Payment Card Industry Data Security Standards impact all types of enterprises and can create risk beyond retail operations.


The PCI Security Standards Council released its latest version, 1.2, in October. According to the previews, the clarifications will offer improved flexibility to address today’s security challenges. However, this version will not contain any new, major requirements to the current twelve requirements. According to Bob Russo, general manager of the PCI Security Standards Council, “Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices.”

   
Get all details on the changes at:
www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf.

   
New wireless network requirements seem to be a focus of the 1.2 revisions and it makes sense why – remember the TJX breach? Who can forget when 40 million credit and debit card numbers were stolen? The Department of Justice has stated that eleven individuals were charged and the indictment alleges that during the course of the sophisticated conspiracy, they obtained the credit and debit card numbers by “wardriving” and hacking into the wireless computer networks of major retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, The Sports Authority, Forever 21 and DSW.



Tighter Standards

Once inside the networks, the perpetrators installed “sniffer” programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks.

   
The PCI Security Council is tightening the ubiquitous airwaves. For instance, Requirement 2 states: Do not use vendor-supplied defaults for system passwords and other security parameters. This:

  • Clarifies that the requirement applies to wireless environments “attached to cardholder environment or transmitting cardholder data”
  • Removes references to Wired Equivalency Privacy (WEP) in order to emphasize using strong encryption technologies for wireless networks, for both authentication and encryption
  • Removes requirement to disable Service Set Identifier (SSID) broadcast since disabling SSID broadcast does not prevent a malicious user from determining the SSID, as the SSID is broadcast over numerous other messaging/communication channels.

The requirement seems simple enough after all, even home-based wireless network users activate Wi-Fi Protected Access (WPA) and change default passwords. But when you take into account the fact that these Level 1 and Level 2 merchants have hundreds and sometimes thousands of store locations, human error caused by repetition or boredom can cause a configuration slip. Automating the process of maintaining configurations, password rotation and Access Control Lists (ACLs) can greatly help reduce fatigue and lockdown wireless routers.

   
ACLs provide added security to the network. An ACL filters the network traffic by controlling the routed packets that pass through the router interface. The router acts as a firewall to help determine what packets can be passed through or dropped, depending on the access rules or the criteria specified.

   
And, as for password rotation, automation makes password changing and management a bit easier. With the help of automation, IT and physical security professionals can assign resources to users based on business roles and policies, all necessary approval workflows are automated, which helps improve security. Automation also makes it easier to manage users’ access needs instead of having to rely on a network administrator – roles change and access rights are updated automatically. Here again, the benefits of automating IT change and configurations transfers from one version of PCI requirements to the next without having to make another investment.

   
Automation also assists with enhancements to Requirement 8: Assign a unique ID to each person with computer access. This:

  • Clarifies that testing procedures must verify that passwords are unreadable in storage and transmission.
  • Clarifies user authentication by allowing both passwords and passphrases, and by combining previous bullets under “two-factor authentication” and providing examples.

Aside from the wireless requirements, the PCI Security Council is also focusing on secure systems and applications as well as monitoring access to network resources. Requirement 6.6 is now mandatory. All public-facing Web applications are subject to either reviews of applications via manual or automated vulnerability assessment tools or methods; or installing an application-layer firewall in front of public-facing web applications.

   
Requirement 10: Track and monitor all access to network resources and cardholder data:

  • Clarifies that logs for external facing technologies (for example, for wireless, firewalls, DNS and mail) must be copied to an internal log server.
  • Provides flexibility and clarifies that three months of audit trail history must be “immediately available for analysis” or quickly accessible (online, archived or restorable from backup).

Again, automating the procedures of change and configuration management applicable to Requirements 6.6 and 10 will provide a valuable asset – but only if it can be scaled across the entire IT infrastructure. Just focusing on network devices, routers or servers will not be sufficient. Holes will still be left in applications and now, virtual devices. The only plausible solution would be to normalize all changes and all configurations via one solution – cutting across IT silos and building in-depth reports for internal use as well as for auditors.

   
In conclusion, automating the process of administrating and tracking all IT changes and configurations helps “future-proof” processes against new revisions to existing PCI requirements. This approach also shores-up the entire IT infrastructure and lays a solid foundation that scales across Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act and other mandates as well.