
PCI DSS Under Fire

Following the recent security breach at Target, which affected 40 million customers, ISC2 raised the question of whether PCI DSS is still current and still adequately protects cardholder data.

I strongly believe that it does protect cardholder data, if it’s enforced properly throughout the year.

Unfortunately, some people still think that PCI DSS is a silver bullet that solves all security issues without any additional effort. A week-long assessment, some co-signed paperwork, and every aspect of security is considered solved for the next 12 months. That is how some companies still operate, and that is why they get breached.

So, please consider the following points to improve your security and minimize the chances of your company being breached:

1. Any skilled IT sysadmin can fool a QSA during an assessment. Systems and servers can be hidden, and configuration settings can be tweaked for the duration of the assessment, purely to satisfy the QSA, and then quietly put back afterwards.

2. A PCI DSS assessment proves nothing except that, based on the evidence collected, the company was believed to be compliant during the timeframe of the assessment. That's it!

3. Use PCI DSS as a framework for deploying software and hardware that your staff actually use to spot abnormalities, rather than just to satisfy QSAs. Examples: log aggregation, file integrity monitoring, intrusion detection systems. These are detective controls, and they only detect something if the baselines are maintained and somebody reviews the alerts; a file integrity monitor whose baseline is silently refreshed, or a log platform nobody reads, ticks the box and catches nothing.

4. Educate your employees and make sure they understand the importance of PCI DSS and its requirements. I see a lot of frustrated people who do things mechanically, just to produce the evidence required for the annual audit.

5. Don't skip requirements. Deploy all mandatory hardware and software. Defense in depth and layered security are the two ideas that will actually save your company.

6. Always remember: PCI DSS is a bare minimum. Do more! Act faster!
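To make point 3 concrete, here is a small file integrity monitor written for this article as an added example; it is not code from the original post or from any product the author mentions. It baselines a directory tree (hash, permission bits and size of every file), stores the baseline as JSON, and reports what was added, removed or changed since. The directory layout, file names and contents in `demo()` are constructed for the demonstration: a hardened `sshd_config` is baselined straight after the audit, then root login is re-enabled, a stray key file appears and the logging config disappears, which is exactly the kind of post-assessment drift described in point 1.

```python
"""File integrity monitoring as a detective control (added example, not from the
original post).  Baselines a directory, persists the baseline as JSON, and reports
files added, removed or changed since.  The sample tree in demo() is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root to its hash, permission bits and size.
    Recording the mode means a chmod shows up even if the content is unchanged."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline; in production this store must be write-protected,
    otherwise whoever tweaks the host can simply re-baseline it."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; a changed hash, mode or size all count as 'modified'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Baseline a hardened config tree, then apply the kind of changes an
    assessment-only hardening job leaves behind, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cde"          # stands in for an in-scope host (constructed)
        etc = root / "etc"
        etc.mkdir(parents=True)
        (etc / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "app.conf").write_text("log_level=info\n")

        store = Path(tmp) / "baseline.json"     # kept outside the monitored tree
        save_baseline(build_baseline(root), store)   # taken right after the audit

        # Later: root login re-enabled, a stray key dropped in, logging config removed
        (etc / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "debug.key").write_bytes(b"constructed-sample-key-material")
        (etc / "app.conf").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `etc/sshd_config` as modified, `etc/debug.key` as added and `etc/app.conf` as removed. The value of the control lies entirely in what happens next: the baseline has to be taken from the hardened state, kept somewhere the sysadmin being monitored cannot rewrite, and every reported change has to be reviewed and either approved or rolled back. Accepting the diff as the new baseline without that review is how a real FIM product ends up satisfying the QSA while detecting nothing.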

Jake Eliasz

Jake is a Chartered Lead Security Consultant with over 15 years' experience in information technology. He has performed many consultative engagements for the retail, banking and government sectors in the EMEA region. Jake is currently focused on designing security controls, PCI DSS, PA DSS, ethical hacking and security risk and compliance. Prior to working for NCC Group, Jake worked as a Lead Security Consultant - QSA (Ambersail), Security Specialist (CreditCall) and Security Analyst (Symantec), where he designed, implemented and managed security controls for large, distributed networks. Jake graduated from the University of Plymouth with an MSc in Information Security.
