PCI DSS: Securing Control

Much has been made of the Payment Card Industry Data Security Standard (PCI DSS) and, unless you understand the technology, it can read like a lot of gobbledegook. A great deal of information is available on the PCI Security Standards Council website, but in a nutshell PCI DSS applies to any organisation that processes, transmits and/or stores cardholder data. PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.

To be fully compliant, organisations must satisfy all 12 PCI DSS requirements[1], which are grouped into six categories:

Build and maintain a secure network

This is a no-brainer for any chief information officer (CIO). By using network security controls, PCI DSS-compliant organisations can prevent criminals from remotely accessing payment system networks and stealing cardholder data. The key technologies that CIOs and network managers consider are firewall devices that can control traffic both into and out of the network, particularly into the sensitive areas where cardholder data is stored. This covers access from static endpoints, such as desktop PCs, as well as from mobile ones, including laptops and smartphones.

For organisations that have a firewall, it is important that the (security) vendor-supplied passwords and security parameters are changed. Hackers often leverage such default vendor settings to break into the system.

Protect cardholder data

This data includes any information that is printed, processed, transmitted or stored on a payment card. Generally, only the limited information that is necessary for the business run by the PCI DSS-compliant organisation should be stored. Anything more than this, including sensitive authentication data after authorisation, should not be stored by financial organisations and retailers without putting strict security elements in place. As guardian of its customers' data, it falls to the organisation to continuously keep track of its cardholders' data and to ensure that it takes the security steps needed to protect that data from misuse at all levels, both internal and external. Encryption of any and all transactions by the cardholder is key to protecting the data from being read by unauthorised persons.
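As an added illustration (written for this article, not code from the PCI Security Standards Council or any vendor it mentions), the Python sketch below shows what "store only what the business needs" looks like at the point where an authorised transaction is written to storage: sensitive authentication data (track data, card verification code, PIN block) is dropped, the PAN is replaced by a masked form plus a keyed hash token so refunds can still be matched, fields outside an allowlist are discarded, and free-text fields are scanned for stray card numbers. The field names, the allowlist, the demo key and the sample record are all constructed; the first-six/last-four masking follows PCI DSS requirement 3.3, which the article itself does not quote.

```python
"""Persistence filter for cardholder data: drop sensitive authentication data
after authorisation, mask/tokenise the PAN and keep only allowlisted fields.
Illustrative code for this article; field names and rules are assumptions."""
import hashlib
import hmac
import re

# Sensitive authentication data: must not be retained once authorisation is complete.
SENSITIVE_AUTHENTICATION_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})

# Fields the (hypothetical) business needs for refunds, disputes and reconciliation.
ALLOWED_FIELDS = frozenset({
    "transaction_id", "amount", "currency", "expiry",
    "cardholder_name", "auth_code", "memo",
})

# In production the tokenisation key lives in a key-management system/HSM,
# never in source code. This constant exists only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"

PAN_DIGITS = re.compile(r"^\d{13,19}$")
# Runs of 13-19 digits, optionally separated by spaces or dashes, inside free text.
EMBEDDED_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalise_pan(pan: str) -> str:
    """Strip separators and refuse anything that is not a plausible PAN length."""
    digits = re.sub(r"\D", "", pan)
    if not PAN_DIGITS.match(digits):
        raise ValueError("value is not a plausible primary account number")
    return digits


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 display rule)."""
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the normalised PAN: lets the business link a refund
    to the original card without retaining the PAN itself."""
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


def scrub_free_text(text: str) -> str:
    """Operators sometimes type card numbers into notes fields; redact them."""
    return EMBEDDED_PAN.sub("[PAN REDACTED]", text)


def sanitise_for_storage(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return the subset of a transaction record that may be written to storage."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTHENTICATION_FIELDS:
            continue  # never persisted post-authorisation
        if field == "pan":
            stored["pan_masked"] = mask_pan(value)
            stored["pan_token"] = tokenise_pan(value, key)
        elif field in ALLOWED_FIELDS:
            stored[field] = scrub_free_text(value) if isinstance(value, str) else value
        # Any other field is silently dropped: store only what the business needs.
    return stored


# Constructed sample record; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECORD = {
    "transaction_id": "txn-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121011000012345678",
    "pin_block": "0123456789ABCDEF",
    "amount": "49.99",
    "currency": "GBP",
    "cardholder_name": "A N OTHER",
    "auth_code": "A1B2C3",
    "memo": "customer read card 4111 1111 1111 1111 over the phone",
    "terminal_debug": "raw dump not needed by the business",
}

if __name__ == "__main__":
    for k, v in sanitise_for_storage(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The allowlist approach is deliberate: a denylist of "secret" fields quietly fails the first time a new integration adds a column, whereas an allowlist means anything unexpected is dropped until someone justifies keeping it.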

Maintain a vulnerability management programme

A vulnerability management programme is the process of systematically and continually locating weaknesses in the infrastructure system. This includes anything from security procedures to internal controls that can potentially be exploited to access the data.

This could range from something as simple as anti-virus software that has not been updated to the maintenance of more sophisticated security systems and applications. Although, in the main, updating is almost automatic with most products and solutions on the market, it is important to ensure that updates occur across the whole network at the same time, to avoid leaving any gap in the system.

Implement strong access control measures

In addition to infrastructure security, access control to cardholder data is key to ensuring its protection. This includes physical security as well as digital security in terms of access to cardholder data granted on a business need-to-know basis. This means that, at any time, network users will only have access to the minimal data that is required to get a job done.

Regularly monitor and test networks

As with the vulnerability management programme, network managers need to regularly monitor and test their networks to find any weaknesses and fix them.

Maintain an information security policy

Most network managers and CIOs have security built into their network infrastructure but quite often have no clear policies governing this. As businesses grow and evolve, a good network security policy would ensure that all eventualities are covered, from who has access to what in the network, to external and internal threats to the network. These need to be revisited and updated as well, to ensure continuous compliance with international standards clearly outlined by the PCI Security Standards Council.

Global security players are focusing on sharing information and tools with the Middle Eastern PCI community to guide senior (non-technical) managers painlessly through the procedures and help them comply with global standards. FVC, representing several of these players, hosts regular seminars not only to promote its own vendor solutions but also to offer clear guidelines on all aspects of PCI DSS compliance. In addition to financial institutions and retailers, key industries that FVC has addressed in the region include the hospitality, e-government and travel sectors.

Each FVC session shares information on direct and indirect financial losses, such as financial penalties, damage to reputation and disruption of operations, along with their effect on deadlines and compliance. The seminars also examine operational and technical information; security initiatives to secure customer information; methods of striking a balance between the costs of compliance and the overall benefits; and cutting-edge security technologies that provide rapid remediation of identified technological and procedural gaps.

[1] PCI Security Standards version 1.1 – http://www.PCISecurityStandards.org.
