How do organizations pass their PCI DSS audits yet still suffer security breaches? Paying attention to PCI DSS checklists only partially secures the cardholder environment. Learn the next steps for fully securing your data.
Beyond PCI Checklists: Securing Cardholder Data with Tripwire's Enhanced File Integrity Monitoring
White Paper
Configuration Control for Virtual and Physical Infrastructures

Contents
4 The PCI DSS Configuration Controls
6 The PCI DSS Change Process Controls
8 How Tripwire Helps
9 Meeting PCI Requirements and Securing the Data Center

2 | WHITE PAPER | Beyond PCI Checklists

Introduction
According to the New York Times, on January 19, 2009, Heartland Payment Systems disclosed that they may have exposed the credit information of tens of millions of credit and debit card holders in what may be one of the largest data compromises to date. Heartland had been compliant with the Payment Card Industry Data Security Standard (PCI DSS), the standard designed by the major credit card companies to "protect consumers, merchants and banks from the theft or loss of credit information and any subsequent fraudulent activity."1 The Heartland security breach illustrates a concerning trend toward organizations achieving PCI compliance, but still suffering a major breach.

Being PCI Compliant Does Not Ensure Security
The PCI DSS applies to any organization that accepts, stores or processes payment cards of any type and is a comprehensive checklist of actions these organizations must take to improve the security of global payment systems. Although the adoption of PCI DSS by an organization will most likely improve its security posture, being compliant with the PCI DSS does not ensure the organization is secure.

As security practitioners, if we mechanically follow the PCI DSS checklist and our organization suffers a data security breach, we are still held responsible, and our organization still gets fined, suffers brand damage and may lose its ability to process credit card transactions. While checklists are useful tools, following them can lull us into a false sense of security. To rely solely on the PCI DSS checklists to secure cardholder data is similar to a pilot relying only on the pre-flight checklist before takeoff, then colliding with another plane during takeoff. A checklist is not enough.

In reality, the goal of effective security controls is to prevent security breaches from occurring, and when they do, to allow quick detection and recovery. This requires not just following a checklist, but understanding the organization's compliance and security objectives, understanding what the top risks to achieving those objectives are, having adequate situational aw...

... and present the primary risks that they are designed to mitigate. These controls span most of the PCI DSS requirements, either implicitly or explicitly.

In Part I we discuss the first area, configuration controls, which require that specific configuration settings are correct. Returning to the airplane analogy, in a pre-flight checklist, configuration controls equate to checking that fuel levels are correct, the baggage door indicator light indicates the door is closed, the flaps are in the correct setting for takeoff, and so forth.

In Part II we discuss the second area, change process controls, which ensure required activities have been completed properly. In a pre-flight checklist, these equate to ensuring that the pilot checks that the flap controls have the appropriate range of motion, that all maintenance issues were appropriately addressed, the pilot has signed all the required forms, the flight attendants correctly performed the safety presentation, and the pilot and copilot visually check the runway for other planes before takeoff, and so forth. These activities must be validated not just at one point in time, but regularly over an entire period of time (i.e. the entire year between PCI audits).

The Intent of Configuration and Change Process Controls
For the PCI DSS, configuration controls ensure that all computing systems2 in the cardholder data environment are configured correctly. For example, PCI DSS Requirement 1 deals with firewalls, and includes requirements that all firewall settings are set to "deny all," that audit logging is enabled, that required password aging is enabled, and so forth.

On the other hand, change process controls ensure all changes to those computing systems in the cardholder data environment were adequately tested, authorized and verified. For example, PCI DSS Requirement 1 also requires evidence that all changes to firewall rules are detected and authorized
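The two control types described above can be shown side by side in code. The following is an added example written for this page; it is not Tripwire's product code and does not reproduce how Tripwire implements file integrity monitoring. It assumes a simple "key = value" policy file, a file path, a ticket identifier and a 90-day password-aging limit, all of which are constructed for illustration. The configuration control checks that the parsed settings match the expected values (deny-all default, logging on, password aging within the limit); the change process control hashes the file, compares it to a stored baseline, and accepts drift only when it matches an approved change record, so that an undocumented edit to the firewall policy surfaces as an unauthorized change rather than silently passing.

```python
"""Added example (not Tripwire's code): configuration control plus
change-process control over one constructed firewall policy file."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Per-file fingerprint stored in the baseline and in change tickets."""
    return hashlib.sha256(data).hexdigest()


def parse_policy(text: str) -> dict:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored.
    The policy format itself is an assumption made for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.lower()
    return settings


# Expected settings named in the text: deny-all default, audit logging on.
EXPECTED = {"default_policy": "deny", "logging": "on"}
MAX_PASSWORD_AGE_DAYS = 90  # assumed aging limit for the example


def check_configuration(settings: dict) -> list:
    """Configuration control: list every setting that misses expectations."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    age = settings.get("password_max_age")
    if age is None or not age.isdigit() or int(age) > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"password_max_age: expected <= {MAX_PASSWORD_AGE_DAYS}, found {age!r}")
    return findings


def classify_change(path: str, current_hash: str,
                    baseline: dict, authorized_changes: list) -> str:
    """Change process control: drift from the baseline is acceptable only
    when an approved ticket records exactly this post-change hash."""
    if baseline.get(path) == current_hash:
        return "unchanged"
    for change in authorized_changes:
        if (change["path"] == path and change["approved"]
                and change["expected_hash"] == current_hash):
            return f"authorized ({change['ticket']})"
    return "unauthorized"


def run_checks(files: dict, baseline: dict, authorized_changes: list) -> dict:
    """Run both controls over {path: content}; returns a per-file report."""
    report = {}
    for path, content in files.items():
        digest = sha256_hex(content.encode())
        report[path] = {
            "change": classify_change(path, digest, baseline, authorized_changes),
            "findings": check_configuration(parse_policy(content)),
        }
    return report


# Constructed sample data: the approved baseline, an approved rule addition
# recorded under ticket CHG-0042, and an undocumented edit that flips the
# default policy to 'accept'.
POLICY_PATH = "/etc/fw/policy.conf"
BASELINE_POLICY = "default_policy = deny\nlogging = on\npassword_max_age = 90\n"
APPROVED_POLICY = BASELINE_POLICY + "rule_10 = allow tcp 10.0.0.5 443  # CHG-0042\n"
TAMPERED_POLICY = BASELINE_POLICY.replace("deny", "accept")

BASELINE = {POLICY_PATH: sha256_hex(BASELINE_POLICY.encode())}
AUTHORIZED_CHANGES = [{
    "ticket": "CHG-0042", "path": POLICY_PATH, "approved": True,
    "expected_hash": sha256_hex(APPROVED_POLICY.encode()),
}]


def demo() -> dict:
    """Evaluate the three constructed scenarios against the same baseline."""
    scenarios = [("baseline", BASELINE_POLICY),
                 ("approved", APPROVED_POLICY),
                 ("tampered", TAMPERED_POLICY)]
    return {name: run_checks({POLICY_PATH: content}, BASELINE,
                             AUTHORIZED_CHANGES)[POLICY_PATH]
            for name, content in scenarios}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} change={result['change']:24s} findings={result['findings']}")
```

The baseline hashes and the list of approved changes are the integrity anchor for this check, so in practice they must be stored and protected separately from the monitored host; a check that reads its own baseline from a file the same change could have edited proves nothing. Running the check once a year at audit time gives the point-in-time evidence the text warns about; the value comes from running it continuously so that the "tampered" outcome is raised when the edit happens.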