02 March 2017
By Tini Schuurmans, Principal Security Consultant, BT.
Discover Principal Security Consultant Tini Schuurmans’ three tips for ensuring your business is compliant with PCI DSS.
Complex card compliance.
Protecting cardholder data is an important part of creating trust between you and your customers. But it’s not just about delivering a better service. The Payment Card Industry Data Security Standard (PCI DSS) requires a certain level of compliance when it comes to securing your customers’ information. If you don’t meet this standard, you could face fines or even restrictions on your business.
Becoming compliant is a complex process, but I do have some advice which will help make your journey easier.
As an auditor (CISA and PCI DSS QSA) I have three principles:
1. Controls must be documented.
2. Controls must be implemented correctly.
3. Controls must be effective.
It’s only when all three principles are covered that I can safely say the control is in place.
Is the control documented?
If a control isn’t documented, it doesn’t exist. The response I often get to this requirement is that there’s no need to document controls because people know what to do — they’ve done it correctly for years.
This may be true for long-term employees, but what about new joiners? Seniors will train new employees, but there are always missing pieces and oversights. And over time, these mean that the control is no longer implemented as originally intended.
Another instance where this is an issue is inventories. I once visited a client’s data centre for an audit and saw a rack of old equipment, including a very old modem, in the corner. I asked my guide if he knew what the equipment was used for but he couldn’t answer, so we checked the inventory, and couldn’t find it there either.
It seemed to be old and forgotten equipment, but it was still connected to the network and a telephone line. Crucially, nobody seemed to be responsible for it. As a result, this equipment was not kept up to date with patches and security controls — making it a huge risk for the client.
The bottom line: if it’s not documented, security is at risk. And so is compliance.
Is it implemented correctly?
This is a no-brainer, but I’ve seen many instances of security controls which had been implemented but which weren’t working. A case in point is where the anti-virus is correctly installed, receiving daily updates, and logging to an internal log server, but the daemon hasn’t been configured to start on boot — so after the first reboot the anti-virus doesn’t run.
Again, documentation is key here. It’s vital to make sure that all necessary steps in a security procedure are documented — and that the installation follows each of these steps correctly.
Is it effective?
If a control doesn’t do what it was intended to, it isn’t compliant. The best place to start is to check your log files. Do you see log entries from the security controls? Do the log records show what you expect them to?
Another way to check if the control is effective is to do exactly what should be prevented. For example, PCI DSS requires you to change all default accounts on the systems. So, to see if you’re compliant, you could:
◾Try to log in with the default user ID/password; is access blocked?
◾Try to log in with a correct user ID but a false password; is access denied and logged? Can you find the log record?
◾If your control is to have access to your website through TLS only, try to use HTTP://domain. Can you get in or is all traffic redirected to the HTTPS://domain?
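As an added example (not from the original post), the Python below automates two of the checks above: confirming that a denied login for a default account actually left a log record, and that a plain-HTTP request is redirected to the HTTPS site. The sshd-style log lines, host names and the `shop.example` domain are constructed, and the function names are my own.

```python
import http.client
import re

# Constructed sample auth log (syslog/sshd style); not taken from a real system.
SAMPLE_AUTH_LOG = """\
Mar  2 09:14:03 pos-gw01 sshd[2114]: Failed password for invalid user admin from 10.0.5.23 port 51022 ssh2
Mar  2 09:14:09 pos-gw01 sshd[2114]: Failed password for opsuser from 10.0.5.23 port 51022 ssh2
Mar  2 09:14:21 pos-gw01 sshd[2116]: Accepted publickey for opsuser from 10.0.5.23 port 51030 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

def failed_logins(log_text, user):
    """Return the log records proving a rejected login attempt for `user`.
    An empty list means the attempt was either not denied or not logged; both are findings."""
    return [line for line in log_text.splitlines()
            if (m := FAILED_RE.search(line)) and m.group("user") == user]

def default_account_blocked(log_text, default_user):
    """True only if the default account's attempt was denied AND that denial was logged,
    and no record shows the account ever being accepted."""
    accepted = [line for line in log_text.splitlines()
                if (m := ACCEPTED_RE.search(line)) and m.group("user") == default_user]
    return not accepted and bool(failed_logins(log_text, default_user))

def redirects_to_https(status, headers, domain):
    """True if a plain-HTTP response is a redirect whose Location points at https://domain."""
    if status not in (301, 302, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return location.lower().startswith(f"https://{domain.lower()}")

def probe_http_redirect(domain, timeout=5):
    """Fetch http://domain/ over plain HTTP and report whether it redirects to HTTPS.
    Needs network access, so it is not exercised by the offline checks below."""
    conn = http.client.HTTPConnection(domain, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    conn.close()
    return redirects_to_https(resp.status, dict(resp.getheaders()), domain)

if __name__ == "__main__":
    print("admin denied and logged:", default_account_blocked(SAMPLE_AUTH_LOG, "admin"))
    print("opsuser failure record:", failed_logins(SAMPLE_AUTH_LOG, "opsuser"))
    print("redirect ok:", redirects_to_https(301, {"Location": "https://shop.example/"}, "shop.example"))
```

Run `probe_http_redirect("your-domain")` against a host you administer to test the live redirect; the sample log lets you see what a passing and a failing log check look like first.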
The Payment Card Industry Security Standards Council (PCI SSC) has created the PCI DSS with these three principles in mind. Using these principles, the standard can also be used for many organisations, even if they don’t handle credit cards.
The standard is very detailed, both in terms of controls and audit testing procedures. So if you replace all references to credit card data with personal data, for example, then you have a good standard for protecting Personally Identifiable Information (PII).
Following this advice is a great start to staying compliant, but there’s still work to do.