Data security best practices for PCI DSS compliance


David Mortman, Contributor

Every time a company that is compliant with the Payment Card Industry Data Security Standard (PCI DSS) is breached, the masses form with their torches and pitchforks and declare that PCI doesn't work. This was the case with two recent high-profile data breaches: the Hannaford Bros. Co. breach disclosed in March 2008 and the Heartland Payment Systems Inc. breach disclosed in January 2009.

The problem isn't that PCI doesn't work. The problem is the perception that if a company is PCI compliant, it is secure and will never suffer a data breach. The reality is that PCI, like any other mandate -- be it HIPAA, GLBA, etc. -- merely sets a baseline for what needs to happen in order to handle certain kinds of data securely and to avoid fines, loss of services or loss of the license to operate. In the case of PCI, it means that when (yes when, not if) a merchant or other company in the payment-processing life cycle faces a security problem, it can show it met that baseline and is far less likely to be fined by Visa, MasterCard or one of the other card brands behind the PCI Security Standards Council.

PCI is not perfect, but the point isn't perfection. Rather, the idea is to raise the bar to a reasonable level. PCI DSS version 1.2 corrected several issues from earlier iterations, and the standard will surely continue to evolve as the PCI SSC identifies requirements that don't work well or gaps that were missed. Case in point: in both the Hannaford and Heartland breaches, the attackers planted malware that captured card data and sent it to external servers over the Internet. It would be surprising if the next version of the standard did not mandate some sort of monitoring of outbound data flows for cardholder data and other personally identifiable information (PII).

In the meantime, this kind of monitoring is something you should already be doing at your organization, and it goes beyond deploying a data leak prevention (DLP) product. DLP inspects content, and cybercriminals are increasingly encrypting what they exfiltrate, so content inspection alone will miss exactly the traffic that matters most. That makes traffic analysis on flow metadata (NetFlow, sFlow, firewall connection logs) a necessary complement: which internal hosts talk to which external addresses, on what ports, how much they send and how regularly. None of that requires looking inside the packets, so encryption does not blind it, and it surfaces anomalies quickly: a cardholder-data server that suddenly talks to a new external address, an outbound byte count well above its normal profile, or connections that repeat on a clockwork schedule. Think of it as an early warning system that complements DLP rather than replacing it.
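As an added illustration of flow-based traffic analysis (example code written for this page, not part of the original article or of any product), the script below runs three checks over constructed NetFlow-style records from an assumed cardholder-data subnet: a destination the host has never talked to before, a per-flow byte count far above the host's baseline, and clockwork-regular connections to an external address. The subnet ranges, hosts and every flow record are made up; the 203.0.113.77 "callback" address is documentation space.

```python
"""Flow-level (metadata only) anomaly detection for outbound traffic from
cardholder-data hosts.  Added example written for this page; not code from the
original article.  Because it never reads payloads, an encrypted exfiltration
channel looks exactly as suspicious as a cleartext one.
All subnets, hosts and flow records below are constructed sample data."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CDE = ip_network("10.10.0.0/24")         # assumed cardholder-data environment
INTERNAL = (ip_network("10.0.0.0/8"),)   # assumed internal address space

# Flow record: (epoch seconds, src, dst, dst_port, bytes sent by src)
# Baseline: a day of the CDE host talking only to two internal servers.
BASELINE_FLOWS = (
    [(t, "10.10.0.5", "10.20.0.9", 1433, 900) for t in range(0, 86400, 300)]
    + [(t, "10.10.0.5", "10.20.0.10", 443, 1200) for t in range(0, 86400, 600)]
)
# Next day: the same DB traffic plus a 60-second beacon pushing ~50 KB per
# connection to an outside address (constructed to resemble malware callbacks).
SUSPECT_FLOWS = (
    [(86400 + i * 600, "10.10.0.5", "10.20.0.9", 1433, 900) for i in range(6)]
    + [(86400 + 7 + i * 60, "10.10.0.5", "203.0.113.77", 443, 51200) for i in range(30)]
)


def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)


def build_baseline(flows):
    """Per CDE host: the (dst, port) pairs it normally talks to and its mean flow size."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for _, src, dst, port, nbytes in flows:
        if ip_address(src) in CDE:
            dests[src].add((dst, port))
            sizes[src].append(nbytes)
    return {h: {"dests": dests[h], "mean_bytes": mean(sizes[h])} for h in dests}


def beacon_score(times):
    """Coefficient of variation of inter-arrival gaps.  Near zero means
    machine-regular timing, which interactive traffic almost never has."""
    if len(times) < 5:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def detect(flows, baseline, volume_factor=10, beacon_cv=0.1):
    """Return (ts, src, dst, port, reason) alerts for CDE-sourced flows."""
    alerts, seen_new, times = [], set(), defaultdict(list)
    for ts, src, dst, port, nbytes in sorted(flows):
        if ip_address(src) not in CDE:
            continue
        prof = baseline.get(src)
        key = (src, dst, port)
        times[key].append(ts)
        # 1. A destination this host has never been seen talking to (alert once).
        if (prof is None or (dst, port) not in prof["dests"]) and key not in seen_new:
            seen_new.add(key)
            where = "external" if is_external(dst) else "internal"
            alerts.append((ts, src, dst, port, f"new-{where}-destination"))
        # 2. A single flow far larger than this host's usual flow size.
        if prof and nbytes > volume_factor * prof["mean_bytes"]:
            alerts.append((ts, src, dst, port, "volume-spike"))
    # 3. Clockwork timing toward an outside address, judged on timing alone.
    for (src, dst, port), ts_list in times.items():
        cv = beacon_score(ts_list)
        if cv is not None and cv < beacon_cv and is_external(dst):
            alerts.append((ts_list[0], src, dst, port, "beaconing"))
    return alerts


def summarize(alerts):
    """Alert counts by reason, the shape a SIEM correlation rule would consume."""
    return dict(Counter(reason for *_, reason in alerts))


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for alert in detect(SUSPECT_FLOWS, profile):
        print(alert)
    print(summarize(detect(SUSPECT_FLOWS, profile)))
```

The beacon check keys on timing alone, so a legitimate scheduled job pulling from an outside vendor will trip it too; treat the output as leads to investigate, which is what an early warning system is for. To run it against real exports, replace BASELINE_FLOWS with a week of flows from a known-good period and feed the current day's flows to detect().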

Another area to improve beyond PCI is SNMP. PCI currently mandates changing the default SNMP community strings (Requirement 2.1, vendor-supplied defaults). That is a good start, but it isn't enough. SNMPv1 and v2c carry the community string, which is the only credential, in cleartext in every datagram, so anyone who can sniff the management network can read it and then query or reconfigure the device. It does no good to turn on encryption everywhere else if management credentials are passing through in the clear. So, if possible, turn SNMP off; failing that, make it read-only and restrict it to the management network. If you have to use it, use SNMPv3 in authPriv mode, which authenticates each message with an HMAC and encrypts the PDU; v3 in noAuthNoPriv or authNoPriv mode still sends everything in the clear, so the security level matters, not just the version number. Use AES rather than DES for the privacy protocol. Keep in mind that even v3 authPriv still sends the user name and engine ID in the clear and derives its keys from a static per-user passphrase, so while it's a real improvement, it is far from perfect. Again, if possible, turn SNMP off.
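To make "in the clear" concrete, here is an added example (written for this page, not code from the original article or from any SNMP implementation): a minimal BER encoder builds constructed SNMP datagrams, and a decoder reports what a passive sniffer on the management network could read from each. The community string "public", the user name "admin", the engine ID and the ciphertext bytes are all placeholders, and the auth and priv parameters in the v3 messages are zero-filled stand-ins rather than real HMAC or salt values.

```python
"""SNMPv2c vs. SNMPv3 as a passive observer sees them.  Added example written
for this page; not code from the original article.  A minimal BER encoder
builds constructed packets (community string, user name, engine ID and
ciphertext are all made up) and a decoder reports what a sniffer on the
path can read from each."""

NULL = b"\x05\x00"  # ASN.1 NULL, the value in a GetRequest varbind


def tlv(tag, content):
    """BER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def ber_int(v):
    # Non-negative only; the extra byte of headroom keeps the sign bit clear.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_str(b):
    return tlv(0x04, b)


def ber_seq(*parts):
    return tlv(0x30, b"".join(parts))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:           # base-128 with continuation bits
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def get_request_pdu(oid, request_id=1):
    """GetRequest-PDU [0]: request-id, error-status, error-index, varbinds."""
    varbind = ber_seq(ber_oid(oid) + NULL)
    return tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq(varbind))


def v2c_get(community, oid):
    """SNMPv2c: version, community string (the only credential), PDU."""
    return ber_seq(ber_int(1), ber_str(community), get_request_pdu(oid))


def v3_message(user, engine_id, flags, msg_data):
    """SNMPv3 wrapper.  flags: bit0 = auth, bit1 = priv (authPriv = 0x03).
    Auth/priv parameters are zero placeholders, not real HMAC/salt values."""
    global_data = ber_seq(ber_int(1), ber_int(1472), ber_str(bytes([flags])), ber_int(3))
    usm = ber_seq(ber_str(engine_id), ber_int(1), ber_int(10), ber_str(user),
                  ber_str(b"\x00" * 12 if flags & 1 else b""),
                  ber_str(b"\x00" * 8 if flags & 2 else b""))
    return ber_seq(ber_int(3), global_data, ber_str(usm), msg_data)


def scoped_pdu(engine_id, pdu):
    """Plaintext ScopedPDU: contextEngineID, contextName, PDU."""
    return ber_seq(ber_str(engine_id), ber_str(b""), pdu)


def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def sniff(packet):
    """Everything a passive observer can read from one SNMP datagram."""
    _, msg, _ = parse_tlv(packet)
    fields = children(msg)
    version = int.from_bytes(fields[0][1], "big")
    if version in (0, 1):
        # v1/v2c: the community string IS the credential, and it is plaintext.
        return {"version": "v1" if version == 0 else "v2c",
                "community": fields[1][1].decode(), "pdu_encrypted": False}
    flags = children(fields[1][1])[2][1][0]
    _, usm_seq, _ = parse_tlv(fields[2][1])
    usm = children(usm_seq)
    return {"version": "v3", "username": usm[3][1].decode(),
            "engine_id": usm[0][1].hex(),
            "auth": bool(flags & 1), "priv": bool(flags & 2),
            # msgData is an OCTET STRING only when the ScopedPDU is encrypted
            "pdu_encrypted": fields[3][0] == 0x04}
```

The third message shape, a v3 packet with flags 0x00, is worth building for yourself: sniff() shows the whole GetRequest, OIDs included, readable in the clear, which is why "we use v3" is not a sufficient answer. On a net-snmp agent the equivalent hardening is a createUser line that names SHA and AES, a matching rouser entry ending in priv (which makes the agent reject noAuthNoPriv and authNoPriv requests), and deletion of every rocommunity and rwcommunity line.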

The third area to improve beyond PCI is backups. A large share of the breach disclosures made under California's SB 1386 notification law have been due to lost backup tapes and drives rather than theft. As a result, I'd recommend that reviews of the security of outside providers (offsite storage and transport vendors) be done semi-annually instead of annually as PCI dictates, and that these reviews extend not only to the storage itself but also to media-tracking processes and procedures, including how a loss is identified, escalated and handled. I also highly recommend regular and random testing of these procedures: pick a tape at random and have the provider produce it, then see whether a simulated loss actually triggers the response the procedure describes.

These are just three examples of places that a security program can be improved beyond the requirements of the PCI DSS. I encourage security teams to look at all 12 sections of the standard and find other places to improve, and share those improvements with your peers.

About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.


All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy