23 February 2017
Blogs by author: Balendra Elangco, Chief Security Architect, BT.
Find out why compliance with PCI DSS is good for business, particularly for small organisations.
PCI DSS — ‘YATE’?
Organisations that store, process or transmit payment cards are required to comply with Payment Card Industry Data Security Standard (PCI DSS). But is this yet another tick box exercise (YATE)? Far from it!
For organisations that have a mature security posture, it has to be considered as just another risk they have to deal with — along with many other compliance and regulatory requirements.
But for many smaller organisations that don’t have other obligations, PCI DSS can be used to elevate their security posture. After all, some of them are starting from a very low baseline.
The advantages of PCI DSS.
There are many advantages to implementing PCI DSS. It’s fairly prescriptive and outlines the controls that need to be implemented. It also seeks continuous compliance via the requirements of daily, weekly, monthly and annual activities.
Implemented properly, it should lead to higher levels of security through vulnerability scanning, continuous patching, event monitoring, firewall reviews, user access reviews and so on. It requires an organisation to review its security policies and perform a risk assessment annually.
All of which is likely to strengthen the security posture of many small organisations.
There might be a temptation for many to treat PCI DSS as YATE, even after the initial painstaking effort to implement the controls and obtain the first Attestation of Compliance (AoC). That is the real danger.
Maintaining PCI DSS requires continuous effort and appropriate multi-skilled security resources. A complete PCI DSS solution includes firewalls, IDS/IPS (intrusion detection/protection systems), identity and access management systems (IAM), event logging, privileged access management systems, vulnerability scanning and patch management, as well as the maintenance of numerous processes, the training of people and regular documentation reviews. Many organisations fail in this regard.
An increasingly complicated picture.
Every couple of years the standards are updated, and that generally results in extra activities on top of maintaining a level of control.
Many organisations have outsourced their security management to managed security service providers and many more are considering this option to overcome resource and skills gaps. Adding adoption of cloud to this mix, the picture becomes even muddier.
The PCI DSS refers to managed service providers, hosting providers and cloud providers as service providers, as they store, process or transmit cardholder data on behalf of the entity that requested their service. So any organisation that uses service providers has to ensure that those providers conduct their activities in a PCI DSS compliant manner.
The QSA (qualified security assessor) who assesses an organisation’s PCI DSS compliance will also need to assess its service providers. There could be a number of cascading service providers in a compliance assessment. This can be highly complex and lengthy.
There is a silver lining, however. If the service providers themselves are PCI DSS compliant and can produce their own AoC, the assessor’s job becomes less complex. The assessor only needs to examine these AoCs and does not need to scrutinise the people, processes and technologies of the service provider.
The following diagram illustrates a happy scenario:
You can achieve PCI DSS compliance for your network (LAN/WAN) and security devices with the assistance of a management platform that meets PCI DSS requirements. This platform should provide its own AoC, and you should be able to use the service with the confidence that your devices will be managed in a PCI DSS compliant manner.
You can also greatly reduce the burden of meeting compliance standards with an all-in-one management solution for network and security devices that are within the scope of PCI DSS.
Finally, it should be noted that you can transfer the management responsibility of your devices, but the overall responsibility of proving the compliance remains with you. The risk cannot be transferred.