Security as a Checklist? Think Again.
The concept of summarizing Payment Card Industry (PCI) requirements into a simple checklist is a welcome one, especially for merchants without a dedicated security team and budget. These are usually merchants with less than one million in annual transactions and who only recently have been informed by their acquiring banks that they are required to submit their self assessment questionnaire (SAQ), attestation of compliance (AoC), and perhaps their quarterly scans. These organizations are typically labeled as Level 3 or 4 Merchants.
At first inclination, the SAQ offers a welcome concept; a checklist of security controls requiring a simple "yes", "no", or "n/a" answer. It can't be that hard to fill out a simple questionnaire about what your company does for security, right? The topics seem fairly straightforward. Such topics include which individuals have access to your cardholder data. Can anyone get to it who shouldn't? And is your firewall configured correctly so that only authorized traffic can be directed to and from your company and your acquiring bank?
So why make things harder than they appear to be? Why take the path less traveled?
The answer is simple: Hackers are used to companies not taking the path less worn and therefore have learned successful methods of breaking into your company, stealing your cardholder data, covering their tracks, selling the data in an online marketplace, and subsequently ruining your customer relationships, reputation, and brand name recognition. Everything your company spent so much time, energy, and money building can be gone between the time you went to bed and then woke up in the morning. In fact, the 2011 Data Breach Investigations Report states that 86% of breaches were discovered by a third party1, so chances are you won’t know about it until months later when a customer reports the theft of their credit card or identity to their credit card issuer and that path less traveled leads back to your company.
Safeguarding your customers' cardholder data (and any other personal identifiable information for that matter) from both internal and external unauthorized individuals with malicious intent is an on-going battle. As the sophistication of attackers grows, the relative security of your customer data lessens. The 2011 Data Breach Investigations Report states the finding that 92% of attacks discovered in 2010 were not highly difficult and there was a virtual explosion of breaches in 2010 of smaller organizations. Attackers are moving on to easier prey. Security has become a moving target, with the attackers leading the way and discovering new methods of relentlessly penetrating organizations.
Can a security checklist be enough to help you achieve the sufficient security practices and controls to protect your customer data? A checklist captures the practices and controls of the right now -- the moment. In other words, a checklist is only as good as the point in time in which it was written to protect against attacks. But while you were marking "yes" in the column for whether your application developers are developing code for your Web application in a secure manner, attackers have already shared new methods for breaking in with their colleagues in online communities.
A security checklist is an excellent start; however it is a point-in-time evaluation of the strength of your cardholder environment and the policies associated with it. It is only as good as the period of time in which it was completed. An effective program which helps safeguard the privacy of your customer data needs to attempt to keep up with the moving target, which is security.
Things change in your environment. Consider the following common scenarios:
- Your CEO has decided she would like to have wireless network connectivity deployed in the office to make meetings more productive. Wireless is a great tool for aiding in employee communications and productivity, but is the CEO aware of the costs involved with protecting the company from breaches? A misconfigured wireless network is an easy access route for attackers. Recall the TJX breach where 45.6 million credit and debit card numbers were stolen2.
- At the time you completed your SAQ, permission was only granted to those who needed to access certain sensitive systems (those which process, transmit, and/or store sensitive data, including PCI data). What has happened since then when Mary Smith, a user with such privileged access, was moved from Technical Support into Customer Support where she no longer needs it? And was access removed completely for John Brown, a system administrator, when he left the company?
- Your company now employs teleworkers (employees who work from home) who need to access the order management system which also processes credit card payments. How is their identity authenticated when they are connecting from home, so you can be sure that it’s not their brother-in-law visiting from Florida gaining the access? Another area of concern is whether they can write down credit card numbers or print out customer private identifiable information. Do they have access to a shredder? Or, taking a step back, should it even be allowed for them to write down or print out this information?
- Your company has outsourced the development of a new Web application to make it easier for customers to purchase from your company. In addition, customers will now have the option of choosing to store their credit card information for repeat purchases.
- How is this outsourced vendor developing the website? Do they follow secure coding practices which help protect against opportunities for online attackers to easily access your company’s network? Has the website and its code been assessed for gaps or issues before being put into production?
- Vendors release patches for their systems regularly to help protect against discovered vulnerabilities and it is usually up to the company to apply them. Are you current on the latest patches on your cardholder systems? If not, attackers can easily use them as an easy way to gain access to your internal network.
Security, just like everything else, changes. Over the next several months, ControlScan will be updating this space regularly, advising you on best security practices which will lead to achieving and maintaining compliance with the PCI DSS requirements, putting the horse before the cart. If you need expert guidance before then, we stand ready to help. Please contact us at 1-800-825-3301 x 1.
1 2011 Data Breach Investigations Report, A study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit
2 TJX data breach: At 45.6M card numbers, it's the biggest ever. Click here to read full article at ComputerWorld.com