By Tim Cranny
Panoptic Security Inc.
This installment of our multipart series on the Payment Card Industry (PCI) Data Security Standard (DSS) drills down on the ninth of the PCI's 12 requirements. Herein, I will discuss the issues, what merchants need to do, and what ISOs, merchant level salespeople and other service providers can do to help merchants achieve compliance.
Requirement 9 is "Restrict physical access to cardholder data." It is the third and final part of the PCI section titled "Implement Strong Access Control Measures."
The first part of that section (Requirement 7) sets forth the general high-level principles of access control; Requirement 8 provides technical details about access controls for computers; Requirement 9 contains specifics on the other main area of access control: physical security.
The core idea behind Requirement 9 is simple: your computer systems and records are not safe unless you stop attackers from physically getting their hands on them. This is obviously true for paper records, but most people don't appreciate that it is also very much true for computers.
Too many merchants think breaches are always a long-distance, over-the-Internet thing. In reality, several types of attacks on computers that are almost unstoppable once underway can only be launched when the perpetrator is physically sitting at the computer under attack.
In this situation, expensive and sophisticated security software and devices are less useful than a good deadbolt or burglar alarm. What merchants need to do, and what PCI demands they do, is use the right physical security solutions (locks, alarms and security cameras, for example) in addition to the right software and devices.
Requirement 9 is an example of defense in depth, a core security principle that entails using multiple overlapping security solutions so that if one of them fails or is not activated, others can still protect you.
The good news is few challenges are associated with this requirement. Also, Requirement 9 is easy to understand: unlike most sections of the PCI DSS, the average merchant can read through the list of details and not get confused by technical jargon. Furthermore, it's easy to understand what the problem is, as well as the 'what' and 'why' of situations governed by the requirement.
In Requirement 9, as in other PCI requirements, merchants with more complex or risky environments face a heavier, more complicated documentation and compliance burden.
Merchants might think physical security is the one area where computers and electronic records don't make much of a difference, but that is not true. In reality, merchants with multiple computers and/or electronic records have much to identify and protect. They need to address the physical security of the computers themselves, network jacks, wireless access points and so on.
Physical media (paper documents, CDs, thumb-drives, et cetera) need a surprising amount of attention as well, since merchants must be careful in organizing and classifying these media correctly, as well as in thereafter protecting, tracking, controlling and even destroying sensitive ones, as required.
To comply with Requirement 9, merchants must make sure unauthorized people (including unauthorized staff) can't get their hands on anything sensitive, including POS equipment, computers, paper records, electronic files and so on. The associated tasks can be broken down into the following five general categories:
Paper should be cross-cut shredded, burned or pulped. Hard disks, thumb-drives and so forth should be physically smashed, not just erased through reformatting. (Memory devices are getting cheaper every month, so it isn't expensive to follow such a policy. It can be far more expensive not to do so.)
Requirement 9 is one of the simplest, do-it-yourself parts of PCI compliance, so there are relatively few opportunities for ISOs and other portfolio owners to do much good (or harm, for that matter).
A small percentage of merchants might want assistance finding point solutions like shredders or video cameras, but other parts of PCI DSS compliance will be far more painful and demanding.
So Requirement 9 should be a minor background issue most of the time.
ISOs and other merchant service providers should emphasize to merchants that, although it is simple, Requirement 9 is just as critical as the more complicated parts of PCI, and then spend most of their time helping merchants ensure that their PCI programs can deal with the messier, more demanding aspects.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next