Payment Card Security Toughens with DSS 1.2 Release
- By Jabulani Leffall
The Payment Card Industry Council released an updated version of its PCI data security standard Oct. 1, which is designed to help protect transmitted charge and debit card information.
Opinions are mixed on what the standard, called Payment Card Industry (PCI) DSS 1.2, will mean for security pros going forward. However, the mandate is clear: protect data.
The standard calls for enterprises to build and maintain secure networks, protect stored cardholder data, and encrypt its transmission. In addition, PCI DSS 1.2 spells out a comprehensive vulnerability management program. Steps under the program include access control testing, system monitoring and the implementation of documented enterprise-wide security policies.
The new standards arrive as the IT compliance community contemplates several high-profile data theft cases. In reaction, a two-front enterprise information security strategy has been proposed. Such a strategy involves shoring up IT access controls and locking down data from the inside, as well as strengthening defensive measures so that hackers can't get into the network.
Experts say that a beefed-up security and monitoring program can be folded into audit programs to meet both PCI compliance requirements and Sarbanes-Oxley Section 404 guidelines for general computer controls and application security.
"The intent of PCI DSS 1.2 is to clarify and streamline the existing requirements and provide some flexibility in terms of interpretation of the standards," said Sumedh Thakar, PCI solutions manager at Qualys Inc. "PCI DSS 1.2 does affect some merchants more than others due to the changes involving Wi-Fi, the increased level of documentation requirements and having employees interacting with cardholder data re-accept the policy annually."
Thakar added that the release of the updated standard allows for some streamlining in the compliance process. For instance, some relief is provided to merchants in terms of easing the review requirements around firewall rule audits and risk-based patching of applications.
High Threat Level
Recent thefts at TJX, Hannaford Bros., Countrywide and Citibank come at a time when sentiment toward improving such data loss and prevention programs is at a high.
According to a report released in August by the Information Systems Audit and Control Association (ISACA), securing critical data, specifically personally identifiable information of clients and customers (PII), is "a top concern" facing business and technology executives this year. ISACA, known for overseeing CobIT (Control Objectives for IT framework), has surveyed more than 3,173 IT pros in some 95 countries.
"The cost of losing or compromising the integrity of mission-critical data and in particular personally identifiable is also leading to a renewed focus on information security," said Greg Grocholski, chair of ISACA's Assurance Committee and senior finance director at Dow Chemical. "The survey shows that 81 percent of the 1,600 respondents who named information security management as a number 3 concern said that security risks are not fully known or are only partially assessed using technology."
Grocholski said IT pros, CIOs and other C-level managers need to realize that tough economic times can significantly increase insider threats. Bad economics can also create an environment where low morale fosters an apathetic approach to securing IT systems.
Threats Come From Outside and Inside
One case in particular underscores the need to protect sensitive data through internal enterprise risk-management programs. In early August, the U.S. Department of Justice indicted 11 hackers who allegedly broke into myriad processing environments and stole the computer records of as many as nine major retail companies. The alleged perpetrators had access to 40 million credit and debit card numbers.
The indictment said that this group had two main goals: exploit vulnerabilities in wireless computer networks used at retail store locations and take advantage of holes in enterprise software used by businesses to manage large databases.
"What this spate of data thefts has shown us is that businesses need to move from a trust-based system of data ownership and checks and balances to a more process-based system that is impartial and followed to the letter of the internal policy," said Ellen Libenson, vice president of Symark International, a security software and business risks consultancy based in Los Angeles.
Still, the majority of such data breaches are done from within. Outside parties collude with workers inside the company, or disgruntled insiders do the damage from their desks.
An ID Analytics study released in mid-August found that 60 percent of such attacks are initiated from within companies. The study, "Analyses of Internal Data Theft," examined data going back to 2007. ID Analytics cited more than a dozen incidents of internal data theft, involving more than five million identities.
The early August arrest of staffers at Countrywide Home Loan illustrates the prevalence of these attacks. In that case, two men were arrested for alleged theft and subsequent sale of mortgage customer data. A policy breakdown allowed data to be copied to a flash drive, according to the FBI arrest report.
Symark's Libenson said that it's time for internal auditors and IT administrative personnel to move beyond the checklist mentality when it comes to access control and IT security monitoring at enterprises.
"It's with events like these that it's easy to hurry up and strengthen compliance aims to cover all bases," she said. "But what you find out is that checklists don't usually create a sound access control environment of stopping insiders and outsiders from either stealing or manipulating data. Overall compliance and enterprise IT risk staffers need to graduate from the thinking that security is a year-end or project-based process because it's an ongoing thing."
Finding and Binding Data
Different methods were used to gain entry in these cases, but a unifying theme seems prevalent. Namely, companies often don't know where all of their data is housed and how to consolidate it to protect it, said Katie Curtin-Mestre, director of RSA Security Inc., the data and loss prevention arm of EMC Corp.
"Finding and consolidating relevant and related data so that you can then bind it is not always an easy proposition," she said. "You might have one set of information stored on Oracle, while others are on Microsoft SharePoint or in an Outlook file. The first step in any risk assessment is to know what you're protecting, but, more importantly, where what you're protecting is housed and how it is secured."
Experts say that depending on the specific strategic market, business goals or data structure of a given business, companies should look at deploying a combination of firewall protection, data encryption and automated access monitoring technologies. Manual oversight of all of these processes is important as well--all of which can be listed on a risk matrix and/or controls testing workpapers for periodic monitoring.
To protect against such attacks, compliance pros suggest configurable access controls, such as one-way password hashing, where even a system or network administrator can't see passwords. Another technique is the encryption of critical data fields in database tables containing personal info or the outright obfuscation of data.
Knowing that there is not a 100 percent guaranteed "silver-bullet" for network security means that companies must maintain constant vigilance, said Jeff Debrosse, research director at ESET. Both physical and network configuration security need to be watched.
"A 'set it and forget it' attitude in the security world sets false expectations of ongoing security," Debrosse said. "People tend to go for the path of least resistance. If their network is unique in its design, and there is a new method of accessing that data, and that method is not covered by the checklist, it might be glossed over and compliance would still be achieved."
In this vein, periodic wide-scope general physical and IT security testing as well as application level integrity audits should be implemented whether it's compliance season or not, observers contend.
"Organizations need to implement both data protection policy and enforcement," said Don Leatham, director of strategy at the Scottsdale, Ariz.-based security software consultancy Lumension Security. "One [measure] is insufficient."
Leatham emphasized the organizational perils of just having half-measures in place.
"Blind enforcement, without a well-thought-out policy, can lead to decreases in productivity and outright rebellion against IT controls. Policy without enforcement does little to deter the well-motivated insider and at the same time can make outside entry that much easier as we've seen."
|PCI DSS 1.2: A Primer |
Security experts contend that all businesses that depend on payment card transactions should be aware that PCI DSS 1.2 now requires them to:
- Provide guidance around scope of PCI DSS and elaborate on segmentation of Card Holder Data Environment.
- Clarify requirements around use of wireless technology; provide sunset date for use of WEP.
- Provide clarification around requirements for Web application security to remove references to source code review and add use of automated assessment tools.
- Make sure that employees who interact with cardholder data review and accept security policy annually.
- Ensure that risk-mitigating controls are reviewed and validated by a qualified assessor annually.
- Provide flexibility for incorporation of evolving technologies and threats.
- Announce Quality Assurance program for assessors.