A laser focus on PCI compliance

There won't be time for much else as our manager prepares for the PCI Report on Compliance audit.

For the past few weeks, I've been knee-deep in PCI compliance. I have previously mentioned that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.

The QSA has to understand the scope of the audit. To help, we provided things such as network and data flow diagrams, a list of hardware and software assets and the names of everyone who has a significant level of access to the environment that we use to store customer credit card data. With this information in hand, we met with our QSA and narrowed the scope to our two production data centers and our disaster recovery data center, where we store customer credit card data. Because we use very strict firewall rules and proper physical and logical segmentation, our very large corporate IT infrastructure is not in scope.

And now the fun begins. Of those 400-plus controls, only a few tend to get companies in trouble. One of these pertains to security information and event management (SIEM). If you have a robust SIEM infrastructure, a dedicated security operations center or a managed service, you'll probably do well. I wish that were the case for us, but our SIEM program is still in its infancy. We're working on selecting and then implementing a robust SIEM tool, but for now we are still doing things via log collection, scripts and the manual review of events. That makes it difficult for us to prove that we can reliably identify and take action on security attacks. We do an OK job but could really use the help of a modern event correlation product or service.

Another area that many companies are weak in is configuration management. I'm hopeful that we will be OK. We use standard baseline images for our Microsoft Windows, Linux and Cisco operating systems and major applications, such as Apache and Oracle, which follow most of the recommendations from the Center for Information Security. We also have integrity-checking software that monitors when any of the configurations have changed from the initial baseline. I know the QSA will choose a sampling of identified devices (servers, firewalls, routers, etc.) and match the configuration against our defined baseline, and given our procedures in this area, I think we'll pass this portion of the audit without any problems.

Then there's vendor management. Some of our vendors process credit cards and must meet new, more rigorous PCI rules for third-party vendors, including some that relate to contract wording. This will affect things like our content delivery network (CDN). Many of our CDN vendors decrypt network traffic in order to inspect it for Web application security issues and other things before re-encrypting it and sending it to our servers. Since that traffic may contain credit card data, those vendors will have to be in compliance.

The new requirements for PCI compliance will also require regular testing of our infrastructure, including application and system penetration tests from both external and internal locations. Of course, it's a constant struggle to ensure that our apps and servers are maintained in a secure manner. We already run monthly credentialed and non-credentialed scans from our internal network, and we have two qualified application security vendors and other vendors run scans against our infrastructure from the public Internet. We are well aware of the value of this. Our main application goes through many changes throughout the year, and it's all too easy for a programmer or system administrator to inadvertently introduce application vulnerabilities such as cross-site scripting or open redirects, or for a sysadmin to forget a vendor patch.

Gaining the PCI stamp of approval will take months. I will be reviewing policies, ensuring that processes are in place and generating the plethora of evidence needed by the auditors to prove that we meet the hundreds of requirements imposed by PCI.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
