
How To Keep The Company's Data Safe

The Payment Card Industry Data Security Standard (PCI DSS) is probably the most important security standard that currently exists. That’s a bold claim, but it’s me rather than the PCI Security Standards Council that’s making it. The rationale is this:

The data that almost every Black Hat wants to steal is Payment Card Data. They can sell card details for about $15 each on the black market right now. The price varies, of course. It has been as high as $30 and if you want to sell tens of thousands at once, the price may drop as low as 25 cents. Payment Card Data is fungible.

I was briefed last week about the PCI Council’s “Prioritized Approach” to attaining PCI DSS Compliance. Having talked through it, I think it’s worth describing it in outline here, because it works as a set of guidelines and recommendations for any site that wants to improve its IT security and, in particular, protect its data.

The Prioritized Approach – Six Milestones

The wisdom of having six milestones, prioritized in terms of reducing risk, is that it helps the CSO (or whoever is in charge of security) to draw up a roadmap. The goal may be to attain PCI DSS compliance if you hold payment card data, but if you don’t, the six milestones are damn useful anyway. You can use them to plan or audit the security processes and policies of any IT site – as long as you bear in mind that this is about protecting data (rather than, say, achieving a comprehensive ID management capability).

Here’s a quick summary of the milestones:

  1. If you don’t need it, don’t store it. Because you can’t steal what isn’t there.
  2. Secure the perimeter. You can think of this as surveying the “attack surface” to the outside world, protecting it and reducing it.
  3. Secure the applications. This is about configuration and patch management, including simple things like always changing default vendor passwords and having a well-defined process for security patches.
  4. Monitor and control access to your systems. This is about bolting down the access, not just to the network but to any and every application.
  5. Protect stored cardholder data. This is mainly about encryption, but also about physical security to any computer processing card data or media that may contain card data (encrypted or otherwise).
  6. Finalize remaining compliance efforts, and ensure all controls are in place. This is mainly about testing the security systems once you’ve got them in place, and, of course, keeping them up-to-date.
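Milestone 1 is easy to state and easy to get wrong in code, so here is an added example (my own, not from the post or from the PCI Council) of what "don’t store it" looks like at the point where a freshly authorized transaction is written to a database: sensitive authentication data such as the card verification code, which PCI DSS does not permit storing after authorization, is dropped outright, and the full card number is replaced by a masked form plus a keyed token, so the stored row never contains a PAN that could be stolen. The token key, field names and sample record are constructed for the example; the encryption-at-rest side of milestone 5, for the cases where a full PAN genuinely must be kept, is not shown here.

```python
"""Data-minimization example for milestone 1 (and the masking side of 5).

Constructed example; not from the PCI Council or the original post.
The secret key, field names and sample record are all made up.
"""
import hashlib
import hmac
import re

# Assumption: a per-deployment secret kept outside the database (for example
# in a secrets manager or HSM); the value below is a constructed placeholder.
TOKEN_KEY = b"example-token-key-not-for-real-use"

# Sensitive authentication data that PCI DSS forbids storing after
# authorization, so it is dropped rather than masked or encrypted.
FORBIDDEN_FIELDS = ("cvv", "pin", "track_data")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, so obviously malformed PANs are rejected before use."""
    total = 0
    for i, c in enumerate(reversed(pan)):
        d = int(c)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the usual PCI masking rule)."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC token: a stable lookup key for a card that does not reveal
    the PAN. An unkeyed hash would be brute-forceable because the PAN space
    is small; the secret key is what prevents that."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimize_record(raw: dict) -> dict:
    """Turn an authorized transaction record into the subset that may be stored.

    - forbidden fields are removed entirely (milestone 1);
    - the PAN is replaced by a masked form plus a keyed token, so the stored
      row contains no full card number at all.
    The input dict is left untouched.
    """
    stored = {k: v for k, v in raw.items() if k not in FORBIDDEN_FIELDS}
    pan = stored.pop("pan")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = tokenize_pan(pan)
    return stored


# Constructed sample record; 4111111111111111 is a well-known test PAN.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cardholder": "A. Example",
    "cvv": "123",
    "amount": "19.99",
}

if __name__ == "__main__":
    print(minimize_record(SAMPLE_RECORD))
```

The point of the keyed token rather than a plain hash is that card numbers have little entropy: a SHA-256 of every possible PAN can be precomputed, so only a secret key makes the token safe to sit in a database the attacker may later read.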

This is just a summary. The full approach defines everything as a set of detailed points, identifying which milestone each point belongs to. The milestones allow organizations to become compliant gradually and to declare their level of compliance if it is requested by business partners. (Getting fully compliant isn’t necessarily a short journey.)

My only criticism of the milestones as they are currently laid out is that they recommend antivirus use, without mentioning the fact that whitelisting is a far superior approach. There’s no warning, for example, that AV technology that depends only on signatures is deeply flawed. (Have you ever come across an antivirus benchmark where any of the products scored 100%? I thought not. What does that tell you?) Hopefully this aspect of the standards will be brought in line with technical reality soon.

If you want a copy of The Prioritized Approach to Pursue PCI DSS Compliance then click here. It’s recommended reading as far as I’m concerned. The PCI Security Standards Council also does training. To find out more visit the council’s site here.
