Merchants Cope With PCI Compliance

PCI compliance

These days, you can’t look far without seeing a vendor offering solutions that comply with Payment Card Industry Data Security Standard (PCI-DSS) 6.6.

One of 12 Payment Card Industry, or PCI, requirements, PCI-DSS 6.6 aims to ensure that data entered from untrusted environments into Web applications is fully inspected.

To secure transactions by debit and credit cards, the regulation requires merchants to conduct application code reviews and install Web application firewalls.

Up until now, implementing PCI-DSS 6.6 was optional, but it becomes mandatory June 30.
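The kind of inspection of untrusted input that requirement 6.6 is about, shown as an added example that is not part of the original article and is not any vendor's product code: a minimal server-side validator for the fields a card payment form submits, written in Python. The field names, the allow-list of accepted fields and the per-transaction amount limit are assumptions; the PAN masking rule (first six and last four digits kept) is the usual display rule for log output and is not something the article itself states.

```python
"""Server-side inspection of an untrusted payment form (added example).

Constructed example: every field is checked against an allow-list before the
request is accepted, and the card number is masked before anything is logged.
Field names, limits and the sample forms below are assumptions, not taken from
any real payment application.
"""
import re
from datetime import date
from typing import Optional

PAN_RE = re.compile(r"^[0-9]{13,19}$")   # digits only, within card-length range
CVV_RE = re.compile(r"^[0-9]{3,4}$")
ALLOWED_FIELDS = {"pan", "exp_month", "exp_year", "cvv", "amount_cents"}
MAX_AMOUNT_CENTS = 1_000_000             # assumed business limit: $10,000 per transaction


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; catches typos and obviously fabricated numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:                   # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is starred."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate_payment_form(form: dict, today: Optional[date] = None) -> list:
    """Return a list of validation errors; an empty list means the form is acceptable."""
    today = today or date.today()
    errors = []

    # Allow-list the field names: unexpected fields are rejected, not silently ignored.
    for key in form:
        if key not in ALLOWED_FIELDS:
            errors.append(f"unexpected field: {key}")
    for key in ALLOWED_FIELDS:
        if key not in form:
            errors.append(f"missing field: {key}")
    if errors:
        return errors

    # Card number: strip the separators users type, then require digits plus Luhn.
    pan = str(form["pan"]).replace(" ", "").replace("-", "")
    if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
        errors.append("pan: not a well-formed card number")

    # CVV is validated for shape only and must never be stored after authorisation.
    if not CVV_RE.fullmatch(str(form["cvv"])):
        errors.append("cvv: must be 3 or 4 digits")

    try:
        month, year = int(form["exp_month"]), int(form["exp_year"])
        if not 1 <= month <= 12 or not 2000 <= year <= 2100:
            raise ValueError
        if (year, month) < (today.year, today.month):
            errors.append("expiry: card has expired")
    except (TypeError, ValueError):
        errors.append("expiry: month/year must be numeric and in range")

    amount = form["amount_cents"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT_CENTS:
        errors.append("amount_cents: must be a positive integer within the limit")

    return errors


if __name__ == "__main__":
    # Constructed sample: the well-known test PAN 4111 1111 1111 1111.
    form = {"pan": "4111 1111 1111 1111", "exp_month": 12, "exp_year": 2030,
            "cvv": "123", "amount_cents": 1999}
    print(validate_payment_form(form), mask_pan(form["pan"].replace(" ", "")))
```

The validator returns a list rather than raising on the first problem so that the caller can log every rejected field (with the PAN masked) in one event, which is what an inspection tool or WAF would need to correlate against.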

Although PCI regulations are meant to enhance security at organizations that accept credit and debit cards, they are just part of the overall security puzzle. Finding the right approach is key.

“Compliance doesn’t necessarily equate to good security, but good security does equate to PCI compliance,” said Mike Puglia, director of product marketing at Veracode, which provides static code analysis and dynamic application security testing in software as a service, or SaaS, mode.


Risk management

A major approach to data security involves risk management. A lack of it could further hammer an enterprise already reeling from a data breach.

Risk management embraces everything from calling in the police and having IT staff race to the datacenter to having PR people ready to offer favorable spin on what has happened.

TJX (NYSE: TJX), the Massachusetts-based operator of discount retail clothing chains such as T.J. Maxx and Marshalls, found out firsthand why risk-management planning is critical.

Between 2004 and 2007, the company suffered a security breach that compromised almost 46 million credit- and debit-card numbers.

In addition to the millions of dollars it lost because of the breach, TJX found itself in trouble with the Maine department of motor vehicles (DMV). According to Puglia, 30,000 applicants sought new driver’s licenses in one week because the TJX breach compromised their old ones.

Puglia recommends enterprises set up a process to notify anyone who will be impacted if a breach occurs, whether inside or outside of the enterprise.

Even if a company has risk-management processes in place and is in compliance with PCI, that doesn’t mean much in the larger scheme of things; in fact, being fully PCI compliant could reduce overall enterprise security.

“There are instances where being PCI compliant can actually downgrade your security posture, depending on the size of your organization,” Jack Phillips, co-founder and managing partner for research group Institute for Applied Network Security, told InternetNews.com.

For example, many retailers redesigned their IT architecture to create zones that didn’t interact with each other, to comply with the PCI requirements, but knowledgeable users whose work required they interact with applications in various zones “went around some of the zones and security mandates and software,” Phillips explained.

That has led to a backlash from IT security, which is now refusing to compromise overall security.

“Some of the security professionals are realizing they’ve been so focused on the technical details that they’ve lost touch with the larger behavioral and policy issues that security is really about,” Phillips said.

“IT’s saying it’s not going to sacrifice common sense security, just get 100 percent PCI compliant.”

That could lead to problems for management because “IT security professionals are eager to tell senior management they’re 100 percent PCI compliant” but aren’t sure whether or not their companies will be fined for noncompliance when a breach occurs, Phillips said.

“Ultimately something you never thought of could be the cause of some sort of breach, and the key is mitigating and lowering the exposure, whether it be with the issuers at the PCI level, with the customers, with the banks, or with the federal government,” Phillips said.

“The craft of information security has quickly been transformed from a technical craft to risk management,” Phillips added.




Holistic view

Because security involves more than just passing PCI audits, enterprises should take a holistic view of their security efforts. Implement proper security measures throughout the organization from the start rather than just patch in PCI compliance.

“The biggest concern we have is that people will get this false sense of security thinking they’ve passed the audit and that’s enough,” Taylor McKinley, product manager for Fortify Software, told InternetNews.com.

“You need to build your applications properly, secure them, test them and then make sure they remain secure,” McKinley explained. “Then you put in mechanisms to alert you, so if something happens, you can react quickly.”

The process is analogous to how architects implement security for a building, said McKinley, whose company offers application life cycle security and source-code analysis tools.

He continued: “You look at the blueprints and make sure there aren’t any holes people can get into; then you put in your security tools — the locks on doors, the alarms — then you put in TV cameras and monitor the building to make sure nobody breaks in.”

That sounds good, but, as any cop will tell you, there’s no such thing as a building that can’t be broken into. Any application or computer system can be hacked if someone wants to badly enough.

“It’s not possible to achieve perfect security,” Danny Allan, director of security research for IBM’s Rational software line, told InternetNews.com. “You want to implement practices and software and approaches that make an organization secure enough.”

“The PCI standard is not about making things perfectly secure, it’s about giving a level of assurance,” Allan added.

He recommended that enterprises don’t just look at what the security problems are, but why they appear. “Security issues change, if not daily, at least monthly or yearly, but why they appear hasn’t changed — at least in the 15 years I’ve been in the business.”

Knowing why security issues appear helps developers write good code. “The why focuses on what doesn’t change, and that’s best practices for writing high-quality code,” Allan said.


Know your system

“More often than not, retailers don’t know how their POS system works, it’s a black box,” said John Dasher, director of product management at PGP, which makes e-mail and data-encryption products.

Find out whether the POS system encrypts the transaction data it keeps on its local hard drive, the same data that is sent back to the head office daily.

Merchants must remember that their minimum-wage employees have access to all the data transmitted to the head office daily, which could open the door to a security breach.

“There isn’t rigorous analysis over the life cycle of that data; leading companies look at the system head to toe and not just at one spot,” said Dasher, whose company delivers an integrated encryption framework.

“Don’t just shoot from the hip and buy a product to solve a particular problem; look at where the data’s stored, whom it’s transmitted to, where it’s archived.”

While retailers should look at their entire enterprise data protection strategy, from cradle to grave, they shouldn’t wait until their assessment is completed before putting in solutions.

“Don’t sit around and boil the ocean before you start moving forward,” Dasher said, adding that there are straightforward technological options that can help solve the problem.

For example, putting encryption on devices in retail outlets is a good start while you are assessing your IT systems. “You have to be both strategic and tactical simultaneously,” Dasher explained.

As part of the tactical approach, use some sort of automated tool on your code to identify as many security problems as possible and fix those before applying any sort of PCI solution, Qualys PCI solutions manager Sumedh Thakar told InternetNews.com.

Once that’s done, you can take more detailed actions such as reviewing sections of your code.




Centralized approach

When implementing PCI solutions, take a centralized approach rather than opt for point solutions, because each point solution will produce its own set of logs, Cheryl Traverse, Xceedium’s president and CEO, told InternetNews.com.

Make sure you automate everything as far as possible because “the more you do that can’t be automated, the less likely you are to be in compliance,” Traverse said.

“You want best practices that are cost-effective to implement and maintain,” she added.

IT departments at retailers should also secure their internal systems because “a joint FBI-CERT (Computer Emergency Response Team) study showed 86 percent of all insider attacks came from a current or former tech user,” Traverse said.

After you’ve examined your systems, assessed them and bought the necessary technological solutions, make sure you have processes in place to deal with security gaps and breaches, Mark Kraynak, senior director of strategic marketing at Imperva, told InternetNews.com.

“Technology can only do so much; every time you talk about security, you need to have awareness of your systems and processes in place, and you need technology to help.”

Finally, you have to create, communicate and enforce security policies.


PCI Solutions

“It’s not enough to just come up with security policies and tell your staff about them,” PGP’s Dasher explained. “You must also make sure they comply.”

When you do so, look at the most important applications first, such as your payment applications. “Start with something where you get the most bang for your buck,” Thakar said.

Qualys provides IT security risk and compliance management solutions in SaaS mode.

Meanwhile, Xceedium’s flagship GateKeeper hardened appliance offers centralized encryption of enterprise connectivity so applications can talk securely to each other.

It also compartmentalizes users into their authorized zones and contains them there. Finally, it monitors policy violations, issues alerts when policies are violated and remediates the violations.

Imperva offers a Web application firewall that it is integrating with vulnerability scanners from Hewlett-Packard (NYSE: HPQ), IBM (NYSE: IBM), Cenzic and other vendors.
