Happy New Year! It’s the time of year when many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use those vacation days this year. And like you, hackers make their own resolutions: attack more, reduce the time it takes to access a private database, take advantage of new attack vectors, and generally, cause more mayhem.
Hackers around the world have stayed hard at work throughout the holidays. Some may have taken time to be with friends and family but now, just like you, they are back at work with a renewed spirit.
So now that you have settled in following the New Year celebration, I’d like to suggest a resolution to add to your others: Take a renewed interest in your PCI compliance status.
Things change so quickly in the security spectrum; what was secure two weeks ago may be vulnerable today. Your business changes as well. You may accept more credit card payments. Internal groups may have grown or reorganized. You may have been fortunate enough to get a budget to buy another server or firewall.
With that in mind, here are some ideas to get you started with your “PCI” New Year’s resolution:
- Check to see if you are still the same PCI level.
Last year may have been a good year for your business or a not-so-good one. You may have seen an uptick in the number of credit card transactions your organization is processing, or a reduction. If your number of credit card transactions has changed, it can affect your level of required PCI compliance. Failing to validate your business’s compliance according to the correct PCI level can lead to fines and other penalties from the card brands. Note that what matters is the quantity of transactions, not their dollar value.
While you’re at it, look up the Self-Assessment Questionnaire (SAQ) you completed last year so that you know when you submitted it. An SAQ must be submitted every year. Give yourself time to complete a new one before the old one expires.
- Find out where all your cardholder data may be hiding.
You may have submitted an SAQ last year and still feel confident that your cardholder data is centralized in one secure, encrypted database; however, how sure are you that your internal processes have not changed? One small process change could grant your application developers permission to make and store code changes from home. If your developers have this privileged access, cardholder data may indeed be stored outside of your secure database and susceptible to easy access by hackers.
Meet with business owners or managers to review what’s new since the SAQ was submitted; focus on changes in processes, technologies and people. Use a cardholder data discovery tool (perform a search for “cardholder data discovery tool” for several that are available) on corporate systems, shared resources and local machines. The results of these investigations may surprise you.
- Review access permissions to cardholder data systems.
During your meetings with business owners or managers, obtain lists of employees who have been hired, fired or have changed their position and compare those names with the current access permissions for systems in the cardholder data environment. Note that these are the systems which process, transmit or store cardholder data. Occasionally, things can move so quickly in small organizations that an employee may change positions from one which requires access to the database storing cardholder data to one which does not, but still retain that access. Your goal is to verify that every single person or application accessing any cardholder data system has the business need to do so. Anyone or anything else should be removed immediately.
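The reconciliation described above is mechanical enough to script. The example below is added here and is not code from the original post; it assumes you can export an HR roster (user id, current role, employment status) and the account lists of each cardholder data environment system, and it assumes a constructed `CDE_ROLES` set naming the roles that have a business need for access. It flags three kinds of accounts for removal or investigation: terminated users, users whose current role no longer needs access, and accounts that match no one on the roster.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed example: roles with a documented business need for CDE access.
# In practice this comes from your access-control policy, not from code.
CDE_ROLES = {"payments-dba", "payments-app-owner", "billing-ops"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str      # current role after any reorganization
    status: str    # "active" or "terminated"


def review_cde_access(roster: List[Employee],
                      cde_accounts: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare CDE account lists against the roster; return findings keyed by reason.

    Each finding is "system:account" so it can be handed straight to the system owner.
    """
    by_id = {e.user_id: e for e in roster}
    findings: Dict[str, List[str]] = {
        "terminated": [],        # still has an account after leaving
        "no_business_need": [],  # active, but role no longer requires access
        "unknown_account": [],   # no matching person; service account or orphan
    }
    for system, accounts in cde_accounts.items():
        for acct in sorted(accounts):
            emp = by_id.get(acct)
            if emp is None:
                findings["unknown_account"].append(f"{system}:{acct}")
            elif emp.status != "active":
                findings["terminated"].append(f"{system}:{acct}")
            elif emp.role not in CDE_ROLES:
                findings["no_business_need"].append(f"{system}:{acct}")
    return findings


# Constructed sample data: one role change, one termination, one undocumented account.
ROSTER = [
    Employee("alice", "payments-dba", "active"),
    Employee("bob", "marketing", "active"),       # moved out of payments last quarter
    Employee("carol", "billing-ops", "terminated"),
    Employee("dave", "billing-ops", "active"),
]
CDE_ACCOUNTS = {
    "cardholder-db": {"alice", "bob", "carol", "svc-batch"},
    "payment-gateway": {"alice", "dave"},
}

if __name__ == "__main__":
    for reason, accounts in review_cde_access(ROSTER, CDE_ACCOUNTS).items():
        for entry in accounts:
            print(f"{reason}: {entry}")
```

Unknown accounts are not automatically wrong; service accounts are legitimate when they are documented with an owner and a purpose. The point of listing them is that the post’s standard applies to applications as well as people, so an account nobody can explain is removed or justified before the next assessment.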
- Verify that documented processes are still being followed.
In order to achieve PCI compliance, you had to document policies and procedures for securely configuring and maintaining systems and networking equipment and performing day-to-day operations. This is a critical initiative to ensure that individuals tasked with these responsibilities follow consistent processes to help avoid introducing risk to the cardholder environment. Over time, vigilance with regard to processes can wane and documentation stays untouched. Visit each group responsible for cardholder systems and verify that documented processes are still being carried out and kept updated.
- Ensure that PCI-required functions are being performed at the required intervals.
Depending on your PCI compliance level, you may need semi-annual firewall and router rule set reviews; quarterly scans for unauthorized wireless access points; retention of anti-virus, network and system logs for 365 days; storage of visitor logs and camera data for 90 days; and so forth. One of the most critical initiatives is the quarterly external vulnerability scan of all your external-facing IPs, which is required to be performed by an Approved Scanning Vendor (such as ControlScan). Perform a check to ensure that the PCI-required functions are still in place so any issues can be caught and resolved before your next PCI assessment.
On behalf of everyone at ControlScan, I wish you a very happy New Year and much success with all of your resolutions! If at any point you need assistance with improving the overall security of your cardholder data environment, or need assistance achieving compliance with the PCI DSS, please give us a call: 1-800-825-3301, ext. 2. We are here to help.