Change and Configuration Solutions Aid PCI Auditors
by Matt Clark - Network Engineer at Voyence - Monday, 10 March 2008.
This definition has indeed caused some heartburn among merchants, as they refer to these standards as too broad in scope ó or too narrow in some instances ó to actually comply with. In essence, there are 12 requirements and approximately 178 sub requirements to deal with.

Furthermore, organizations are required by credit card companies to comply with all these security requirements or face stiff penalties. Case-in-point: Under the new penalties issued by VISA last year, acquirers will be fined between $5,000 and $25,000 a month for each Level 1 or Level 2 merchant that is not validated PCI compliant by September 30, 2007, and December. 31, 2007, respectively.

However to add a twist, there is also an interesting cavetto to the all-or-nothing approach PCI mandate, found in Appendix B of the PCI Data Security Standard v1.1 requirements called, Compensating Controls. According to PCI Security Councilís Glossary, ďCompensating controls may be considered when an entity cannot meet a requirement as explicitly stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement [3.4] through implementation of other controls.Ē

Requirement 3.4 deals with the Primary Account Number (PAN), or the payment card number that identifies the issuer and the particular cardholder account. The compensating controls may consist of either a device or combination of devices, applications and controls that meet all of the following conditions:
  1. Provide additional segmentation
  2. Provide ability to restrict access to cardholder data based on:
    1. IP/MAC Address
    2. Application Service
    3. User Accounts/Groups
    4. Data Type
  3. Restrict logical access to the database
  4. Prevent/detect common application or database attacks
Given all the routine daily tasks that must be performed by the IT personnel, no wonder itís a seemingly impossible task to interrupt and implement PCI DSS. So it stands to reason why VISA recently reported that only 40% of Level 1 and one-third of Level 2 merchants have validated PCI compliance.

With so much riding on PCI compliance, network managers are increasingly turning to software to automate specific steps in the compliance process. Automation, if done correctly, helps facilitate the planning, management, review and documentation processes as well as assist with creation, implementation and enforcement of a PCI compliant security policy across the entire network infrastructure.

Network change and control helps demonstrate PCI DSS requirements

The PCI Security Council recognizes that network security is not a destination but a process, and that the ability to reliably control the security of the network is dependent upon the establishment of solid change control processes. Network change policies should be clearly documented, easily accessible to users responsible for daily management of the network, and regularly reviewed and approved by management.

Change processes should include validity checks and management approval for all outgoing changes, and change verification and compliance checks after a change has been made. Itís not enough for an auditor to see that a device has been configured correctly, or even that a set of written procedures exists. To verify that an appropriate change control process is in place, the auditor will want to see evidence that the documented process has been followed on a daily basis.

Beyond describing the change control processes that must be in place, PCI also requires the existence of specific network device configurations such as access-lists and strong encryption. Border routers and firewalls should be configured with explicit access-lists allowing communication only across standard ports which serve a valid business purpose.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th