Complying With the Payment Card Industry (PCI)
Credit card merchants, service providers and retailers that process, store or transmit cardholder data are obligated to protect that data. With data volumes growing and the tolerance of regulators and consumers for breaches falling, meeting that obligation is a real challenge. Whether the business sells books online or groceries at a local store, virtually every computer-based transaction leaves a trail in log data, a fingerprint of user and system activity.
The Payment Card Industry (PCI) Data Security Standard, which grew out of the card brands' separate security programs (notably Visa's and MasterCard's) and is now maintained by the PCI Security Standards Council, provides a solid framework for safeguarding cardholder data in the form of 12 requirements, several of which can only be met with log management and intelligence. In particular, Requirement 10 mandates tracking and monitoring all access to network resources and cardholder data, which in practice means generating, protecting, retaining and regularly reviewing audit logs.
STAGES OF COMPLIANCE
The PCI standard applies to store merchants, banks, service providers and card processors. And that is not all. PCI extends to all system components connected to the cardholder data environment, including network components (firewalls, switches, routers, security appliances, etc.), servers (Web, proxy, database, email, authentication, etc.) and applications, both internal and external. In other words, PCI compliance is a lot of work.
The process of complying with PCI can be viewed in three stages:
- Collection and storage - collecting and securely storing all log data so that it is available for analysis yet tamper-evident and protected from unauthorized modification or deletion.
- Reporting - prove compliance on the spot if audited, and present evidence that controls are in place for protecting data.
- Monitoring and alerting - have systems in place, such as auto-alerting, to help constantly monitor access and usage so that administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself – there must be proof that log data is being collected and stored.
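The first and third stages above have a concrete technical core: stored logs must show if anyone alters or removes a record, and the monitoring must notice when a device stops sending logs at all. The following is an added example, not code from the original page or from any product it describes; it implements a hash-chained (HMAC-linked) log store whose verification reports the first record that no longer checks out, plus a "silent source" check that flags in-scope devices that have not logged within a threshold. The key, source names, sample events and thresholds are all constructed for illustration.

```python
# Added example (not from the original page): a tamper-evident, hash-chained
# log store and a "silent source" check that flags devices that have stopped
# sending logs. The HMAC key, the sample events, the source names and the
# thresholds are constructed for illustration only.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-link value used for the first record in the chain


class HashChainedLog:
    """Append-only log where every record is bound to its predecessor by an
    HMAC over (seq, ts, source, msg, prev). Editing, deleting or reordering
    any stored record breaks the chain from that point on, and without the
    key an attacker cannot recompute the MACs to hide the change."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, seq, ts, source, msg, prev):
        body = json.dumps(
            {"seq": seq, "ts": ts, "source": source, "msg": msg, "prev": prev},
            sort_keys=True,
        ).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, ts: int, source: str, msg: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = self._mac(seq, ts, source, msg, prev)
        self.entries.append(
            {"seq": seq, "ts": ts, "source": source, "msg": msg, "prev": prev, "mac": mac}
        )
        return mac

    def first_bad_entry(self) -> int:
        """Walk the chain from the genesis link; return the index of the first
        record whose sequence number, back-link or MAC does not verify, or -1
        if the whole log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = self._mac(e["seq"], e["ts"], e["source"], e["msg"], prev)
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
                return i
            prev = e["mac"]
        return -1


def silent_sources(log, expected_sources, now, max_gap):
    """Return the in-scope sources that have not logged within max_gap seconds
    of `now`. A source that has never been seen is reported as silent too."""
    last_seen = {}
    for e in log.entries:
        last_seen[e["source"]] = max(last_seen.get(e["source"], 0), e["ts"])
    return sorted(s for s in expected_sources if now - last_seen.get(s, float("-inf")) > max_gap)


# Constructed sample events: (unix timestamp, source, message). Not real data.
SAMPLE_EVENTS = [
    (1000, "fw-edge-1", "DENY tcp 203.0.113.7:4444 -> 10.0.5.20:1433"),
    (1010, "db-cardholder", "LOGIN ok user=app_pos"),
    (1020, "pos-web-1", "GET /checkout 200"),
    (1300, "fw-edge-1", "ALLOW tcp 10.0.5.20:1433 <- 10.0.1.8:50122"),
    (1310, "pos-web-1", "POST /checkout 200"),
]
# Devices in scope that are expected to be sending logs (constructed names).
EXPECTED_SOURCES = ["fw-edge-1", "db-cardholder", "pos-web-1", "domain-controller"]


def build_log(key: bytes = b"demo-key-only") -> HashChainedLog:
    log = HashChainedLog(key)
    for ts, src, msg in SAMPLE_EVENTS:
        log.append(ts, src, msg)
    return log


def demo() -> dict:
    log = build_log()
    intact = log.first_bad_entry()                       # -1: chain verifies
    edited = copy.deepcopy(log)
    edited.entries[1]["msg"] = "LOGIN ok user=nobody"    # silently rewrite a stored record
    deleted = copy.deepcopy(log)
    del deleted.entries[2]                               # silently drop a stored record
    silent = silent_sources(log, EXPECTED_SOURCES, now=1400, max_gap=300)
    return {
        "intact": intact,
        "edited": edited.first_bad_entry(),
        "deleted": deleted.first_bad_entry(),
        "silent": silent,
    }


if __name__ == "__main__":
    print(demo())
```

In production the HMAC key would live outside the log store (an HSM or a separate signing service), so a host compromise that reaches the stored records does not also reach the key; the silent-source threshold should be per source, since a firewall that logs every second and a batch job that logs hourly need different gaps.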
ESSENTIAL IT CONTROLS
Underpinning this is the need for a clear set of IT controls. These provide the framework for evidencing and attesting to compliance. Frameworks such as Control Objectives for Information and Related Technology (COBIT) and the IT Infrastructure Library (ITIL) provide a systematic way of addressing not just PCI but also other compliance mandates such as the Sarbanes-Oxley Act of 2002 (SOX).
A log management and intelligence (LMI) solution helps companies reduce the labor and cost of PCI compliance by automating these three stages. It collects and securely stores the log data from all devices, servers and applications, and supplies compliance-specific reporting templates that organize that data quickly and accurately to satisfy auditors. Finally, it lets administrators set custom alerts and continuously monitor network activity. Customers that automate their compliance activities on log data typically report a return on investment (ROI) within three months.
By complying with PCI, merchants and service providers not only meet their obligations to the payment system but also build a culture of security and operational effectiveness that benefits everyone. PCI compliance limits risk, builds confidence in the payment industry and safeguards data against payment network fraud. It goes to show that what is good for the bottom line can also be good for the top line.