How to Avoid the Seven Deadly Sins of PCI DSS Failure
May 30, 2014 by Daniel Humphries
If you’re reading this, then you probably already know that PCI DSS stands for the Payment Card Industry Data Security Standard: a set of compliance regulations applying to every business that accepts, processes, stores or transmits credit card data.
PCI compliance regulations (mandated by the Payment Card Security Standards Council) are so detailed that fulfilling them is a challenge for many businesses. A recent study by IT security firm Fortinet revealed that 22 percent of retailers are not PCI compliant, while an additional 14 percent don’t know if they are PCI compliant or not. But fail an audit, and you can lose the right to process credit card transactions: a death blow for any company.
“Basic guides” abound online, but as Fortinet’s stats reveal, many business owners remain confused. So we decided to try something different. We asked PCI DSS experts to tell us where businesses most often fail a PCI audit—and how to avoid those mistakes. Once your business has addressed these fundamental issues, it should be easier to navigate the labyrinth of compliance. So, let’s get started!
The First Deadly Sin: No Network Segmentation
Jeff VanSickel, a compliance expert at IT security firm SystemExperts, argues that while network segmentation may not be an official PCI requirement, failing to do it is nevertheless the biggest cause of audit failure.
To understand why, consider an illustration offered by Tim Sedlack, a senior product manager and compliance expert at Dell. Sedlack suggests that you view storing your customers’ credit card information this way: “Imagine you’ve bought a big building for your business—if you keep your money in the office, you’ll want to put a lock on that door and only give the key to people who need to have access.”
Pretty obvious, yes? And yet, says VanSickel, many businesses don’t do this when it comes to storing payment card data in their systems. Instead of isolating credit card data in its own “office,” companies frequently deploy open, “flat networks,” allowing their sensitive information to mix with their non-sensitive information.
This is a serious error, says VanSickel: “Look at Target—they got hacked because the bad guys got into the network through the HVAC system, and then moved across the flat network to get to the point-of-sale systems.”
Meanwhile, since your flat network effectively grants many people access to the “office” where you keep your money, you will now have to prove to PCI auditors that the entire building is secure. The more of your business that is subject to PCI compliance, the greater the complexity of the task, and the more likely it is that you’ll fail to keep all that data secure.
➔ What should be done?
Network segmentation can be achieved with firewalls and routers, if they are properly configured—which is the job of your IT staff. Sedlack recommends that you take an inventory of what you already own, as you may already have the tools you need. Many security appliances are designed with PCI (or other compliance standards) in mind: “They’ll take you through wizards during the setup to help create a segmented data network.”
The Second Deadly Sin: Inadequate Access Controls
PCI is very clear that you must assign a unique user ID to each person with access to payment card data, which in turn should be restricted on a need-to-know basis. According to Michael Fimin, CEO of change auditing software firm Netwrix, however, this is “one of the most neglected aspects in the retail industry.”
Fimin says companies often create generic sets of IDs and user names that multiple employees have access to, which means that firms are unable to determine who had access to what in the event of cardholder data theft.
In addition, companies often fail to terminate access when employees leave or are moved to another position and no longer need access to confidential data.
“It’s the area of biggest disconnect between human resources (HR) and IT,” says Fimin.
And the result? PCI audit failure.
➔ What should be done?
There’s no getting around it: You must assign a unique ID to every employee with access to confidential customer data. You also need to establish a policy that employees never share these credentials with anyone else—and educate employees about best practices.
But it’s also key that HR alerts your system administrator as soon as an individual leaves the firm or changes his or her role within it.
“HR should be proactive,” says Fimin. “And tell IT to terminate access to people when they no longer need it.”
The Third Deadly Sin: Sloppy Logging and Monitoring
PCI requires businesses to track user activity and implement controls such as collecting system logs daily, in order to investigate and report on any suspicious activity. If you’re a small business, you can get by with scripts and spreadsheets—but the more employees you have, the more time-consuming and difficult this becomes, increasing the likelihood of human error.
“Let’s face it: networks are big,” says VanSickel. “Do you have all the components that you need to be logging and monitoring switched on—that is, across the entire network, from desktop to server to firewall? There are experts in the field who know how to do it, but not a lot of experts who grasp the scope of what you should log and [on] what devices you should have logging turned on.”
➔ What should be done?
You probably already have the audit trail viewing tools you require. For instance, if you are using a Windows server, then you can switch on Event Viewer, a tool that will provide visibility into your system. However, native tools can lack scalability, are sometimes difficult to interpret and may not have the capacity to handle the volume of data.
Sedlack recommends event logging and change reporting software, which is available from several vendors—including Dell, which makes ChangeAuditor for real-time change auditing and Enterprise Reporter for state-based security and configuration reporting.
VanSickel suggests Splunk, a log management and data analysis tool that can be used to aggregate and correlate events, alerting your security staff to suspicious activity on the firewall and potentially unauthorized access on sensitive servers.
Larger businesses with thousands of servers turn to enterprise-level Security Information and Event Management (SIEM) tools that collect every single audit trail from all kinds of systems, and provide business intelligence tools for analysis (Splunk, too, scales up to this level). However, a SIEM system can cost around $100,000 just to install, and after that you would have to hire staff to administer it. So, this is an option for firms with massive IT budgets only.
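The aggregation and correlation described above does not have to start with a SIEM. What follows is an added Python example, not from the article or from any of the vendors it names, that runs two of the checks this section and the previous one call for over a constructed batch of authentication log lines: it flags accounts that successfully log on from several hosts (the shared generic IDs Fimin describes under the second sin) and accounts with six or more failed logons inside 30 minutes. The log format, host names, user names and timestamps are all constructed for the example.

```python
"""Two checks over constructed authentication log lines.

Added example, not from the article; the log format and the events
are constructed. It flags (1) accounts that log on from several hosts,
the shared generic IDs described under the second sin, and (2) six or
more failed logons for one account within 30 minutes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a shared "cashier" account used from three tills,
# a burst of failures against "admin" on the edge firewall, and a
# service account that fails occasionally through the day.
LOG_LINES = """\
2014-05-29T08:02:11 host=pos-01 user=cashier result=success
2014-05-29T08:03:40 host=pos-02 user=cashier result=success
2014-05-29T08:05:02 host=pos-03 user=cashier result=success
2014-05-29T06:00:00 host=backup-01 user=svc_backup result=failure
2014-05-29T09:10:00 host=fw-edge user=admin result=failure
2014-05-29T09:12:00 host=fw-edge user=admin result=failure
2014-05-29T09:14:00 host=fw-edge user=admin result=failure
2014-05-29T09:16:00 host=fw-edge user=admin result=failure
2014-05-29T09:18:00 host=fw-edge user=admin result=failure
2014-05-29T09:20:00 host=fw-edge user=admin result=failure
2014-05-29T10:00:00 host=pos-01 user=jsmith result=success
2014-05-29T11:00:00 host=backup-01 user=svc_backup result=failure
this line is noise the parser must skip
2014-05-29T16:00:00 host=backup-01 user=svc_backup result=failure
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn matching lines into events; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def shared_account_candidates(events: List[dict], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Accounts that successfully logged on from `min_hosts` or more distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            hosts[e["user"]].add(e["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= min_hosts}


def failed_logon_bursts(events: List[dict], threshold: int = 6,
                        window: timedelta = timedelta(minutes=30)) -> Dict[str, str]:
    """Accounts with `threshold` failures inside `window`; the value is when the threshold was crossed."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()                      # input order is not guaranteed to be chronological
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = times[end].isoformat()
                break
    return alerts


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("possible shared accounts:", shared_account_candidates(events))
    print("failed-logon bursts:", failed_logon_bursts(events))
```

Run against the sample, the first check reports the cashier account on three tills and the second reports the admin account at 09:20, the sixth failure; the service account's three failures spread over ten hours stay below the threshold, which is the kind of distinction a daily log review needs to make without a human reading every line.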
The Fourth Deadly Sin: Feeble Firewalls and Rotten Routers
Do you know which doors the public can access in your business, and which ones you keep locked? I’m sure you do. Do you shut the doors and windows of your business at night? Again, I’m sure you do. But what about the “doors and windows” to your network?
PCI mandates not only that you have strong controls over your firewalls and routers, but also mandates precisely how you configure them, to make sure the “doors and windows” are set up in such a way that only the right kind of traffic is able to enter and leave the network.
In addition, PCI requires businesses to review firewall and router rules every six months to confirm that every connection into and out of a network is documented.
And yet, according to VanSickel, many companies “feel they already have strong controls, and don’t feel the need to do that type of review.”
The result? Audit failure.
➔ What should be done?
There’s no shortcut: you have to read the rules and configure your firewalls and routers correctly. And then you must check them every six months.
But, as VanSickel says, it’s for the best. Companies instinctively monitor and try to stop bad people from getting in—but if they do get in, the bad people also need to get the customer information out. Correctly configuring your firewall and routers can make that task much more difficult.
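Both the segmentation point from the first sin and the six-monthly rule review described here become mechanical once the firewall policy is written down as data. The following is an added Python example, not from the article or from any vendor it names; the zone names, rules, dates and the rule format are constructed for illustration. It computes which zones can reach the cardholder data environment, including by pivoting through an intermediate zone (the path the article describes at Target, from an HVAC connection across a flat network to point-of-sale systems), and lists rules that have no documented justification or have not been reviewed within six months.

```python
"""Segmentation and rule-review checks over a constructed firewall ruleset.

Added example, not from the article. Zones, rules, dates and the Rule
shape are all constructed for illustration.
"""
from datetime import date, timedelta
from typing import List, NamedTuple, Set


class Rule(NamedTuple):
    src: str            # source zone
    dst: str            # destination zone
    port: int           # permitted TCP port, 0 meaning any port
    justification: str  # documented business need (empty = undocumented)
    reviewed: date      # date the rule was last reviewed


REVIEW_INTERVAL = timedelta(days=182)   # "every six months"
TODAY = date(2014, 5, 30)               # treated as "now" for the review check

# A flat network: every zone talks to every other zone on any port, and
# almost nobody has written down why.
FLAT_RULES = [
    Rule("HVAC", "CORP", 0, "", date(2013, 1, 15)),
    Rule("CORP", "HVAC", 0, "", date(2013, 1, 15)),
    Rule("CORP", "CDE", 0, "everyone needs the POS servers", date(2013, 1, 15)),
    Rule("CDE", "CORP", 0, "", date(2013, 1, 15)),
]

# A segmented network: the cardholder data environment (CDE) is reachable
# only from an administrative jump host, on one port, with a stated reason.
SEGMENTED_RULES = [
    Rule("HVAC", "PROXY", 443, "vendor telemetry via egress proxy", date(2014, 3, 3)),
    Rule("CORP", "PROXY", 443, "staff web access via egress proxy", date(2014, 3, 3)),
    Rule("ADMIN_JUMP", "CDE", 22, "POS administration from hardened jump host", date(2014, 3, 3)),
    Rule("CDE", "PROXY", 443, "payment gateway via egress proxy", date(2013, 10, 1)),
]


def reachable_zones(rules: List[Rule], start: str) -> Set[str]:
    """Zones reachable from `start` by following allow rules transitively."""
    seen = {start}
    frontier = [start]
    while frontier:
        zone = frontier.pop()
        for rule in rules:
            if rule.src == zone and rule.dst not in seen:
                seen.add(rule.dst)
                frontier.append(rule.dst)
    return seen


def zones_reaching_cde(rules: List[Rule], cde: str = "CDE") -> Set[str]:
    """Every non-CDE zone that can reach the CDE, directly or by pivoting.

    On a flat network this is every zone, which is what it means for the
    whole "building" to fall into PCI scope.
    """
    zones = {r.src for r in rules} | {r.dst for r in rules}
    return {z for z in zones if z != cde and cde in reachable_zones(rules, z)}


def stale_or_undocumented(rules: List[Rule], today: date) -> List[Rule]:
    """Rules with no written justification or no review in the last six months."""
    return [
        r for r in rules
        if not r.justification.strip() or today - r.reviewed > REVIEW_INTERVAL
    ]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: zones that can reach the CDE: {sorted(zones_reaching_cde(rules))}")
        for r in stale_or_undocumented(rules, TODAY):
            print(f"  review needed: {r.src} -> {r.dst}:{r.port} (last reviewed {r.reviewed})")
```

On the flat ruleset the HVAC zone reaches the CDE even though no rule connects them directly, because CORP is in the middle; on the segmented ruleset only the jump host does. The review check is deliberately strict: a rule with a good reason but no review in the last six months is flagged just like an undocumented one, since the auditor will ask for both.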
The Fifth Deadly Sin: Errors of Encryption
PCI requires you to encrypt your customers’ confidential data at all times, which may sound straightforward—but multifarious opportunities for failure lurk in the details. First, VanSickel argues that since data storage has become very cheap, firms today store much more confidential information than is necessary.
“People want to keep data so they can mine it for marketing purposes. But the big question is ‘why?’ Storing all those credit card numbers throws your business open to risk. The more sensitive stuff you store, the more likely you are to fail to encrypt it, or find it all,” he says.
Fimin adds that complacency also plays a part in audit failure.
“A business might say, ‘I have my servers protected, my access rights are configured and I have physical security, so no one can steal my data.’ But if someone does steal a server from one of your retail locations and gets the hard drive out, he will be able to read and steal the data if it is not encrypted,” he says.
Meanwhile, Sedlack says that an increasing number of businesses are storing data in the cloud—and assume that they are outsourcing the responsibility of encrypting that data when, in fact, it remains their responsibility.
“I see this quite a bit,” he says. “Employees who have access to PCI-related data open up a Web browser and point to one of the well-known cloud storage vendors, like Dropbox, but they have opened themselves up to audit failure because they could be storing unencrypted data out in the cloud.”
The problem with offsite data storage centers is that the business owner does not hold the encryption key—the service provider does. So if the provider is hacked, your data will be exposed, while employees at the provider who do have the encryption key will also be able to see what you are storing.
And so you fail.
➔ What should be done?
Encrypting data in transit is not so complicated, says Fimin. Here, you just have to make sure you are using standard mechanisms such as HTTPS, the common protocol used to access a secure Web server, or a Virtual Private Network (VPN) connection.
When it comes to encrypting the confidential data stored on your servers and hard drives, however, you have no choice: you must encrypt it all yourself, whether you keep it onsite or store it in the cloud.
“It’s a pain in the neck,” says Fimin, “But it’s less painful than the consequences of a leak.”
VanSickel stresses that the less data you store, the less you will be responsible for—and the less you will have to prove is secure to a PCI auditor.
Most businesses shouldn’t need to store more than the last four digits of a customer’s credit card, he says: “Limit the data that you hold which is subject to PCI to the absolute justifiable minimum.”
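VanSickel’s two points, that you are more likely to “fail to encrypt it, or find it all” the more you store, and that the last four digits are usually all you need, can be put into practice with a discovery-and-minimization pass over your own data. The following is an added Python example, not from the article: it scans a constructed export for digit runs that look like card numbers, confirms them with the Luhn check digit so that order numbers and phone numbers are not flagged, and rewrites each match down to its last four digits. The export, the order numbers and the field layout are constructed; the two card numbers in it are the long-published test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004, not real cards.

```python
"""Find and minimize stored card numbers in a constructed data export.

Added example, not from the article. The export below is constructed;
the card numbers in it are publicly documented test numbers, not real
cards.
"""
import re
from typing import List

# 13 to 19 digits, optionally separated by spaces or dashes, and not part
# of a longer digit run (the lookarounds stop a 20-digit id from matching).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_EXPORT = """\
order=1234567890123456 customer=Jane Doe card=4111 1111 1111 1111 phone=212-555-0199
order=1234567890123457 customer=John Roe card=5500-0000-0000-0004 phone=212-555-0142
order=1234567890123458 customer=Ann Poe card=************1111 phone=212-555-0177
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Digit runs that look like card numbers and pass the Luhn check."""
    return [
        _digits_only(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group()))
    ]


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all most businesses need to store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize(text: str) -> str:
    """Replace every full card number in `text` with its masked form; leave other numbers alone."""
    def repl(m: "re.Match") -> str:
        digits = _digits_only(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_EXPORT):
        print("full card number found:", mask_pan(pan))
    print(minimize(SAMPLE_EXPORT))
```

The 16-digit order numbers in the sample are the point of the Luhn step: by length alone they look exactly like card numbers, and a scanner without the check would bury the real findings in false positives. After minimization the same scan finds nothing, which is the state you want a PCI auditor to see.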
The Sixth Deadly Sin: Really Dumb Passwords
It’s security 101: don’t use really dumb passwords. You know, things like “password” or “123456.” And yet, even after a seemingly infinite number of articles on the topic, many businesses are still committing this most basic of errors, says Fimin.
In fact, PCI is extremely detailed when it comes to passwords. For a start, you cannot use the default passwords that come with your systems, and yet many businesses often revert to them, Fimin says. You have to create your own, and there are many rules to observe.
For instance, you need to set a minimum password length of seven characters, and mix uppercase and lowercase characters and numbers. You also have to change passwords at least every 90 days. Oh, yes, and you cannot use any passwords you have used in the last two years. On top of that, if a user enters a password incorrectly six times, they must be locked out of the system for 30 minutes, or until an administrator re-enables access.
Of course, that level of detail is why businesses fail audits over passwords—because typing in “password” is just so much easier, isn’t it?
➔ What should be done?
Staff (or even management) may resist the complexities of PCI-compliant passwords. This is another argument for segmentation: If you restrict access to payment card data only to those whose work absolutely requires it, then you will limit the number of individuals who have to abide by these rules, and thus reduce the likelihood of human error.
But you can also enforce these policies using systems you probably already have. For instance, the Active Directory mechanism in Windows servers enables you to set rules defining password complexity, password length and account lockouts.
The alternative to learning how to do this is not just audit failure—but a potentially catastrophic breach over one of the simplest things to control.
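The rules listed under this sin are concrete enough to be modelled, which is how you check that whatever system enforces them (Active Directory or otherwise) behaves the way the auditor expects. The following is an added Python example, not from the article and not Active Directory’s own policy engine: a small account model that enforces a minimum length of seven characters, a mix of upper case, lower case and digits, a ban on default passwords, 90-day expiry, no reuse within two years, and a 30-minute lockout after six failures that an administrator can lift early. The user name, passwords, timestamps and the list of forbidden defaults are constructed; the hashing scheme is a choice made for this example.

```python
"""A model of the password rules the article lists.

Added example, not from the article and not Active Directory's own
policy engine. Parameters mirror the article's rules; user names,
passwords, timestamps and the stored-hash scheme are constructed.
"""
import hashlib
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_WINDOW = timedelta(days=2 * 365)
LOCKOUT_THRESHOLD = 6
LOCKOUT_DURATION = timedelta(minutes=30)
# Constructed list; "password" and "123456" are the article's own examples.
FORBIDDEN = {"password", "123456", "admin", "changeme"}


def password_meets_policy(pw: str) -> Optional[str]:
    """Return None if `pw` is acceptable, otherwise the rule it breaks."""
    if len(pw) < MIN_LENGTH:
        return "shorter than seven characters"
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)):
        return "needs upper case, lower case and digits"
    if pw.lower() in FORBIDDEN:
        return "default or trivially guessable password"
    return None


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.salt = os.urandom(16)                 # per-account salt for stored hashes
        self.history: List[Tuple[datetime, bytes]] = []
        self.failures = 0
        self.locked_until: Optional[datetime] = None
        err = self.change_password(password, now)
        if err:
            raise ValueError(err)

    def _hash(self, pw: str) -> bytes:
        # Salted, iterated hash so history entries never hold the password itself.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def change_password(self, pw: str, now: datetime) -> Optional[str]:
        err = password_meets_policy(pw)
        if err:
            return err
        digest = self._hash(pw)
        if any(d == digest and now - ts <= HISTORY_WINDOW for ts, d in self.history):
            return "reused within the last two years"
        self.history.append((now, digest))
        return None

    def password_expired(self, now: datetime) -> bool:
        return now - self.history[-1][0] > MAX_AGE

    def authenticate(self, pw: str, now: datetime) -> str:
        """One of: ok, expired, bad_password, locked."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        self.locked_until = None                   # lockout period has passed
        if self._hash(pw) == self.history[-1][1]:
            self.failures = 0
            return "expired" if self.password_expired(now) else "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad_password"

    def admin_unlock(self) -> None:
        """The "until an administrator re-enables access" path."""
        self.locked_until = None
        self.failures = 0


def scenario() -> List[str]:
    """Walk one account through the rules and return the outcome of each step."""
    t0 = datetime(2014, 1, 1, 9, 0)
    acct = Account("cashier01", "Till7open", t0)
    out = [acct.authenticate("Till7open", t0)]                                       # ok
    out += [acct.authenticate("wrong", t0 + timedelta(minutes=i)) for i in range(6)]  # 5x bad_password, then locked
    out.append(acct.authenticate("Till7open", t0 + timedelta(minutes=10)))            # still locked, even with the right password
    out.append(acct.authenticate("Till7open", t0 + timedelta(minutes=36)))            # 30 minutes passed: ok
    out.append(acct.authenticate("Till7open", t0 + timedelta(days=91)))               # past 90 days: expired
    out.append(acct.change_password("Till7open", t0 + timedelta(days=91)) or "changed")  # reuse refused
    out.append(acct.change_password("Till8open", t0 + timedelta(days=91)) or "changed")  # accepted
    return out


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The scenario is the test an auditor effectively performs by reading your configuration: the sixth wrong password locks the account, the right password is refused while the lock holds, the lock lifts after 30 minutes, the password is reported expired on day 91, and the old password cannot be set again. If the system you rely on cannot reproduce each of those outcomes, the policy document says one thing and the deployment does another, which is exactly the gap the seventh sin is about.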
The Seventh Deadly Sin: Dubious Drafts of Documents
PCI mandates that companies draft and maintain policies and procedures. The problem here is that businesses often forget that these are “living documents.”
“People tend to stick [the policy document] on a shelf and not keep it up-to-date, or disseminate what’s in it,” says Sedlack. “The result is that the people in the business touching credit card data might be making decisions putting the business at risk of PCI failure.”
VanSickel adds that since configuring a network to be PCI compliant is usually the job of technical staff, it’s frequently the same tech staff who write the accompanying documentation.
“The problem is that tech experts are more focused on ensuring that what you build and deploy is operationally secure than on drafting policies and procedures,” he says.
Auditors, however, are focused on evaluating whether the deployed configurations match what’s documented. And in the gap between the two, failure awaits.
➔ What should be done?
Keep your policy documents up-to-date. VanSickel suggests an even simpler solution. If you’re not confident that your policies are detailed or current enough, then hire an expert security consultant to review them and help with writing them.
“It’s a lot less money than going out and buying another piece of hardware,” he says. “All it involves is for the consultant to conduct a couple of interviews with your tech people to understand what’s deployed, and then [document] it. It’s not that difficult once it’s written to keep it up-to-date.”
A Shortcut: Outsourcing PCI Compliance
There’s no denying that PCI compliance takes a lot of time and effort to get right. It should: you’re securing the lifeblood of your business. But, says VanSickel, if you use a service provider to manage your IT requirements, then you have another option: You can outsource the PCI pain by putting compliance in the contract. Here, specific phrasing is key.
“Lots of companies don’t do their due diligence, or the legal department will make generic statements, like ‘must be PCI compliant,’” says VanSickel. “But they don’t talk about how. So it’s critical that you state that the provider must prove to you on an annual basis that your systems are PCI compliant.”
Ultimately, however, though PCI compliance can feel like a burden, it’s important to remember that the rules exist for a good reason.
As VanSickel says: “I would rather a PCI auditor find something that I can fix now, instead of having to deal with the fines and reputation hit of having to deal with a security problem after a breach—the CEO and chief information officer were forced to resign after the Target breach.”