The PCI standard holds all businesses that process credit card transactions to a minimum security standard for protecting cardholder data. PCI requires companies to comply with 12 guidelines for protecting and storing data, encrypting data, maintaining security protocols for data access, and establishing strict information security policies. PCI compliant organizations need to assign a unique ID number to every employee who has access to credit card data, and each company must track data access patterns for every employee. It is evident that the PCI standard recognizes that most of the breaches of information security come from the inside, and its requirements address this issue directly, posing a significant challenge for most IT organizations.
The ubiquity of data networks driven by the vast efficiencies in communication and information sharing has given rise to established best practices for external network security. Most network security technologies have been designed for the perimeter, which is an organizationís first line of defense against malicious intrusion while ensuring the safe exchange of data with customers and partners. For the most part, the internal network has been underestimated as an entry point for theft or attack. New approaches to network security must be adopted to eliminate the vulnerability of the internal network.
A new category of holistic network security technology has emerged that blends traditional network security tools that protect the perimeter of the network with network performance technology. The confluence of network security and network performance creates a secure sphere of vigilance from the core of the network to its edge, enabling IT managers to watch for internal breaches of established security protocols at the same time they are monitoring for external infiltration.
PCI compliance requires a shift of attention to the interior of the network. It requires that network security managers know the established network conversation patterns of every employee, who has access to which servers, what data must be encrypted, and how to restrict access to the most sensitive data stores. PCI requires a new breed of security technology that can ensure the same level of security for internal operations as for the perimeter.
The ideal solution would be able to track routine network usage by every employee, identify when and how critical servers are being accessed, harden and segment networks to proactively prevent unauthorized access to confidential information, and prevent attacks from compromising legitimate access to critical information. This new network security solution should perform the following functions to address PCI compliance: