Screen shot 2014-07-06 at 9.19.28 PM(Daniel Humphries, a security researcher for comparison group Software Advice, recently published The 7 Deadly Sins of PCI DSS Failure and How to Avoid Them. You may read the excerpt below.)

PCI DSS stands for the Payment Card Industry Data Security Standard: a set of compliance regulations applying to every business that accepts, processes, stores or transmits credit card data.

PCI compliance regulations (mandated by the Payment Card Security Standards Council) are so detailed that fulfilling them is a challenge for many businesses. A recent study by IT security firm Fortinet revealed that 22 percent of retailers are not PCI compliant, while an additional 14 percent don’t know if they are PCI compliant or not. But fail an audit, and you can lose the right to process credit card transactions: a death blow for any company.

1. The First Deadly Sin: No Network Segmentation

While Jeff VanSickel, a compliance expert at IT security firm SystemExperts, acknowledges that netowrk segmentation is not an official PCI requirement, failing to execute it is often the biggest cause of audit failure. And who wants that? Do some extra credit work and keep your company safe!

This is a serious error, says VanSickel: “Look at Target—they got hacked because the bad guys got into the network through the HVAC system, and then moved across the flat network to get to the point-of-sale systems.”

Meanwhile, since your flat network effectively grants many people access to the “office” where you keep your money, you will now have to prove to PCI auditors that the entire building is secure. The more of your business that is subject to PCI compliance, the greater the complexity of the task, and the more likely it is that you’ll fail to keep all that data secure.

What can you do?
Network segmentation can be achieved with firewalls and routers. Just make sure you have an expert IT team who will set them up! Also, you should take an inventory of what you already own, as you may already have the tools you need. Many security appliances are designed with PCI (or other compliance standards) in mind.

2. The Second Deadly Sin: Inadequate Access Controls

PCI is very clear that you must assign a unique user ID to each person with access to payment card data, which in turn should be restricted on a need-to-know basis. But according to Michael Fimin, CEO of change auditing software firm Netwrix, this is “one of the of most neglected aspects in the retail industry.”

Fimin says companies often create generic sets of IDs and user names that multiple employees have access to, which means that firms are unable to determine who had access to what in the event of cardholder data theft.

In addition, companies often fail to terminate access when employees leave or are moved to another position and no longer need access to confidential data.

And the result? PCI audit failure.

What should be done?
There’s no getting around it: You must assign employees with access to confidential customer data unique IDs. You also need to establish a policy that employees never share these credentials with anyone else—and educate employees about best practices.

3. The Third Deadly Sin: Sloppy Logging and Monitoring

PCI requires businesses to track user activity and implement controls such as collecting system logs daily, in order to investigate and report on any suspicious activity. If you’re a small business, you can utilize such tools as scripts and spreadsheets. However, he more employees you have, the more time-consuming and difficult this becomes, increasing the likelihood of human error.

What should be done?
You probably already have the audit trail viewing tools you require. For instance, if you are using a Windows server, then you can switch on Event Viewer, a tool that will provide visibility into your system. However, native tools can lack scalability, are sometimes difficult to interpret and may not have enough capacity to haul the data.

Larger businesses with thousands of servers turn to enterprise-level Security Information and Event Management (SIEM) tools that collect every single audit trail from all kinds of systems, and provide business intelligence tools for analysis (Splunk, too, scales up to this level). However, a SIEM system can cost around $100,000 just to install, and after that you would have to hire staff to administer it. So, this is an option for firms with massive IT budgets only.

4. The Fourth Deadly Sin: Feeble Firewalls and Rotten Routers

PCI mandates not only that you have strong controls over your firewalls and routers, but also mandates precisely how you configure them, to make sure the “doors and windows” are set up in such a way that only the right kind of traffic is able to enter and leave the network.

In addition, PCI requires businesses to review firewall and router rules every six months to confirm that every connection into and out of a network is documented.

And yet, according to VanSickel, many companies “feel they already have strong controls, and don’t feel the need to do that type of review.”

The result? Audit failure.

What should be done?
There’s no shortcut: you have to read the rules and configure your firewalls and routers correctly. And then you must check them every six months.

5. The Fifth Deadly Sin: Errors of Encryption

PCI requires you to encrypt your customers’ confidential data at all times. It may sound simple, but there are often multiple complications that result in failure.

The problem with offsite data storage centers is that the business owner does not hold the encryption key—the service provider does. So if the provider is hacked, your data will be exposed, while employees at the provider who do have the encryption key will also be able to see what you are storing.

And so you fail.

What should be done?
Encrypting data in transit doesn’t have to be so complicated. Here, you just have to make sure you are using standard mechanisms such as HTTPS, the common protocol used to access a secure Web server, or a Virtual Private Network (VPN) connection.

6. The Sixth Deadly Sin: Really Dumb Passwords

We’ve discussed this on SAC’s blog many times before. It’s security 101: don’t use really dumb passwords. You know, things like “password” or “123456.”  And yet, even after a seemingly infinite number of articles on the topic, a lot of companies still make this very stupid mistake.

What should be done?
Staff (or even management) may resist the complexities of PCI-compliant passwords. This is another argument for segmentation: If you restrict access to payment card data only to those whose work absolutely requires it, then you will limit the number of individuals who have to abide by these rules, and thus reduce the likelihood of human error.

7. The Seventh Deadly Sin: Dubious Drafts of Documents

PCI mandates that companies draft and maintain policies and procedures. The problem here is that businesses often forget that these are “living documents.”

“People tend to stick [the policy document] on a shelf and not keep it up-to-date, or disseminate what’s in it,” says Sedlack. “The result is that the people in the business touching credit card data might be making decisions putting the business at risk of PCI failure.”

What should be done?
Keep your policy documents up-to-date. VanSickel suggests an even simpler solution. If you’re not confident that your policies are detailed or current enough, then hire an expert security consultant to review them and help with writing them.

“Its a lot less money than going out and buying another piece of hardware,” he says. “All it involves is for the consultant to conduct a couple of interviews with your tech people to understand what’s deployed, and then [document] it. It’s not that difficult once it’s written to keep it up-to-date.”

 

The Security Awareness Company

With over 25 years of industry experience, we serve both small & large organizations to create successful security awareness and compliance programs on an international scale. Our team is a strong, creative powerhouse with a passionate vision and we consistently produce on-trend end-user training materials of the highest caliber.

Latest posts by The Security Awareness Company (see all)