Change and Configuration Solutions Aid PCI Auditors
by Matt Clark - Network Engineer at Voyence - Monday, 10 March 2008.
To the casual observer of the Payment Card Industry (PCI) standard, it might seem that the standard deals exclusively with the servers and point-of-sale terminals that house cardholder data. This is an understandable assumption, given the origin and subject matter of the PCI requirements. However, a careful read of the PCI Data Security Standards (DSS) reveals that almost half of the specifications are aimed at the network infrastructure that transmits the cardholder data.

Managers responsible for IT compliance need to understand that credit card companies hold merchants accountable for not only protecting stored consumer data, but also securing the network transport layer and on-going processes to validate compliance. Due to the never-ending amount of network device change and configurations, it is nearly impossible to determine exactly when a device actually becomes non-complaint. PCI auditors are not only on the lookout for non-compliant devices, but also for a well thought-out security process that is currently implemented, tracked and well documented. This is where an automated change and configuration management system can really assist.

The PCI DSS requirements pertain not just to retailers, but to any credit card accepting organization from university book stores to pay-at-the-pump gas stations. Let’s face it, retail payment systems were not designed with security in mind, they were designed to add convenience to consumers’ shopping experiences. However, hackers have caught on to this oversight and are finding new ways to exploit the weakest network links for their profitability — and they are getting really good at it.

Consider several well-published network data breaches over the last few years:
  • February 15, 2005 - ChoicePoint - ID thieves accessed 145,000 accounts.
  • April 12, 2005 - LexisNexis - 280,000 passwords compromised.
  • April 28, 2005 - Wachovia, Bank of America, PNC Financial Services and Commerce Bancorp saw 676,000 accounts compromised by dishonest insiders.
  • November 2006 - UCLA – 800,000 current and former student Social Security Numbers stolen by computer hacker.
  • July 2005 through January 2007 – TJX – 45.7 million credit and debit card numbers stolen.
  • July 3, 2007 Fidelity National Information Services (Jacksonville, FL) 8.5 Million Records lost due to data breach.
To illustrate the depth of this situation, Privacy Rights Clearinghouse has chronicled data security breaches since January 10, 2005, and has estimated that 167,493,672 records containing personal data have been stolen.

Further underscoring the gravity of the situation, notice the amount of records stolen is rapidly increasing every year. Not only does this equate to bad publicity, but it also lends itself to increasing consumer costs. Hence, the quagmire merchants find themselves in: Do I assume status quo will repel hackers – and PCI auditors or, do I make an investment to help ensure a secure network? In the end, protecting consumer data is less costly than dealing with a security breach and precisely why the PCI Council was formed.

The PCI DSS specifies security requirements across many domains, from documentation and physical security to network encryption and software design, all designed to ensure the safe storage, transmission, and use of sensitive cardholder information.

As defined by the PCI Data Security Standard V1.1, “These security requirements apply to all ‘system components.’ System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that processes cardholder data or sensitive authentication data.”


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th