Typical Pitfalls Complying with PCI DSS
Maintaining a compliant PCI DSS network environment is an everyday battle. While compliance is assessed and attested to on an annual basis, there are daily, weekly, monthly and quarterly tasks that must also be carried out in order to meet specific requirements. With these tasks come common pitfalls, whether technical or procedural, that can affect an entity's ability to maintain a compliant in-scope network.
The description that defines the scope of the network is confusing. According to the definition, it includes system components which store, process, or transmit cardholder data, and all systems connected to those systems. Deciding which devices are in the network and need to be patched on a regular basis adds stress to the networking and systems administration teams. If it is in scope, it needs to be patched on a regular basis.
• The only exception to this rule is third-party applications which the entity does not manage; examples include payment or web applications like Java or Silverlight which are neither owned nor maintained by the entity.
PCI DSS Requirement 10: Meeting each logging requirement
Logging and auditing system components is an everyday process that can bring daily struggles. Common issues arise from requirements that mandate a daily security review of auditable events, which must be offloaded to either a centralized logging server or to media which is secured and difficult to alter. Whether through technical (not having appropriate configurations) or business (not having enough team members) restrictions, maintaining compliant logging solutions can bring down an entity's compliance percentage and cause additional stress on teams who manage systems that must be logged.
Securing and hardening management interfaces
Web servers are integral to an organization's online presence. If there are web-based management interfaces, they now (for the time being) must only communicate over secure channels such as HTTPS with TLS 1.2. With the recent SSLv3 vulnerability, browsers utilizing that protocol will be considered non-compliant, and fail a PCI DSS vulnerability scan performed by an ASV.
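As an added illustration of the point above (not code from the original article), the following checker reads the protocol list a management interface offers and flags anything older than TLS 1.2. It assumes nginx's `ssl_protocols` directive syntax and uses constructed sample configurations; a vhost with no explicit directive is reported as non-compliant because the server default then applies and must be verified by hand.

```python
import re

# Protocol tokens as spelled in nginx's ssl_protocols directive (assumed syntax).
ACCEPTED = {"TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a management vhost that still offers SSLv3 and TLS 1.0/1.1.
WEAK_CONFIG = """
server {
    listen 8443 ssl;
    server_name mgmt.example.internal;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# The same vhost after hardening: only TLS 1.2 and newer are offered.
FIXED_CONFIG = WEAK_CONFIG.replace(
    "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
    "ssl_protocols TLSv1.2 TLSv1.3;",
)

_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def offered_protocols(config):
    """Return every protocol token from all ssl_protocols directives in config."""
    tokens = []
    for match in _DIRECTIVE.finditer(config):
        tokens.extend(match.group(1).split())
    return tokens


def audit_ssl_protocols(config):
    """Classify offered protocols; compliant only if an explicit directive
    exists and it names nothing deprecated or unrecognised."""
    offered = offered_protocols(config)
    weak = [p for p in offered if p in DEPRECATED]
    unknown = [p for p in offered if p not in DEPRECATED and p not in ACCEPTED]
    return {
        "offered": offered,
        "weak": weak,
        "unknown": unknown,
        # No directive at all means the server default applies: flag for review.
        "compliant": bool(offered) and not weak and not unknown,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_ssl_protocols(cfg))
```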
Understanding and implementing Compensating Controls
Sometimes business or technical constraints may prevent the measures needed to fully meet a requirement. To address these, there are Compensating Controls that allow entities to go above and beyond the requirement with technology and processes to meet the intent of the requirement. However, knowing which requirements allow a Compensating Control, and how to securely and compliantly implement one, is a common struggle that the technology team will face.
Maintaining compliance is an everyday battle
After your assessment is over, utilize the information you learn from your assessor to maintain a compliant environment. PCI DSS compliance is an annual attestation, and requires the full cooperation of every team member for your business to remain compliant. Provide periodic training and inspiration for team members; every person plays a part in securing your customer’s data and the future of the business.
If data must be stored, encrypt the data in transit and at rest
Encrypt data in transit and at rest using industry-accepted standards, such as SSLv3 over HTTPS and AES 256-bit encryption respectively. If your business does not need to store data, don't store it!
Perform Internal Security Assessments
PCI DSS compliance requires that businesses either perform internal vulnerability scanning and internal penetration testing themselves or contract them to a third party. If your business designates an internal resource to perform one or both of these operations, this person must be knowledgeable in security testing procedures, and also must not be directly involved in the overall PCI DSS assessment (this is described as organizational independence).
We advocate a “security approach to compliance” instead of a “compliance approach to security” because it is critical to have a strategy that’s scalable, sustainable, and is backed by a culture that values information security throughout the organization. This can help reduce the risk of breaches and damage to your brand reputation, and help you manage your costs and resources.