A new approach to PCI DSS compliance

By George Chang, Regional Director, Southeast Asia & Hong Kong, Fortinet | Aug 29, 2011

In the past few months, we have witnessed the extraordinary lengths cybercriminals would go to breach target networks and steal valuable data for monetary or competitive gain. This phenomenon is particularly apparent in the world of electronic commerce, where full account details of credit card users are sold for a premium on the black market.
 
Fortunately, the principal stakeholders in the card payment ecosystem have defined a standard that has proven to be highly effective, albeit not infallible, at protecting data from such breaches. Over the past five years, the PCI-DSS framework has evolved from being guidelines without enforceable sanctions to a ‘must-have’ certification to remain in the business of manipulating, storing or transmitting cardholder data.
 
Despite its seemingly narrow focus on cardholder data protection, PCI-DSS spans most IT disciplines and skills, namely the network, database, web applications, file systems, encryption and core security-related processes, such as vulnerability and configuration management. As a result, the cost of implementing compliance has been alarmingly high, bringing into question the applicability of the standard in terms of risks versus costs.
 
Earlier this year, the Ponemon Institute conducted a study in the U.S. on the actual costs of compliance among 160 enterprises, including 46 international ones. The results showed that, for mid-size organizations, the total cost of compliance with regulations such as PCI-DSS, SOX, HIPAA and others weighs in at an average of $3.5 million, while the consequential cost of non-compliance was estimated at $9.4 million. While these figures illustrate a sizeable return on investment, the cost burden remains too great compared to the exposed risk for the majority of organizations where PCI-DSS is a requirement.
 
So, what strategies can be employed to reduce the complexities and costs of a PCI implementation? What are the principal concerns to consider in terms of PCI implementation? 
 
PCI-DSS is multi-disciplinary. Fortinet believes that to fully comply with the standard, it is essential to take a global consolidated approach to address all 12 requirements as a whole before focusing on solving individual elements. The core IT disciplines to be considered are: Networking – Fixed; Networking – Wireless; Data and Databases; IT Assets/End-Points; and Web Applications.
 
1. Network − Fixed
The PCI core requirement covers controlled network segregation, inbound/outbound traffic flows and DMZ implementation. Specific functions include: real-time perimeter anti-virus, IPSec/VPN tunneling support, IDS/IPS, use of strong cryptography (SSL/IPSec), default ‘deny-all’ settings, support for digital certificates and two-factor user authentication, event monitoring, federated device management and reporting, and network vulnerability analysis support. These services cannot be provided by a legacy firewall, even a so-called next-generation firewall. The only way to cost-effectively provide all these services and avoid the deployment of multiple devices is through the use of a Unified Threat Management (UTM) device. A UTM-based solution can help organizations cover all fixed network requirements of PCI while achieving greater overall PCI effectiveness and simultaneously minimizing implementation and operational costs.
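
The default ‘deny-all’ setting and the segregation between the Internet, the DMZ and the cardholder data environment (CDE) are the parts of this requirement an assessor actually tests rule by rule. The following is an added example, not code from the article or from any Fortinet product: a first-match policy evaluator whose fall-through is an implicit deny, plus an audit pass that flags allow rules which let Internet sources reach the CDE or that are broad enough to defeat the deny-all default. The subnets (10.1.0.0/24 as DMZ, 10.2.0.0/24 as CDE, 10.3.0.0/24 as admin), rule names and the `Rule` class are all assumptions made for the example.

```python
"""Added example (not from the article or Fortinet): a first-match firewall
policy evaluator with an implicit deny-all default, plus an audit pass that
flags rules breaking Internet/CDE segmentation. All zones, addresses and rule
names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical cardholder data environment (CDE) subnet.
CDE_NET = ip_network("10.2.0.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any
    proto: str            # "tcp", "udp" or "any"
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport)
                and self.proto in ("any", proto))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             proto: str = "tcp") -> Tuple[str, str]:
    """First matching rule wins; no match means deny (the deny-all default)."""
    for rule in rules:
        if rule.matches(src, dst, dport, proto):
            return rule.action, rule.name
    return "deny", "implicit-deny-all"


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that expose the CDE to untrusted sources or that are
    so broad they defeat the deny-all default."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src_net, dst_net = ip_network(rule.src), ip_network(rule.dst)
        untrusted_src = src_net.prefixlen == 0          # 0.0.0.0/0 = Internet
        if untrusted_src and dst_net.overlaps(CDE_NET):
            findings.append(f"{rule.name}: Internet source may reach CDE {dst_net}")
        if untrusted_src and dst_net.prefixlen == 0:
            findings.append(f"{rule.name}: any-to-any allow defeats deny-all default")
        if rule.dport is None and rule.proto == "any" and dst_net.overlaps(CDE_NET):
            findings.append(f"{rule.name}: all ports/protocols allowed into CDE")
    return findings


# Constructed policy: Internet -> DMZ web tier on 443 only, DMZ -> CDE database
# on 5432 only, admin jump subnet -> CDE on 22. Everything else hits deny-all.
POLICY = [
    Rule("web-in", "0.0.0.0/0", "10.1.0.10/32", 443, "tcp", "allow"),
    Rule("web-to-db", "10.1.0.10/32", "10.2.0.20/32", 5432, "tcp", "allow"),
    Rule("mgmt-to-cde", "10.3.0.0/24", "10.2.0.0/24", 22, "tcp", "allow"),
]

# The same policy with a "temporary" debugging rule someone forgot to remove.
BAD_POLICY = POLICY + [Rule("temp-debug", "0.0.0.0/0", "10.2.0.0/24", None, "any", "allow")]

if __name__ == "__main__":
    print(evaluate(POLICY, "203.0.113.5", "10.1.0.10", 443))     # allow via web-in
    print(evaluate(POLICY, "203.0.113.5", "10.2.0.20", 5432))    # deny, implicit
    for finding in audit(BAD_POLICY):
        print("FINDING:", finding)
```

The point of running `audit()` separately from `evaluate()` is that a policy can pass every traffic test you think to run and still contain a forgotten catch-all rule; checking rule shape (source breadth, destination overlap with the CDE, any-port/any-protocol) catches the class of mistake rather than one instance of it.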
 
2. Network − Wireless
In many ways, the wireless network is subject to the same constraints as the fixed network, but it must also provide the following additional key functions:
 
  • Support for both ‘thick’ and ‘thin’ access point (AP) solutions that can work within a seamless management framework
  • Detection of rogue APs against a defined hardware inventory
  • Support and logging of wireless IDS/IPS
  • Support for WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption
 
In practice, the best approach in larger deployments is to minimize the deployment of thick APs, which have wireless control, IPS, etc. built into the physical devices, and favor the deployment of thin APs, which are much easier to manage and maintain. Thin APs tunnel wireless traffic to wireless controllers, allowing significant economies of scale and simplified security management through a 'single pane of glass' management console for increased visibility and policy enforcement.
 
3. IT Assets / Endpoints
IT assets include servers, desktops, laptops, operating systems, mobile devices and network equipment. The core objective is to ensure that all assets that constitute the PCI cardholder data environment are subject to the core security management processes. Here, in order to meet the PCI-DSS requirements most effectively at minimal cost and complexity, it is important to consider the management of deployed endpoint security technologies and controls. The top five elements on the checklist are:
 
  • Support for asset vulnerability management to ensure that all operating systems are patched to the latest version and to assess configuration specific vulnerabilities
  • Configuration management capability against globally accepted best practices for operating system platform deployment (e.g. NIST and FDCC)
  • Endpoint policy control to blacklist/whitelist software, processes, devices, drivers, access lists, etc.
  • Automated remediation of configuration and audit issues for cost-effective operation
  • Deployment of client/mobile device anti-virus, preferably centrally administered
 
4. Data & Databases
It is impossible to comply with PCI-DSS without implementing a database security solution to protect against data loss or fraud. Whether due to an error or a deliberate intent to harm, data loss can have serious consequences. In order to meet PCI-DSS compliance, a database security solution must include:
 
  • Database-specific vulnerability assessment and penetration testing
  • Configuration management for assessment against global best practices and/or the organization’s own data security standards
  • Access control assessment at both the database and the application levels
  • Real-time monitoring of database users and their activity on both the database and critical cardholder data
 
In order to simplify the creation and enforcement of data security policies that help meet PCI-DSS compliance, it is important to look for a centrally managed database security solution that provides all of the above features on one device. Enhanced solutions include features such as automatic discovery of databases and sensitive data. Further desirable functions include pre-built policies covering standard industry and government requirements which, when combined with a comprehensive set of graphical reports, deliver out-of-the-box readiness and immediate value for PCI-DSS compliance.
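
The real-time monitoring bullet above is the one that turns a database security product from an assessment tool into a detective control. The following is an added example, not code from the article or from any Fortinet product, showing what that monitoring logic looks like over constructed audit-log lines: it flags access to cardholder tables by accounts outside an allow-list, bulk reads with no WHERE clause, and privilege or schema changes on those tables. The log line format, the table names (`cards`, `card_tokens`), the account names and the `payments` database are all assumptions made for the example.

```python
"""Added example (not from the article or Fortinet): database activity
monitoring over constructed audit-log lines. It flags access to cardholder
tables by accounts outside an allow-list, bulk reads with no WHERE clause, and
privilege or schema changes on those tables. Log format, table names and
account names are all invented for illustration."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Hypothetical tables holding cardholder data and the accounts allowed to touch them.
SENSITIVE_TABLES = {"cards", "card_tokens"}
ALLOWED_USERS = {"cards": {"pos_app"}, "card_tokens": {"pos_app", "vault_svc"}}

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt="(?P<stmt>.*)"$')
# Table names follow these keywords in the statements we care about.
TABLE_RE = re.compile(r"\b(?:from|into|update|join|table|on)\s+([a-z_][a-z0-9_]*)", re.I)
PRIVILEGED = {"GRANT", "REVOKE", "ALTER", "DROP", "TRUNCATE"}


class Event(NamedTuple):
    ts: str
    user: str
    db: str
    stmt: str


def parse(line: str) -> Optional[Event]:
    """Parse one audit line; return None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def referenced_tables(stmt: str) -> set:
    return {t.lower() for t in TABLE_RE.findall(stmt)}


def analyse(event: Event) -> List[Tuple[str, str, str]]:
    """Return (alert_type, user, table) tuples for one event."""
    alerts = []
    touched = referenced_tables(event.stmt) & SENSITIVE_TABLES
    if not touched:
        return alerts                       # not cardholder data; nothing to do
    verb = event.stmt.split()[0].upper()
    for table in sorted(touched):
        if event.user not in ALLOWED_USERS.get(table, set()):
            alerts.append(("UNAUTHORIZED_USER", event.user, table))
        if verb == "SELECT" and not re.search(r"\bwhere\b", event.stmt, re.I):
            alerts.append(("BULK_READ", event.user, table))
        if verb in PRIVILEGED:
            alerts.append(("PRIVILEGED_CHANGE", event.user, table))
    return alerts


def monitor(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run analyse() over a log and return (timestamp, alert, user, table) rows."""
    rows = []
    for line in lines:
        event = parse(line)
        if event:
            rows.extend((event.ts,) + alert for alert in analyse(event))
    return rows


# Constructed audit log: one normal app query, one unrelated insert, one bulk
# read by a human account, and a grant that widens access to the cards table.
SAMPLE_LOG = """\
2011-08-29T10:15:02Z user=pos_app db=payments stmt="SELECT pan, expiry FROM cards WHERE id = 42"
2011-08-29T10:15:09Z user=pos_app db=payments stmt="INSERT INTO orders (id, amount) VALUES (9, 19.99)"
2011-08-29T10:16:30Z user=jsmith db=payments stmt="SELECT pan FROM cards"
2011-08-29T10:17:01Z user=dba2 db=payments stmt="GRANT SELECT ON cards TO reporting"
""".splitlines()

if __name__ == "__main__":
    for row in monitor(SAMPLE_LOG):
        print(row)
```

The allow-list is deliberately per table rather than per database: the application service account legitimately reads single card rows, so the interesting signals are a different principal touching the table at all, a read with no row restriction, and any statement that changes who else can get there. The table-name regex is adequate for the constructed lines but is not a SQL parser; a product doing this for real parses the statement.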
 
5. Web Applications
As web applications are particularly exposed to the outside world, the PCI-DSS standard addresses them in detail in requirement 6.6. There are two methods a company can apply in order to comply with PCI DSS: a) conduct yearly code reviews, or b) deploy a Web application firewall. While code reviews and testing are essentially process-based, a significant cost saving can be made through the implementation of a Web application firewall. The key functions that should be included in such a solution are:
 
  • Support of OWASP Web security guidance, including cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerability protection
  • Protection against DoS and buffer-overflow-type attacks at both the HTML and HTTP levels
  • Access control and web application user authentication
  • Monitoring and management of error events
  • Incorporation of a web application vulnerability scanning capability for regular internal scans
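
To make the first four bullets concrete, the following is an added example, not code from the article or from any Fortinet product: a minimal request filter of the kind a Web application firewall applies in front of an application. It enforces body and header size limits (the DoS / buffer-overflow bullet), matches a few XSS signatures after URL- and HTML-decoding the input, validates an HMAC-based CSRF token bound to the session, and records every blocked request so the events can be monitored. The `Request` class, the secret, the session id, the paths and the signature list are all assumptions made for the example.

```python
"""Added example (not from the article or Fortinet): a minimal request filter
of the kind a Web application firewall applies in front of an application.
It enforces size limits, matches a few XSS signatures after URL- and
HTML-decoding, validates an HMAC-based CSRF token bound to the session, and
logs every blocked request. Secret, session id, paths and signatures are
constructed for illustration."""
import hashlib
import hmac
import html
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

MAX_BODY_BYTES = 64 * 1024
MAX_HEADER_BYTES = 8 * 1024
SERVER_SECRET = b"constructed-secret-replace-in-real-deployments"

# Deliberately narrow signatures: broad ones (e.g. any "on...=") generate
# false positives on ordinary form fields such as "one=" or "onsite=".
XSS_SIGNATURES = [re.compile(p, re.I) for p in (
    r"<\s*script\b",
    r"\bon(?:load|error|click|mouse\w+|focus|blur)\s*=",
    r"javascript\s*:",
)]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str
    session_id: str


def normalize(value: str) -> str:
    """Decode URL and HTML escaping so signatures see what the browser would."""
    return html.unescape(unquote_plus(value))


def csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id); the server never has to store it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, presented: str) -> bool:
    return hmac.compare_digest(csrf_token(session_id), presented or "")


def inspect(req: Request, log: List[Dict[str, str]]) -> Tuple[bool, str]:
    """Return (allowed, reason); every block decision is appended to `log`."""
    def block(reason: str) -> Tuple[bool, str]:
        log.append({"path": req.path, "session": req.session_id, "reason": reason})
        return False, reason

    if len(req.body.encode()) > MAX_BODY_BYTES:
        return block("body_too_large")
    if any(len(v.encode()) > MAX_HEADER_BYTES for v in req.headers.values()):
        return block("header_too_large")
    for field in (req.path, req.body):
        decoded = normalize(field)
        if any(sig.search(decoded) for sig in XSS_SIGNATURES):
            return block("xss_signature")
    if req.method in ("POST", "PUT", "DELETE") and not csrf_valid(
            req.session_id, req.headers.get("X-CSRF-Token", "")):
        return block("csrf_token_invalid")
    return True, "ok"


# Constructed traffic for a session "sess-1234".
SESSION = "sess-1234"
GOOD = Request("POST", "/checkout", {"X-CSRF-Token": csrf_token(SESSION)}, "amount=19.99&item=42", SESSION)
ENCODED_XSS = Request("POST", "/comment", {"X-CSRF-Token": csrf_token(SESSION)},
                      "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E", SESSION)
NO_TOKEN = Request("POST", "/checkout", {}, "amount=19.99", SESSION)
OVERSIZED = Request("POST", "/upload", {"X-CSRF-Token": csrf_token(SESSION)}, "A" * (MAX_BODY_BYTES + 1), SESSION)

if __name__ == "__main__":
    events: List[Dict[str, str]] = []
    for r in (GOOD, ENCODED_XSS, NO_TOKEN, OVERSIZED):
        print(r.path, inspect(r, events))
    print(len(events), "blocked requests logged")
```

Two design points carry over to any real deployment: the size checks run before any pattern matching, so an oversized request is rejected without being decoded, and the signatures run on the decoded form, since a URL-encoded payload that is only inspected raw will pass straight through. Signature matching alone produces both false positives and false negatives, which is why the bullets above pair the firewall with error-event monitoring and regular vulnerability scans. The CSRF scheme only holds if the session id itself is unguessable.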

The multi-disciplinary nature of PCI-DSS creates complexity and, consequently, organizations have no choice but to deploy a combination of security devices to fully address the requirements of the standard. It is critical to take a consolidated approach in order to improve performance and security and to reduce cost. In fact, using a large range of solution vendors results in a wide array of disparate products and services being introduced into the PCI solution, with the consequence of spiraling complexity (in terms of support, maintenance, resource training, etc.) and total cost of ownership. Minimizing the number of vendors to work with, to a single one if possible, is the only way to dramatically reduce Opex and Capex while removing complexity from implementation and management. A common platform provided by a single vendor will also enable organizations to enhance their security posture, coverage and visibility for a lower overall risk of PCI project failure.
