A Fresh New Start Means a Fresh New Look at your PCI Status
Happy New Year! It’s the time of year where many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use vacation days this year. Website hackers are no different. They make their own resolutions, albeit slightly different ones: attack more, reduce the time it takes to breach a database, take advantage of new attack vectors, and generally, cause more mayhem.
Hackers around the world have stayed hard at work through the holidays and the New Year, though some of the ones working diligently from within an organization to plant viruses and chip away at databases may have taken their kids to Disneyland for a few days. Just like you, they are all back at work with a renewed spirit.
Now that you have settled in after your first week back after the New Year, I’d like to suggest a new resolution to add to your others: take a few hours to review your PCI compliance status. Things change so quickly in the security spectrum, what was secure two weeks ago may be vulnerable today. Your business changes as well. You may accept more credit card payments. Internal groups may have grown or reorganized. You may have been fortunate enough to get a budget to buy another server or firewall.
Here are some ideas to get you started with your own PCI New Year’s resolution.
- Check to see if you are still the same PCI level.
2011 may have been a good year for your business or a not-so-good one. You may have seen an uptick in the number of credit card transactions your organization is processing or a reduction. If your number of credit card transactions has changed, it can affect your level of required PCI compliance. Not doing so can lead to fines and other penalties from the card brands. Again, what matters is the quantity of transactions – not their dollar value.
While you’re at it, look up the SAQ you completed last year so that you know when you submitted it. An SAQ must be submitted every year. Give yourself time to complete a new one before the old one expires.
- Find out where all your cardholder data may be hiding.
You may have submitted a Self-Assessment Questionnaire (SAQ) in 2011 and still feel confident that your cardholder data is centralized in one secure, encrypted database.; however how sure are you that your internal processes have not changed? One small process change could grant your application developers permission to make and store code changes from home. If your developers have this privileged access, cardholder data may indeed be stored outside of your secure database and susceptible to easy access by hackers.
Meet with business owners or managers to review what’s new since the SAQ was submitted; focus on changes in processes, technologies and people. Use a cardholder data discovery tool (perform a search for “cardholder data discovery tool” for several that are available) on corporate systems, shared resources and local machines. Those results may surprise you.
- Review access permissions to cardholder data systems.
During your meetings with business owners or managers, obtain lists of employees that have been hired, fired or have changed their position and compare those names with the current access permissions for systems in the cardholder data environment. Note that these are the systems which process, transmit or store cardholder data. Occasionally, things can move so quickly in small organizations that an employee may change positions from one which requires access to that database storing cardholder data to one which does not, but they still retain that access. Your goal is to verify that every single person or application accessing any cardholder data system has the business need to do so. Anyone or anything else should be removed immediately.
- Verify that documented processes are still being followed.
In order to meet PCI compliance, you had to document policies and procedures for securely configuring and maintaining systems and networking equipment and performing day-to-day operations. This is a critical initiative to ensure that individuals tasked with these responsibilities follow consistent processes to help avoid introducing risk to the cardholder environment. Over time, vigilance with regard to processes can wane and documentation stays untouched. Visit each group responsible for cardholder systems and verify that documented processes are still being carried out and kept updated.
- Ensure that the PCI-required functions are being performed at the required intervals.
Depending on your PCI compliance level, you may need semi-annual firewall and router rule set reviews, quarterly scans for unauthorized wireless access points, retention of anti-virus, network and system logs for 365 days, storage of visitor logs and camera data for 90 days, and so forth. One of the most critical initiatives is the quarterly external vulnerability scan (required to be performed by an Approved Scanning Vendor or “ASV”) of all your external-facing IPs. Perform a check to ensure that the PCI-required functions are still in place so any issues can be caught and resolved before your next PCI assessment.
Visit the ControlScan to learn more about external vulnerability scans.
On behalf of everyone here at ControlScan, I wish you a very happy New Year. If at any point you need assistance with improving the overall security of your cardholder data environment, or need assistance achieving compliance with the PCI DSS, please give us a call: 1-800-825-3301 x 1. We are here to help.