RealTime IT News

Merchants Cope With PCI Compliance - Page 2


Holistic view

Because security involves more than just passing PCI audits, enterprises should take a holistic view of their security efforts: implement proper security measures throughout the organization from the start rather than just patching in PCI compliance afterward.

"The biggest concern we have is that people will get this false sense of security thinking they've passed the audit and that's enough," Taylor McKinley, product manager for Fortify Software, told

"You need to build your applications properly, secure them, test them and then make sure they remain secure," McKinley explained. "Then you put in mechanisms to alert you, so if something happens, you can react quickly."

The process is analogous to how architects implement security for a building, said McKinley, whose company offers application life cycle security and source-code analysis tools.

He continued: "You look at the blueprints and make sure there aren't any holes people can get into; then you put in your security tools -- the locks on doors, the alarms -- then you put in TV cameras and monitor the building to make sure nobody breaks in."

That sounds good, but, as any cop will tell you, there's no such thing as a building that can't be broken into. Any application or computer system can be hacked if someone wants to badly enough.

"It's not possible to achieve perfect security," Danny Allan, director of security research for IBM's Rational software line, told "You want to implement practices and software and approaches that make an organization secure enough."

"The PCI standard is not about making things perfectly secure, it's about giving a level of assurance," Allan added.

He recommended that enterprises don't just look at what the security problems are, but why they appear. "Security issues change, if not daily, at least monthly or yearly, but why they appear hasn't changed -- at least in the 15 years I've been in the business."

Knowing why security issues appear helps developers write good code. "The why focuses on what doesn't change, and that's best practices for writing high-quality code," Allan said.

Know your system

"More often than not, retailers don't know how their POS system works, it's a black box," said John Dasher, director of product management at PGP, which makes e-mail and data-encryption products.

Find out whether the system encrypts the transaction data it keeps on its hard drive before that data is sent back to the head office each day.

Merchants must remember that their minimum-wage employees have access to all the data transmitted to the head office daily, which could open the door to a security breach.
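One practical way to answer the "is it encrypted on disk?" question is to scan the files the terminal keeps for card numbers in cleartext. The script below is an added example written for this article, not code from PGP or any vendor quoted here; it assumes a constructed, CSV-style daily batch file (the format and every value in it are made up) and flags any field that looks like a card number and passes the Luhn check, masking the hits so the report itself does not become another copy of the data.

```python
import re

# Constructed sample of a daily POS batch as it might sit on a store terminal's
# disk before the nightly upload. Every value is made up; the card numbers are
# industry test numbers chosen because they pass the Luhn check, not real cards.
# Line 2 shows what an encrypted field might look like (an opaque ciphertext tag).
SAMPLE_BATCH = """\
2009-06-01,TXN0001,4111111111111111,19.99,APPROVED
2009-06-01,TXN0002,ENC:9f1c0a7d3b4e2c11,45.00,APPROVED
2009-06-01,TXN0003,5500000000000004,7.50,DECLINED
2009-06-01,TXN0004,1234567812345678,12.00,APPROVED
"""

# Candidate PAN: a run of 13 to 19 digits not adjoined by other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, which is what a report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(text: str) -> list:
    """Scan batch text and return (line_number, masked_pan) for each Luhn-valid hit.

    Digit runs that fail Luhn (e.g. an order id) are ignored, which keeps the
    false-positive rate manageable on real batch files.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            cand = m.group(1)
            if luhn_ok(cand):
                hits.append((lineno, mask(cand)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_cleartext_pans(SAMPLE_BATCH):
        print(f"line {lineno}: cleartext card number {masked}")
```

Running it on the constructed batch reports lines 1 and 3 and ignores line 2 (encrypted field) and line 4 (a 16-digit value that fails Luhn). Any hit on a real terminal means card data sits on disk in a form that anyone with file access to the machine, including the store staff mentioned above, can read, which is exactly the life-cycle gap the assessment should surface. The same scan can be pointed at archives and at the head-office landing directory to cover the "where it's stored, where it's archived" questions.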

"There isn't rigorous analysis over the life cycle of that data; leading companies look at the system head to toe and not just at one spot," said Dasher, whose company delivers an integrated encryption framework.

"Don't just shoot from the hip and buy a product to solve a particular problem; look at where the data's stored, whom it's transmitted to, where it's archived."

While retailers should look at their entire enterprise data protection strategy, from cradle to grave, they shouldn't wait until their assessment is completed before putting in solutions.

"Don't sit around and boil the ocean before you start moving forward," Dasher said, adding that there are straightforward technological options that can help solve the problem.

For example, putting encryption on devices in retail outlets is a good start while you are assessing your IT systems. "You have to be both strategic and tactical simultaneously," Dasher explained.

As part of the tactical approach, use some sort of automated tool on your code to identify as many security problems as possible and fix those before applying any sort of PCI solution, Qualys PCI solutions manager Sumedh Thakar told

Once that's done, you can take more detailed actions such as reviewing sections of your code.
