PCI Data Security Standard Calls for Next-Generation Network Security
by Rob Pollard - Arbor Networks - Wednesday, 13 December 2006.
The use of credit cards for virtually all of our financial transactions has grown rapidly with the adoption of e-commerce throughout the worldwide economy. With the increased use of credit cards comes an increased risk of fraud through theft and misuse of cardholder data. Stolen card data now has a monetary value on the street, and determined thieves have capitalized on failures to protect the networks of businesses that process card transactions. The need to secure card transaction data at every level of a business has never been greater, and a set of security and privacy requirements known as the Payment Card Industry (PCI) Data Security Standard has created a compliance challenge for every company that accepts credit cards.

The PCI standard holds every business that processes credit card transactions to a minimum security baseline for protecting cardholder data. It consists of 12 requirements covering the protection and storage of data, encryption of data in transit, controls on who may access data, and the maintenance of a formal information security policy. A PCI compliant organization must assign a unique ID to each person with computer access to cardholder data, and must be able to track data access for each of those users. These requirements reflect the standard's recognition that a significant share of breaches originates from inside the organization, and they pose a real challenge for most IT organizations.

The ubiquity of data networks, driven by the efficiencies they bring to communication and information sharing, has given rise to established best practices for external network security. Most network security technologies have been designed for the perimeter, which is an organization's first line of defense against malicious intrusion and the point at which data is exchanged with customers and partners. For the most part, the internal network has been underestimated as an entry point for theft or attack. New approaches to network security are needed to close this gap in the internal network.

A new category of network security technology has emerged that blends the traditional tools protecting the network perimeter with network performance monitoring. Combining the two gives continuous visibility from the core of the network to its edge, so that IT managers can watch for internal violations of established security policy at the same time as they monitor for external infiltration.

PCI compliance requires a shift of attention to the interior of the network. Network security managers must know the established network conversation patterns of every employee, who has access to which servers, which data must be encrypted, and how to restrict access to the most sensitive data stores. Meeting the standard calls for security technology that can provide the same level of assurance for internal operations as for the perimeter.
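One concrete form of the "established conversation patterns" check described above is to learn, per source host, which servers and services it normally talks to, then flag any conversation outside that baseline, escalating when the new destination is a cardholder-data server. The following is an added example written for this page, not code from the article or from Arbor Networks; the flow records, the learning-window cutoff and the cardholder-data server addresses are all constructed for illustration.

```python
"""Baseline-and-deviation check over flow records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records in a simple whitespace format:
#   timestamp src_ip dst_ip dst_port proto bytes
# Loosely modelled on NetFlow v5 fields; these are not real captures.
# The first six lines fall in the learning window, the last four after it.
SAMPLE_FLOWS = """\
2006-12-01T09:00:00 10.10.1.15 10.10.5.20 443 tcp 1500
2006-12-01T09:05:00 10.10.1.15 10.10.2.10 25 tcp 800
2006-12-01T09:10:00 10.10.1.33 10.10.2.10 25 tcp 700
2006-12-01T09:12:00 10.10.1.33 10.10.3.5 80 tcp 12000
2006-12-02T10:00:00 10.10.1.15 10.10.5.20 443 tcp 1600
2006-12-02T10:30:00 10.10.1.33 10.10.2.10 25 tcp 650
2006-12-04T09:01:00 10.10.1.15 10.10.5.20 443 tcp 1400
2006-12-04T11:20:00 10.10.1.33 10.10.5.20 443 tcp 2100
2006-12-04T11:25:00 10.10.1.33 10.10.5.21 3306 tcp 90000
2006-12-04T12:00:00 10.10.1.15 10.10.3.5 80 tcp 500
"""

# Assumed values: flows before this instant are trusted as "normal",
# and these two addresses are the hosts holding cardholder data.
LEARN_UNTIL = datetime(2006, 12, 3)
CDE_SERVERS = {"10.10.5.20", "10.10.5.21"}


def parse_flows(text):
    """Parse the whitespace flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return flows


def build_baseline(flows, learn_until):
    """Per-source set of (dst, dport, proto) tuples observed before learn_until."""
    baseline = defaultdict(set)
    for f in flows:
        if f["ts"] < learn_until:
            baseline[f["src"]].add((f["dst"], f["dport"], f["proto"]))
    return baseline


def find_deviations(flows, baseline, learn_until, cde_servers):
    """Flag conversations after learn_until that the source never had in the baseline.

    A source absent from the baseline entirely (a new host) has every
    conversation flagged. Destinations in cde_servers are rated high.
    """
    alerts = []
    seen = set()  # report each new (src, dst, port, proto) tuple once
    for f in flows:
        if f["ts"] < learn_until:
            continue
        key = (f["src"], f["dst"], f["dport"], f["proto"])
        if key[1:] in baseline.get(f["src"], set()) or key in seen:
            continue
        seen.add(key)
        alerts.append({
            "ts": f["ts"].isoformat(),
            "src": f["src"], "dst": f["dst"],
            "dport": f["dport"], "proto": f["proto"],
            "severity": "high" if f["dst"] in cde_servers else "low",
        })
    return alerts


def run_demo():
    """Learn the baseline from the sample data and return the resulting alerts."""
    flows = parse_flows(SAMPLE_FLOWS)
    baseline = build_baseline(flows, LEARN_UNTIL)
    return find_deviations(flows, baseline, LEARN_UNTIL, CDE_SERVERS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['severity']:4} {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
```

The check is deliberately per-host rather than global: the payment clerk's workstation at 10.10.1.15 talking to the cardholder-data web server is normal and produces nothing, while the same destination contacted from 10.10.1.33, which never did so during the learning window, is a high-severity event. A real deployment would need an explicit policy for what counts as a trustworthy learning window, since any unauthorized access that happens during it is silently baselined as normal.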

The ideal solution would track routine network usage by every employee, identify when and how critical servers are being accessed, harden and segment the network to prevent unauthorized access to confidential information before it happens, and stop attacks from compromising legitimate access to critical systems. Such a network security solution should perform the following functions to address PCI compliance:
