A process to configure and review logical access controls
  • Proper separation of duties
  • Evidence that these processes are being followed


Logical access control objectives are based on the principle of least privilege: access should be granted only to those resources that are required to perform a user’s function. Many audit regulations now focus on proper access and use of unstructured data on file systems and SharePoint servers.

It stands to reason that wherever the organisation has permissions to write or read data, a data owner, or steward, should be designated to make decisions about who gets access, acceptable use, etc. Otherwise, decisions about that data are left up to members of IT, who have little organisational context about the data they are trying to manage and protect.

In order to identify an owner or steward, IT needs to know who is making use of the data: analysing usage over time provides actionable business intelligence about the probable owner of any folder. Using these statistics, administrators can quickly see the most active users of a data container. Often, one of the active users is the data owner. If none of the active users is the business owner, he or she will likely work for the data owner, or at least know who the data owner is likely to be.

Data owners or stewards need to be automatically involved in the authorisation workflows and reviews for their data. Automation should enable users to request access to data, route the requests to the data owner and other appropriate parties, execute the appropriate actions, and track each request. Entitlement reviews, or attestations, should be similarly automated and auditable.

While this may all seem an insurmountable task, software solutions are available to find PCI data, aggregate user and group information, permissions information, access information, and content information (which files actually contain PCI data) from directories and file servers. Sophisticated analytics can then be applied to reveal detailed data use, misuse, and determine rightful access based on business need. Using this intelligence, organisations can then:

  • Continually scan for PCI data (the audit trail enables true incremental scanning for only changed or modified files)
  • Protect data by removing overly permissive access controls
  • Ensure on-going compliance with automated entitlement reviews, and authorization workflows
  • Restrict unstructured data access to those with a business need for that data
  • Automatically update access controls to account for changes in roles and file server contents
  • Track and monitor file touches for each and every user
  • Alert on behavioural deviations that may signal a possible data breach
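An added example, not from the article or from Varonis' product, that works through the owner identification and entitlement review described above: given a constructed ACL export and file-access audit trail for one folder, it ranks users by activity to propose a data owner, flags users who hold access but were idle in the review window (revocation candidates), and flags broad groups on the ACL. Names, paths and timestamps are hypothetical.

```python
from collections import Counter
from datetime import datetime

# Constructed inputs for one share folder (names and paths are hypothetical).
FOLDER = r"\\fs01\finance\cardholder"
# ACL export: (trustee, "user" or "group").
ACL = {FOLDER: [("alice", "user"), ("bob", "user"), ("carol", "user"),
                ("Domain Users", "group")]}
# File-access audit trail: (ISO timestamp, user, folder, action).
EVENTS = [
    ("2012-05-14T09:12:00", "alice", FOLDER, "write"),
    ("2012-05-14T09:40:00", "alice", FOLDER, "read"),
    ("2012-05-15T11:02:00", "bob", FOLDER, "read"),
    ("2012-05-16T16:30:00", "alice", FOLDER, "write"),
    ("2012-01-03T08:00:00", "carol", FOLDER, "read"),  # before the window
]
# Groups so broad that granting them access defeats least privilege.
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
SINCE = datetime(2012, 4, 1)  # start of the review window

def activity_by_user(events, folder, since):
    """Count file touches per user on a folder since the given datetime."""
    counts = Counter()
    for ts, user, path, _action in events:
        if path == folder and datetime.fromisoformat(ts) >= since:
            counts[user] += 1
    return counts

def probable_owner(events, folder, since):
    """The most active user is the first person to ask who the data owner is."""
    counts = activity_by_user(events, folder, since)
    return counts.most_common(1)[0][0] if counts else None

def review_entitlements(acl, events, since):
    """Per folder: owner candidate, users with access but no activity in the
    window (revocation candidates), and broad groups present on the ACL."""
    report = {}
    for folder, entries in acl.items():
        active = activity_by_user(events, folder, since)
        report[folder] = {
            "owner_candidate": probable_owner(events, folder, since),
            "stale_users": [t for t, k in entries if k == "user" and t not in active],
            "broad_groups": [t for t, k in entries if k == "group" and t in BROAD_GROUPS],
        }
    return report

if __name__ == "__main__":
    print(review_entitlements(ACL, EVENTS, SINCE))
```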

Surely the loyalty of your customers should be rewarded by securing their sensitive information. A breach doesn’t just affect the person whose account has been emptied; it can affect your reputation if the violation can be traced to your door. Compliance is important for everyone in the chain, and it may be easier than you realize not to be the weak link.

About David Gibson

David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Technical Services at Varonis Systems where he oversees product marketing and positioning. As a former technical consultant, Mr. Gibson has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).


** Citigroup Customer Data Leaked on LimeWire (2007): http://www.eweek.com/c/a/Security/Citigroup-Customer-Data-Leaked-on-LimeWire/

*** Organisations Struggle To Manage Customer Data As Information Assets (2007): http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/organizations-struggle-to-managecustomer-data-as-information-assets/?cs=22600
