How To Keep The Company's Data Safe

The Payment Card Industry Data Security Standard (PCI DSS) is probably the most important security standard that currently exists. That’s a bold claim, but it’s me rather than the PCI Security Standards Council that’s making it. The rationale is this:

The data that almost every Black Hat wants to steal is Payment Card Data. They can sell card details for about $15 each on the black market right now. The price varies, of course. It has been as high as $30, and if you want to sell tens of thousands at once, the price may drop as low as 25 cents. Payment Card Data is fungible.

I was briefed last week about the PCI Council’s “Prioritized Approach” to attaining PCI DSS Compliance. Having talked through it, I think it’s worth describing it in outline here, because it works as a set of guidelines and recommendations for any site that wants to improve its IT security and, in particular, protect its data.

The Prioritized Approach – Six Milestones

The wisdom of having six milestones, prioritized in terms of reducing risk, is that it helps the CSO (or whoever is in charge of security) to draw up a roadmap. The goal may be to attain PCI DSS compliance if you hold payment card data, but if you don’t, the six milestones are damn useful anyway. You can use them to plan or audit the security processes and policies of any IT site – as long as you bear in mind that this is about protecting data (rather than, say, achieving a comprehensive ID management capability).

Here’s a quick summary of the milestones:

  1. If you don’t need it, don’t store it. Because you can’t steal what isn’t there.
  2. Secure the perimeter. You can think of this as surveying the “attack surface” to the outside world, protecting it and reducing it.
  3. Secure the applications. This is about configuration and patch management, including simple things like always changing default vendor passwords and having a well-defined process for security patches.
  4. Monitor and control access to your systems. This is about bolting down the access, not just to the network but to any and every application.
  5. Protect stored cardholder data. This is mainly about encryption, but also about physical security to any computer processing card data or media that may contain card data (encrypted or otherwise).
  6. Finalize remaining compliance efforts, and ensure all controls are in place. This is mainly about testing the security systems once you’ve got them in place, and, of course, keeping them up to date.
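Milestone 1 in code: a constructed example (added here, not from the PCI Council’s document) of what a site keeps from a card transaction after authorization. The full PAN is replaced by its last four digits plus a keyed hash for repeat-customer lookups, the CVV is dropped entirely, and the record, key name and field names are assumptions for illustration.

```python
import hmac
import hashlib
import re

# Constructed sample: what a naive checkout form might hand to the back end.
RAW_TRANSACTION = {
    "order_id": "A1001",
    "amount": "42.00",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
}

# Assumed per-site secret for the lookup token; in practice it lives in a KMS/HSM, not in code.
TOKEN_KEY = b"example-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a digit-only PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def minimise(record: dict) -> dict:
    """Return the subset of a transaction worth keeping: nothing resellable.

    The PAN is truncated to its last four digits and replaced by an HMAC token,
    so duplicates can still be matched without the PAN on disk. The CVV is
    never carried over: sensitive authentication data is not stored after
    authorization.
    """
    pan = re.sub(r"\D", "", record["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed format/Luhn check")
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "order_id": record["order_id"],
        "amount": record["amount"],
        "pan_last4": pan[-4:],
        "pan_token": token,
        "expiry": record["expiry"],
    }


if __name__ == "__main__":
    print(minimise(RAW_TRANSACTION))
```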

This is just a summary. The full approach defines everything as a set of detailed points, identifying which milestone each point belongs to. The milestones allow organizations to become compliant gradually and to declare their level of compliance if it is requested by business partners. (Getting fully compliant isn’t necessarily a short journey.)

My only criticism of the milestones as they are currently laid out is that they recommend antivirus use without mentioning the fact that whitelisting is a far superior approach. There’s no warning, for example, that AV technology that depends only on signatures is deeply flawed. (Have you ever come across an antivirus benchmark where any of the products scored 100%? I thought not. What does that tell you?) Hopefully this aspect of the standards will be brought in line with technical reality soon.

If you want a copy of The Prioritized Approach to Pursue PCI DSS Compliance then click here. It’s recommended reading as far as I’m concerned. The PCI Security Standards Council also does training. To find out more visit the council’s site here.

  1. March 9th, 2009 at 16:45 | #1

    Robin

    These are very sound guidelines, but many organizations will claim that they already follow this approach. And yet we still see [too regularly] incidents of massive data leakages.

    I believe that this is because most organizations may well have ticked all the boxes but still have a ticking timebomb because they depend more or less exclusively on technology for security – please see: http://tinyurl.com/adx6xf

    Likewise stakeholder confidence could be helped by the implementation of an information security capability model (as described in my paper at: http://tinyurl.com/d47kcq )

    Please note these links are genuinely offered to help people understand and avoid data leakage, which is a very real risk that I think is growing, despite massive investment in so-called data security.

    The effective response to a complex threat/risk will naturally be a complex/holistic approach, rather than simply more technology gee-wizardry!

  2. March 9th, 2009 at 17:21 | #2

    Robin

    I have downloaded the PCI DSS docs, they are more than fit for purpose and I know from personal experience (former Head of Communications Infrastructure at BACS) just how rigorous the “official” members of the value chain (payment processors) must be.

    However, there are far more “provos” out there, processing card payment details through self-constructed e-business sites who haven’t really got anywhere near the same level of risk awareness. For too many “payment handlers” it’s all about getting the cash into PayPal (or other such service) and hoping none of the punters’ details fall off the edge of the transactions.

    Some of my direct observations of very poor payment practice would curdle minds against ever transacting online again, should they ever be published. I know this sounds sensationalist but I simply cannot even think about naming and shaming, which in some ways is a shame (sic).

  3. Bloor Robin
    March 9th, 2009 at 17:00 | #3

    Colin, it’s fine for you to post links on my blog, as I’m sure you know. I don’t know if you’ve read through the PCI DSS milestones in detail, but they are nicely thorough. I doubt if many organizations can tick all boxes, but I know that most will tick some of the boxes by obeying the letter rather than the spirit of the recommendation. That, as we both know, is part of the compliance problem. I downloaded and read your paper. I can recommend it.