Payment Card Industry DSS mistakes

InfoSecurity Europe : 09 March, 2009  (Special Report)
Protegrity's Ian Schenkel highlights the top ten slip-ups made in attempts to become PCI compliant

Ian Schenkel, EMEA VP of data security specialist Protegrity, reveals ten of the common mistakes enterprises make in their PCI compliance efforts. These are well-intentioned errors that often have a significant negative impact on budgets and data security. Ian also shares the best practices that can help remediate these slip-ups.

1 Relying too heavily on quarterly scans for web application security assurance

The quarterly internal and external vulnerability scans that PCI DSS requirement 11.2 mandates, and the annual web application review that requirement 6.6 accepts as one of its two options, are security checkpoints, not a method of managing web application security. Web applications are now a preferred attack vector for malicious hackers and need to be assessed continuously, not once a quarter or once a year. For applications developed or customised in-house, the "find, fix, prove" cycle must be performed continually: identify vulnerabilities (find), correct them (fix), and re-test to confirm that the correction is effective (prove). Best practice also dictates that you protect the application layer with a dedicated web application firewall, which is the other option requirement 6.6 offers and, in the author's assessment, helps organisations meet eight of the 12 PCI DSS requirements.

2 Forgetting about the benefits of segmentation

In some cases, rather than re-architecting an entire enterprise environment and revising critical business processes across the board, it may be more effective from a cost and data security standpoint to move the systems that collect, transmit and store cardholder data into their own network segment and restrict these systems' interactions with the rest of the enterprise network. A properly segmented cardholder data environment is smaller, so compliance effort and assessment scope concentrate on the components that actually handle card data. The segmentation itself must then be verified, since a forgotten route into the segment puts the whole network back in scope.

3 Focusing too strongly on a single attack vector

Narrowing the enterprise's focus to protect data against specific types of attacks often results in opening the doors to other types of attacks. Don't implement a media-scare-story-driven security plan based on reacting to every overwrought report or bit of research. Constantly shifting focus to manage the threat of the moment will result in piecemeal security; focus instead on comprehensively securing the data itself.

4 Failing to protect all critical data stores

In a poll recently conducted by my company, we discovered that an alarming number of British retailers are overlooking the need to protect sensitive customer information stored in the data centre which is used for business intelligence. For example, the customer records that the marketing team keeps for trend analysis on shopping habits frequently carry the full card number, and that copy of the PAN falls within the PCI DSS remit just as much as the copy in the payment system; it is too often stored in the clear, which makes the business non-compliant. PCI DSS requires the PAN to be rendered unreadable wherever it is stored (requirement 3.4), by truncation, one-way hashing, tokenisation or strong encryption, and to be encrypted whenever it crosses open, public networks (requirement 4.1); sensitive authentication data such as the card verification code must not be stored at all after authorisation (requirement 3.2). I imagine that British retailers are not the only ones guilty of this - it's important to remember that PCI DSS requires us to secure cardholder data wherever it may reside, including the analytics warehouse.

5 Assuming that PCI responsibility can be outsourced

If a business is required to comply with data protection standards or regulations, and its outsourcing partner fails to protect that personal data, the company that owns the data will most likely be considered at fault and liable for any associated costs, penalties or legal actions that might arise from its exposure. You must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.

6 Neglecting to develop a data retention policy

Rather than plunging headlong into PCI compliance, it's best to begin by conducting a full audit of your systems to identify all the points and places where payment card data is processed, transmitted and stored. Then develop or review your data retention and disposal policy to determine whether it meets the PCI DSS standard. The less stored data that you have to protect, the easier compliance will be. PCI DSS requirement 3.1 calls for retaining only the minimum cardholder data required for business, legal and/or regulatory purposes, and requirement 3.2 forbids keeping sensitive authentication data at all once a transaction has been authorised. Purge systems as necessary and institute new processes. It's less costly to eliminate data and implement change than it is to secure vast stores of data that you don't need.
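Points 4 and 6 above describe one workflow: find where card data is held, discard what the retention policy no longer justifies, render the remaining PANs unreadable, and then prove nothing readable is left. The following Python is an added illustration of that workflow, not Protegrity's or the article's code. The sample records, the retention period, the "as of" date and the tokenisation key are all constructed for the example; a real key would live in an HSM or key-management service, never next to the data.

```python
"""Added example: find / fix / prove for cardholder data in a BI-style record set.
Sample records, retention period and key are constructed placeholders."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitive authentication data: requirement 3.2 forbids storing it after authorisation.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin_block"}

# Hypothetical key for tokenisation; in production it belongs in an HSM / KMS (requirement 3.5).
TOKEN_KEY = b"example-key-not-for-production"

AS_OF = date(2009, 3, 9)   # "today" for the retention check (constructed)
RETENTION_DAYS = 365        # constructed business-justified retention period

# Constructed sample: a card on file plus a CVV2 that should never have been kept,
# a PAN leaked into a free-text note, and a 13-digit order reference that is not a PAN.
SAMPLE_RECORDS = [
    {"customer": "C-1001", "pan": "4111 1111 1111 1111", "cvv2": "123",
     "txn_date": date(2009, 2, 14), "notes": "Repeat buyer"},
    {"customer": "C-1002", "pan": "5500000000000004",
     "txn_date": date(2008, 1, 3), "notes": "Called to change card to 4012888888881881"},
    {"customer": "C-1003", "pan": "",
     "txn_date": date(2009, 3, 1), "notes": "Order ref 1234567890123 (not a card)"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """'Find': every Luhn-valid PAN in a string, separators removed."""
    return [d for d in (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
            if luhn_ok(d)]


def tokenise(pan: str) -> str:
    """Keyed HMAC token: same PAN, same token, so BI can still count repeat customers,
    but useless without the key. An unkeyed hash is not enough: with first six and last
    four digits stored alongside it, only about 10^5 candidate PANs remain to brute-force."""
    return "tok_" + hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def truncate(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits (requirements 3.3/3.4)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace every Luhn-valid PAN in text with its truncated form; return the tokens made."""
    tokens: list[str] = []

    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number, leave it alone
        tokens.append(tokenise(digits))
        return truncate(digits)

    return PAN_RE.sub(repl, text), tokens


def sanitise_record(rec: dict) -> dict:
    """'Fix': drop sensitive authentication data, truncate PANs, attach tokens for analytics."""
    out, tokens = {}, []
    for k, v in rec.items():
        if k.lower() in SAD_FIELDS:
            continue                    # must not be stored after authorisation
        if isinstance(v, str):
            v, found = scrub_text(v)
            tokens.extend(found)
        out[k] = v
    if tokens:
        out["pan_tokens"] = tokens
    return out


def purge_expired(records: list[dict], today: date, retention_days: int) -> list[dict]:
    """Requirement 3.1: keep only what is still needed; less stored data, less to protect."""
    return [r for r in records if today - r["txn_date"] <= timedelta(days=retention_days)]


def prove_clean(records: list[dict]) -> bool:
    """'Prove': True only if no record holds a live PAN or a sensitive authentication field."""
    for r in records:
        if any(k.lower() in SAD_FIELDS for k in r):
            return False
        if any(isinstance(v, str) and find_pans(v) for v in r.values()):
            return False
    return True


def run_example() -> list[dict]:
    """Full find / fix / prove pass over the constructed sample; returns the cleaned store."""
    kept = purge_expired(SAMPLE_RECORDS, AS_OF, RETENTION_DAYS)
    clean = [sanitise_record(r) for r in kept]
    if not prove_clean(clean):
        raise RuntimeError("cardholder data still present after remediation")
    return clean


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
```

The Luhn check matters in practice: a regex alone flags every long number, and the false positives are what make teams stop trusting the audit. The retention step runs first on purpose; a record that the policy says should already be gone needs no protection, only deletion.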

7 Allowing PCI to become a series of projects

Disparate data protection projects, whether created by design or inherited through company mergers, often result in an impossible-to-manage hodge-podge of secured and unsecured systems: some data on some systems encrypted and some not, some systems purged of old data monthly and others harbouring customer information that should have been deleted years ago. If this is the case within your enterprise, consider appointing one person as the PCI DSS compliance manager, to serve as a single point of contact and authority for compliance efforts and, ultimately, to develop and deploy an enterprise-wide unified plan to manage sensitive data assets and enable compliance with applicable regulations and standards.

8 Assuming an enterprise can build on PCI security investments into infinity

The success of an enterprise's security efforts needs to be regularly reviewed and measured: older goals may need to be dropped, new plans may need to be instituted, and sometimes technologies that seemed like great ideas at the time become a gaping security hole as a result of new discoveries. DES encryption, for example, was once considered secure until its short 56-bit key was shown to be brute-forceable in practice in the late 1990s; PCI DSS now demands strong cryptography, which rules DES out. Security is always a moving target and we have to be willing to move forward as conditions demand.

9 Ignoring the corporate culture

Security measures that aren't understood and fully embraced across the enterprise can, and will be, circumvented. As you plan and implement PCI DSS, don't stint on ensuring that employees understand the importance of keeping customer data secure and protected and have the tools and training they need in order to secure that data.

10 Focusing solely on complying with PCI DSS rather than implementing best security practices

Virtually all government and industry privacy and security regulations outline the most basic best practices of data security. Being able to pass a regulatory audit does not automatically ensure effective security. Instead of trying to protect your organisation's data assets solely by striving to meet individual regulatory requirements, focus on acting in accordance with data-security-centred best practices, reinforced by controls such as automated policy enforcement, encryption, role-based access and system auditing. In other words, do the right things instead of just the required things.

Protegrity is exhibiting at Infosecurity Europe 2009, held on 28th - 30th April 2009 at its new venue, Earl's Court, London. The event offers a free education programme and exhibitors showcasing new and emerging technologies alongside practical and professional expertise.
