The Green Sheet Online Edition
January 28, 2008 • Issue 08:01:02
Requirement 10: PCI's Everest
Complying with the Payment Card Industry (PCI) Data Security Standard (DSS) is a mandate for all merchants, regardless of acceptance channel and transaction volume. However, some requirements of the PCI DSS are more difficult to comply with than others.
In fact, my investigation of payment card compromises and PCI DSS audits of various merchants demonstrates that requirement 10 - track and monitor all access to network resources and cardholder data - proves especially difficult for the merchants involved.
In my research of 350 card compromise cases, more than half of the merchants involved failed to comply with requirement 10. Also, during initial PCI DSS audits of Trustwave's customers, 70% of them needed to remediate deficiencies within their network environment to comply with the 10th rule.
Follow the basics
Tracking and monitoring all access to network components and cardholder data is no easy feat. For example, the PCI DSS requires that audit trails record the following network events:
- Access of cardholder data by individual user
- Actions taken by users with root or administrative privileges
- Access of audit trails
- Invalid access attempts
- User log-in
- Audit log initialization
- Creation and deletion of system-level objects
The PCI DSS also requires that for each of these events, the following information, at the least, be recorded:
- Date and time
- Success or failure
- Name of affected data, component or resource
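As an added illustration (not code from the article or from Trustwave), the following Python script checks audit records for the event types and minimum fields listed above and then applies two of the daily-review checks the article goes on to describe: repeated failed or invalid access attempts by one user, and administrative actions outside business hours. The log line format, event tags and sample records are constructed for the example.

```python
import re
from datetime import datetime

# Event tags (constructed names) for the seven event types Requirement 10 lists:
# cardholder-data access, admin actions, audit-trail access, invalid access
# attempts, user log-in, audit log initialization, system-object create/delete.
REQUIRED_EVENTS = {"CHD_ACCESS", "ADMIN_ACTION", "AUDIT_ACCESS", "INVALID_ACCESS",
                   "LOGIN", "AUDIT_INIT", "SYSOBJ_CHANGE"}
# Each record must carry the minimum fields: date/time, success or failure,
# and the affected resource; the user field ties the event to an individual.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) "
    r"(?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) resource=(?P<resource>\S+)$")

def parse_line(line):
    """Return a record dict, or None if a required field or event type is missing."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("event") not in REQUIRED_EVENTS:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec

def review(lines, fail_threshold=3):
    """Daily review pass: reject malformed records, flag users with repeated
    failed or invalid access, and flag admin actions outside 9 a.m.-5 p.m."""
    findings = {"events": 0, "malformed": [], "repeated_failures": set(), "off_hours_admin": []}
    failures = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings["malformed"].append(line.strip())
            continue
        findings["events"] += 1
        if rec["event"] == "INVALID_ACCESS" or rec["result"] == "FAILURE":
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
            if failures[rec["user"]] >= fail_threshold:
                findings["repeated_failures"].add(rec["user"])
        if rec["event"] == "ADMIN_ACTION" and not 9 <= rec["ts"].hour < 17:
            findings["off_hours_admin"].append((rec["user"], rec["resource"]))
    return findings

# Constructed sample records; not from any real merchant system.
SAMPLE_LOG = """\
2008-01-28T03:02:11 LOGIN FAILURE user=pos1 resource=posserver
2008-01-28T03:02:19 LOGIN FAILURE user=pos1 resource=posserver
2008-01-28T03:02:27 INVALID_ACCESS FAILURE user=pos1 resource=posserver
2008-01-28T03:04:40 ADMIN_ACTION SUCCESS user=pos1 resource=useradd:newadmin
2008-01-28T10:15:00 CHD_ACCESS SUCCESS user=clerk2 resource=cardholder_db
bad line with no timestamp""".splitlines()
```

Running `review(SAMPLE_LOG)` flags the malformed line, the three failures by `pos1`, and the 3 a.m. account creation, while the daytime cardholder-data access by `clerk2` passes as a properly recorded event.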
Any entity that processes, stores or transmits payment card information must comply with the PCI DSS. Thus the standard's requirements are at the front of many merchants' minds; beyond the standard, though, monitoring and logging are basic tenets of any data security plan.
Bulk up on security
Monitoring and logging network events can strain any organization's resources, but the difference between implementing and not implementing logging measures can determine the severity of a security breach.
Critical files, such as those containing cardholder data or other sensitive information, must be monitored for unauthorized changes. If attackers are able to penetrate a network, they may attempt to add additional user accounts with administrative privileges.
Once attackers have gained administrative privileges, many times they can then access any asset on a network and begin copying sensitive information and sending it off-site.
Regular review of audit logs would alert a merchant or network administrator to foul play. But hackers do not work from 9 a.m. to 5 p.m. It's more likely that an attack on cardholder data will take place at 3 a.m. - the perfect time to target a smaller merchant that doesn't have the resources to maintain a 24/7 security staff. And without continual, real-time monitoring of the logs, an alert may come too late.
Many operating systems provide default software programs that can log this information. However, requirement 10 calls for more than just the recording of events. Merchants must also review firewall, router, wireless access point and authentication server logs at least daily for unauthorized traffic and access attempts.
To complicate matters, depending on the systems running on a merchant's network, each device may perform its own form of logging. Without information technology (IT) staff expertise, it's unlikely these logs would make sense to the average merchant.
Even with in-depth IT knowledge, consolidating logs from multiple devices deployed across an entire network and presenting them in a way conducive to analysis would require a full-time IT employee, if not an entire staff.
The complexity of a merchant's environment also affects the volume of logs that needs monitoring.
Without a centralized process by which event logs can be correlated, it becomes increasingly difficult for merchants to gain insight into what's occurring on their networks. While they may have enabled logging on their network devices, they find themselves buried in log data rather than at a vantage point with actionable information.
Fortunately, a number of information security companies have developed automated solutions to help merchants address the challenges of log tracking and monitoring around the clock. By allowing an outside data security expert to take over the monitoring of logs, a merchant not only saves money, but gains peace of mind.
While merchants may be baffled by the barrage of data streaming from their network devices, an experienced data security company monitoring merchants' logs can provide insight into the security status of their networks, and maintaining in-house staff becomes unnecessary.
To show that you're concerned about your merchants' needs, consider using an information security service, along with your payment solutions. Merchants will know you have their well-being in mind because you will be offering not only secure payment services and technology, but also data security solutions that protect their businesses.
Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.