Automated Event Log Management for PCI DSS Compliance

By: GFI
Published: Jul 05, 2007
Length: 8
Type: White Paper
Overview:

This white paper highlights why organizations need to implement event log auditing as an integral part of their security policy to meet industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).

Download this paper now to learn more. 

PCI DSS is a collection of best-practice procedures that aim to drastically reduce credit card fraud. Its main objective is to set in motion a cultural shift towards a more security-centric mentality in all businesses operating within the payment card industry. This need arises from the fact that credit card fraud has sky-rocketed in the last few years, leading to an astounding financial loss of $3028.8 million in the US alone in 2006 (ePaynews.com, 2006). The rise in fraud levels is fuelled by 3 factors:

1. The availability and sheer simplicity of e-commerce, which conveniently overcomes geographical boundaries and, often, any protection offered by local laws and regulations.

2. The high availability of "plastic money" for consumer purchases in all industrialized nations.

3. Substandard security practices implemented by merchants and merchant service providers that store, process and transmit unprotected payment card details without taking precautions against whoever might tap into this information.

To counter credit/debit card fraud, the 5 major card companies (Visa International, MasterCard Worldwide, American Express, JCB and Discover Financial Services) designed a strong security framework to reinforce payment card transaction security. The result of their efforts was the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS compliance is today the irrefutable responsibility of all businesses handling cardholder data including retail, mail orders, telephone orders and e-commerce - irrespective of business size.

PCI DSS and event log auditing: What is the connection?

Swiping a credit card at a merchant's shop or clicking the 'purchase' button on an e-commerce website triggers a number of background processes (e.g. transaction validation process) - all of which generate event log entries on servers, security applications, hardware components and lots of other places across the network. Similarly, classic computer attacks and hacks such as dictionary and brute force password attacks generate event log entries in the security logs of your IT infrastructure. The meticulous auditing of infrastructural logs therefore makes it possible for security administrators to monitor system usage trends and identify possible foul play.

PCI DSS requirements address event log auditing by explicitly underlining the need to collect, audit and manage event log data. The need for effective event log management goes beyond a single PCI DSS requirement. For example, PCI DSS requirement 10 dictates that all businesses utilizing payment card information should "track and monitor all access to network resources" - a requirement that can be readily met through event log auditing. Other PCI DSS specifications, such as requirement 5, demand that companies "use and regularly update anti-virus software", an activity which administrators can again verify through the event log entries generated within the anti-virus event repository.
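The two paragraphs above make the point that attacks such as dictionary and brute-force password guessing leave a trail in authentication logs, and that requirement 10's "track and monitor all access" can be met by auditing that trail. The following is an added example, not code from the paper or from GFI, of the kind of detection logic an event log management tool applies: it parses a handful of constructed OpenSSH-style authentication lines (hostnames, usernames and the documentation-range addresses 203.0.113.7 and 198.51.100.9 are all made up for the example), counts failed logons per source address inside a sliding time window, raises an alert once a threshold is crossed, and escalates the alert if the same source later succeeds, which is the pattern an auditor most wants surfaced. The `threshold` and `window` values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-style sshd lines); not taken from any real system.
SAMPLE_LOG = """\
Jun 12 09:00:01 pos-srv1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 09:00:03 pos-srv1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 12 09:00:04 pos-srv1 sshd[2210]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 12 09:00:06 pos-srv1 sshd[2210]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 12 09:00:07 pos-srv1 sshd[2210]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 12 09:00:09 pos-srv1 sshd[2215]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jun 12 09:15:40 pos-srv1 sshd[2300]: Failed password for jsmith from 198.51.100.9 port 40001 ssh2
Jun 12 09:15:55 pos-srv1 sshd[2301]: Accepted password for jsmith from 198.51.100.9 port 40002 ssh2
"""

# Matches the password-authentication outcome lines sshd writes to the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2007):
    """Return a dict for an auth outcome line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failed logons inside `window`,
    and mark the alert if that source subsequently logs in successfully."""
    recent = defaultdict(deque)  # src address -> timestamps of recent failures
    alerts = {}                  # src address -> alert record

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unrelated log line; an auditor would route it elsewhere
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "host": ev["host"], "failures": len(q),
                               "first": q[0], "last": ev["ts"],
                               "success_after": False, "user": None}
        elif src in alerts and not alerts[src]["success_after"]:
            # A successful logon from an already-flagged source is the
            # highest-priority finding: the guessing may have worked.
            alerts[src]["success_after"] = True
            alerts[src]["user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        sev = "CRITICAL" if a["success_after"] else "WARNING"
        print(f"{sev}: {a['failures']} failed logons from {a['src']} on {a['host']} "
              f"between {a['first'].time()} and {a['last'].time()}"
              + (f"; later accepted as '{a['user']}'" if a["success_after"] else ""))
```

On the sample data the single legitimate failure from 198.51.100.9 never reaches the threshold, while 203.0.113.7 is flagged on its fifth failure and escalated when the following "Accepted" line arrives. In a real deployment the lines would come from the centralized log store that requirement 10 expects, and the alert record (source, host, window, account) is what an auditor reviews, so it should be written to a tamper-resistant store rather than only printed.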

PCI DSS specifications extend to all network hardware and software components that are used within environments that store, process and transmit credit/debit card data. These include:

- Core network-security components such as firewalls, routers, Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)

- Network segments such as Demilitarized Zones (DMZ)

- Servers and business systems hosting DNS services, NTP services, SMTP/POP3/IMAP and other email services, authentication handling, Active Directory policies, web servers and database servers, amongst others

- Internal or web-facing applications, including off-the-shelf and custom-built software

Consequences and implications of non-compliance

Only companies that take event log management seriously can meet the strict requirements of the PCI DSS. Failing to do so can lead to serious repercussions. Between May 2006 and January 2007, retail giant TJX became the victim of what can be considered one of the greatest computer breaches that ever occurred in the payment card industry. Hackers exploited flaws in a segment of TJX's computer network that handles credit and debit cards, checks, and merchandise return transactions to steal over 45 million credit/debit card records. The stolen information was used in various fraudulent card transactions, including the Florida crime spree of March 2007. According to various experts, TJX violated some of the basic tenets of PCI DSS and, consequently, this retail giant now faces numerous lawsuits that will eventually lead to severe financial sanctions that can amount to up to $500,000 per incident.