PCI DSS Under Fire

Following the recent security breach at Target, which affected 40 million customers, ISC2 raised the question of whether PCI DSS is still current and adequately protects cardholder data.

I strongly believe that it does protect cardholder data, if it’s enforced properly throughout the year.

Unfortunately, some people still think that PCI DSS is a silver bullet which solves all security issues without additional effort. A week-long assessment, co-signed paperwork, and all aspects of security are solved for the next 12 months – that’s how some companies still operate, and that’s why they get breached.

So, please consider the following points to improve your security and minimize the chances of your company being breached:

1. Any skilled IT sysadmin can fool a QSA during the assessment: systems and servers can be hidden, and configuration settings can be tweaked, just to satisfy the QSA while the assessment is running.

2. A PCI DSS assessment does not prove anything except the fact that a company is believed to be compliant during the timeframe of the assessment, based on the evidence collected. That’s it!

3. Use PCI DSS as a framework to deploy software and hardware that your staff will actually use to spot abnormalities, rather than just to satisfy QSAs. Examples: log aggregation, file integrity monitoring, an intrusion detection system.

4. Educate your employees and ensure that they understand the importance of PCI DSS and its requirements. I see lots of frustrated people who do things mechanically just to produce the evidence required for the annual audit.

5. Don’t skip requirements. Deploy all mandatory hardware and software. Defense in depth and layered security are the only two terms which can save your company.

6. Always remember: PCI DSS is a bare minimum. Do more! Act faster!
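Points 1 and 3 above are two sides of the same problem: a configuration that is only correct during the assessment window, and file integrity monitoring as the control that catches it drifting afterwards. The following is an added example, not code from the post or from any PCI tooling: it takes a baseline of a directory at "assessment time", then compares the live tree later and reports files that were added, removed, modified, or had their permissions changed. The file names and contents are constructed for the demo.

```python
"""Baseline-driven file integrity check (added example, not from the post)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (sha256_hex, mode_bits)} for every file under root."""
    root = Path(root)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        state[path.relative_to(root).as_posix()] = (digest, mode)
    return state


def compare(baseline, current):
    """Diff two snapshots into change lists keyed by change type."""
    changes = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes["added"].append(rel)
        elif rel not in current:
            changes["removed"].append(rel)
        else:
            old_hash, old_mode = baseline[rel]
            new_hash, new_mode = current[rel]
            if old_hash != new_hash:
                changes["modified"].append(rel)
            if old_mode != new_mode:
                changes["mode_changed"].append(rel)
    return changes


def demo():
    """Constructed scenario: baseline at assessment time, then drift afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "audit.rules").write_text("-w /etc/passwd -p wa\n")
        os.chmod(etc / "audit.rules", 0o640)          # deterministic starting mode
        (etc / "fim_exclusions.txt").write_text("/var/log/\n")
        baseline = snapshot(tmp)
        # Drift after the QSA has left: setting weakened, rules made world-writable,
        # an exclusion list deleted, an unreviewed override file dropped in.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(etc / "audit.rules", 0o666)
        (etc / "fim_exclusions.txt").unlink()
        (etc / "local_override.conf").write_text("# constructed\n")
        return compare(baseline, snapshot(tmp))
```

Run `demo()` once to see the four change categories populated; in practice the baseline is stored off-host and the comparison is scheduled, so a change that is "only for the audit" shows up the moment it is reverted.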
