Mandated by Visa USA in June 2001, the Cardholder Information Security Program (CISP) is a set of security standards aimed at protecting cardholder data wherever it resides, so that members, merchants and service providers all maintain a high standard of information security. In 2004, through a collaboration between Visa and MasterCard, the CISP requirements were incorporated into the Payment Card Industry Data Security Standard (PCI DSS), a single industry standard accepted internationally by all the major card brands. The standard itself is now maintained by the PCI Security Standards Council, founded by the card brands in 2006; Visa continues to run its own compliance programme (still called CISP in the US) against it.
The consequences of non-compliance can be severe. The card brands can fine a non-compliant organisation as much as £500,000 per incident of data theft, and that figure excludes civil damages, the loss of reputation and, in some cases, criminal liability for the officers responsible. PCI DSS also requires merchants to share cardholder data only with third-party service providers that themselves adhere to the standard. Although it is obvious that PCI DSS applies to retailers and ecommerce sites, it in fact applies to every organisation that accepts card payments for products or services, from a doctor's surgery to a university's bursar.
PCI DSS mandates 12 requirements an organisation must satisfy to be considered compliant, including 'Install and maintain a firewall configuration to protect cardholder data', 'Protect stored cardholder data' and 'Track and monitor all access to network resources and cardholder data'. However, it is a fallacy that an enterprise which 'ticks all the boxes' is thereby protected from attack. PCI compliant organisations can, and do, get breached. Compliance is assessed at a point in time, whereas the environment it describes is not static: configurations change, new systems are connected to the cardholder data environment and new vulnerabilities are disclosed, so an organisation that was compliant at its last assessment may not be compliant today.
It is therefore crucial to monitor for compliance in a manner as close to real time as possible to ensure the organisation does not drift out of compliance over time. The greater the gap between monitoring cycles, the more likely it is for compliance violations to occur undetected.
Accordingly, since 30 June 2012 PCI DSS (version 2.0, Requirement 11.2) has required organisations to provide evidence of quarterly internal vulnerability scans, as well as both internal and external scans after any significant network change. From the same date Requirement 6.2, previously a best practice, requires a risk ranking to be assigned to every vulnerability discovered, and organisations must show that all vulnerabilities ranked 'high' are resolved and the affected systems rescanned.
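As an added illustration of the two points above (detecting drift before the next monitoring cycle, and tracking quarterly scans and 'high' risk remediation), the following Python script is not from the original article. It assumes scan results have already been exported from whatever scanner is in use into simple records with a date, a scope and CVSS-scored findings; the sample records are constructed, the 90-day reading of "quarterly" and the CVSS 7.0 threshold for 'high' are both assumptions (PCI DSS leaves the ranking criteria to the organisation), and the function names are the author's own.

```python
"""Compliance-drift check over exported vulnerability scan records.

Not part of the article: a hypothetical example. Records are assumed to be
dicts with keys scope ("internal"/"external"), date, and findings, where
each finding carries a CVSS base score and an optional resolution date.
"""
from datetime import date, timedelta

QUARTER = timedelta(days=90)   # "at least quarterly" read as 90 days (assumption)
HIGH_CVSS = 7.0                # organisation-defined 'high' threshold (assumption)

# Constructed sample data, not output from a real scanner.
SCANS = [
    {"scope": "internal", "date": date(2012, 1, 10), "findings": [
        {"id": "F-1", "host": "10.0.1.5", "cvss": 9.3, "resolved": date(2012, 1, 20)},
        {"id": "F-2", "host": "10.0.1.7", "cvss": 5.0, "resolved": None},
    ]},
    {"scope": "internal", "date": date(2012, 4, 5), "findings": [
        {"id": "F-3", "host": "10.0.1.9", "cvss": 7.5, "resolved": None},
    ]},
    # Only one external scan, in February: by the end of June it is overdue.
    {"scope": "external", "date": date(2012, 2, 1), "findings": []},
]


def risk_rank(cvss):
    """Assign the organisation-defined risk ranking (PCI DSS Req. 6.2) from CVSS."""
    if cvss >= HIGH_CVSS:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def cadence_gaps(scans, scope, today):
    """Days between consecutive scans of one scope, plus the gap from the
    latest scan to today. The trailing gap is what catches drift early: an
    overdue scan is flagged as soon as 90 days pass, not at the next audit."""
    dates = sorted(s["date"] for s in scans if s["scope"] == scope)
    if not dates:
        return []
    points = dates + [today]
    return [(later - earlier).days for earlier, later in zip(points, points[1:])]


def unresolved_high(scans):
    """IDs of findings ranked 'high' with no recorded resolution."""
    return [f["id"]
            for s in scans for f in s["findings"]
            if risk_rank(f["cvss"]) == "high" and f["resolved"] is None]


def compliance_report(scans, today):
    """Summarise scan cadence and open 'high' findings as of `today`."""
    report = {"overdue_scopes": [], "unresolved_high": unresolved_high(scans)}
    for scope in ("internal", "external"):
        gaps = cadence_gaps(scans, scope, today)
        if not gaps or max(gaps) > QUARTER.days:
            report["overdue_scopes"].append(scope)
    report["compliant"] = not report["overdue_scopes"] and not report["unresolved_high"]
    return report


if __name__ == "__main__":
    for scope, label in sorted(compliance_report(SCANS, date(2012, 6, 30)).items()):
        print(f"{scope}: {label}")
```

Run daily against the latest export rather than once a quarter: the report will name the overdue scope and the open 'high' findings on the day they become a problem, which is exactly the gap between monitoring cycles the article warns about.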
Enterprises therefore need to evolve their own standards and audit requirements so that compliance is monitored continuously rather than at assessment time. A unified security monitoring approach that combines active vulnerability scanning, passive network monitoring and a log correlation engine lets an enterprise correlate the vulnerabilities it finds with the threats and events it observes, which shortens response time and makes its security controls measurably more effective. Watching traffic in motion, in real time, also means that anomalies and newly exposed 'high' risk vulnerabilities are noticed as they appear rather than at the next quarterly scan.
Compliance thereby becomes a by-product of good vulnerability management combined with a strong configuration and event management strategy.
By adopting a unified security monitoring approach to PCI compliance, enterprises can go beyond box ticking, meet the higher bar PCI DSS now sets, and stay ahead of the attackers rather than merely ahead of the auditors.