Retail Technology
Security experts warn on complacency and quick fixes


All UK Level 1 merchants, those that process more than 6 million transactions a year and accept Visa payments, need to comply with the original v1.2 Payment Card Industry Data Security Standard (PCI DSS) by today, 30 September 2010.


The deadline also affects Level 2, 3 and 4 merchants. From now on, any smaller company that suffers a breach will automatically be moved up to Level 1 status, bringing additional policies and procedures and higher costs.


But Alan Bentley, senior vice president international at endpoint security firm Lumension, warned: “PCI compliance might have been around for some time, but merchants are still struggling to get their heads around the requirements.”


“Version 2.0 is just around the corner, meaning merchants not only need to be concerned about their ability to prove compliance with v1.2, but also with the steps they need to take to get to the next stage of compliance,” he added.


Standards development continues


The PCI Council is already working on v2.0, as part of the 36-month standards update lifecycle process. It is due to publish v2.0 at the end of October.


Ross Brewer, vice president and international markets managing director at security log management firm LogRhythm, said: “Many merchants are falling into the trap of viewing PCI DSS as a list of requirements that simply need to be ticked off a list within a specific timeframe.


“However, compliance is not a one-time only requirement; instead, organisations should approach it as an ongoing process that requires the automation and optimisation of increasingly complex IT and data operations.”


LogRhythm also believes that merchants are all too often treating PCI compliance as the responsibility of a single business division, without considering how the measures it prescribes can improve operational efficiency across all areas of the organisation.


“Many merchants are taking a siloed approach to PCI DSS, thinking about how it impacts card transaction procedures, rather than viewing it as a set of best practices that can actually improve the performance of the entire business,” continued Brewer. “While such ‘kneejerk’ responses to PCI mandates may seem relatively cheap to implement, in reality they are a false economy. Instead, it makes sense to deploy monitoring solutions that can add value in as many areas as possible; after all, there is a significant difference between simply complying and actually doing something that benefits the business as a whole.”


Taking a proactive stance


LogRhythm advised merchants that automated, centralised and fully integrated log management platforms, capable of providing deep insight into how IT systems are being utilised across the whole business and on an ongoing basis, should be the cornerstone of their compliance strategies.


Indeed, the latest UK Security Breach Investigation Report indicates that, of all the merchants suffering a cardholder data breach in 2010, none were compliant with PCI DSS requirement number 10, which states that merchants must regularly monitor access to network resources as a way of proactively spotting unusual or suspicious behaviour.


This position is endorsed by the PCI Security Standards Council, which has released a statement informing merchants that, “It is not enough to validate compliance annually and not adopt security into an organisation's ongoing business practices… Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organisation’s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete”.
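As an added illustration, not code from the article or from either vendor quoted in it, of the routine access monitoring that requirement 10 and the Council's statement call for: a small Python checker that reads constructed access-log lines from an assumed cardholder data environment (CDE) host and flags repeated authentication failures, a successful login that follows them, and off-hours logins by accounts outside an assumed approved list. The log format, host and account names, hours window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed format per line:
# <ISO timestamp> host=<name> user=<id> action=<auth_ok|auth_fail|query> src=<ip>
SAMPLE_LOG = """\
2010-09-30T02:14:05 host=cde-db01 user=svc_backup action=auth_ok src=10.0.5.20
2010-09-30T02:14:30 host=cde-db01 user=svc_backup action=query src=10.0.5.20
2010-09-30T09:01:00 host=cde-db01 user=jsmith action=auth_fail src=10.0.9.7
2010-09-30T09:01:04 host=cde-db01 user=jsmith action=auth_fail src=10.0.9.7
2010-09-30T09:01:09 host=cde-db01 user=jsmith action=auth_fail src=10.0.9.7
2010-09-30T09:02:00 host=cde-db01 user=jsmith action=auth_ok src=10.0.9.7
2010-09-30T10:30:00 host=web01 user=anna action=auth_ok src=10.0.9.8
2010-09-30T23:45:00 host=cde-db01 user=tmartin action=auth_ok src=10.0.9.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+)$")

CDE_HOSTS = {"cde-db01"}             # assumed: hosts holding cardholder data
OFF_HOURS_APPROVED = {"svc_backup"}  # assumed: accounts allowed on CDE hosts 22:00-06:00
FAIL_THRESHOLD = 3                   # assumed: failures before an alert is raised

def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def review_access(events):
    """Return (alert_type, user, host) tuples for suspicious CDE access."""
    alerts, fails = [], defaultdict(int)
    for e in events:
        if e["host"] not in CDE_HOSTS:
            continue  # only CDE hosts are in scope for this check
        key = (e["user"], e["src"])
        if e["action"] == "auth_fail":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:   # fires once, at the threshold
                alerts.append(("repeated_auth_failure", e["user"], e["host"]))
        elif e["action"] == "auth_ok":
            if fails[key] >= FAIL_THRESHOLD:   # guessing pattern that then succeeded
                alerts.append(("success_after_failures", e["user"], e["host"]))
            off_hours = e["ts"].hour >= 22 or e["ts"].hour < 6
            if off_hours and e["user"] not in OFF_HOURS_APPROVED:
                alerts.append(("off_hours_cde_access", e["user"], e["host"]))
    return alerts
```

Running `review_access(parse(SAMPLE_LOG))` on the constructed log yields three alerts: the repeated failures for jsmith, the login that followed them, and the 23:45 login by tmartin; the approved backup account and the non-CDE host produce none.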


Lumension’s Bentley added: “Merchants must avoid detaching risk management from compliance. PCI standards are designed as a starting point to helping build a strong security posture, but are specifically concerned with payment card data.”


To achieve true, continuous security across all aspects of the organisation, he said merchants should also gain visibility across security controls and regulatory compliance; ensure processes are manageable, automated and repeatable to enable round-the-clock compliance and security; enforce security policies with operational endpoint management; prevent the execution of malicious code by allowing only approved applications to run in an environment through intelligent whitelisting; and centralise data gathering to ease compliance reporting and audit workflows.