
Material Changes to the PCI DSS that Can Affect Your Organization

09.08.2010 · Posted in Uncategorized

Incidents of ID theft and payment card fraud are skyrocketing. Organizations that process card transactions or store payment information are scrambling to keep up with these attacks and effectively safeguard consumer information. In response to these heightened security concerns, and as the culmination of two years of feedback and suggestions from the industry, the PCI Security Standards Council released version 1.2 of the Payment Card Industry (PCI) Data Security Standard on October 1, 2008. The updates clarify the standard for cardholder account security and ease its implementation. Version 1.2 is effective immediately.

PCI DSS compliance is paramount for a merchant, its customers, and the industry. By adhering to this security standard, retailers, service providers and allied organizations can dramatically reduce the vulnerabilities that are easily exploited for the purpose of compromising corporate data.

However, adhering to the standard is often easier said than done. PCI DSS contains a fairly comprehensive set of technical, physical and administrative requirements. Implementing a security compliance program and maintaining a strong security posture capable of warding off attacks and protecting cardholder data has proved to be a significant challenge for a majority of affected organizations. Gathering information for self-assessments and preparing for third-party audits only increases the workload of the IT staff. Many affected organizations lack the automated performance measurement capabilities and validation processes necessary to prove compliance and appropriate diligence in managing cardholder information.

We will summarize the material changes to the PCI DSS that can affect your organization. We also offer recommendations for additional steps that you can take to go beyond a check-the-box compliance audit and ensure you have adequate security practices and technology to protect your organization and customers after the ink is dry on the audit findings report. Specifically, we encourage all organizations that must comply with PCI DSS to leverage the right technology solutions to help them perform pre-audit reviews and self-assessments and establish a culture of continuous compliance and security.

What is new in the most recent PCI DSS update?

Let’s start by looking at what did not change.

PCI DSS continues to apply to merchants, acquiring banks, issuing banks, payment processors and other allied service providers that process, store, transmit or dispose of consumer card information. All organizations that do business with VISA, MasterCard, Novus, American Express and other association members are required to follow the standard or face substantial fines levied by the card associations.

The penalties for noncompliance are significant. The card association rules specify that the acquirer (merchant bank) is responsible for ensuring that each merchant is compliant with the PCI DSS. The merchant agreement between the acquirer and the merchant requires the merchant to be compliant with the PCI DSS; in this way the merchant banks pass the liability on to the merchants through the terms of their standard merchant agreement. Noncompliant merchants are also exposed to the risk of class action and other civil lawsuits in the event of a data breach involving consumer information.

The cardholder data, and any network component, server, or application that is included in or connected to the cardholder data environment, continue to be the primary focus of the PCI DSS.

The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Now let’s take a look at what has changed.

A majority of the PCI DSS Version 1.2 changes added clarifying language to several requirements. While most were minor in nature, we have included a summary of the most significant changes.

  1. Configuration requirements apply to both routers and firewalls. Added flexibility to allow for a review of firewall and router rule sets to “at least every six months” so that controls can be customized to an organization’s risk management policies.
  2. PCI DSS requirements apply to wireless environments that are “attached to cardholder environment or transmitting cardholder data.” WEP is no longer acceptable, which emphasizes the need to use strong encryption technologies for wireless networks, such as WPA or WPA2, for both authentication and transmission. SSIDs may now be broadcast: since the SSID is sent over numerous other messaging and communication channels, disabling SSID broadcast does not prevent malicious users from determining the SSID.
  3. Added minor clarifying and explanatory language. No major changes.
  4. PCI DSS requirements apply to wireless environments that are transmitting cardholder data “or connected to cardholder data environments.” Added the requirement to implement wireless according to best practices (e.g., IEEE 802.11i) to emphasize the need to use strong encryption technologies for wireless networks, for both authentication and transmission. WEP is no longer acceptable. WEP is prohibited on new wireless implementations after March 31, 2009. WEP is prohibited for current wireless implementations after June 30, 2010.
  5. Anti-virus software or programs apply to all operating systems that are commonly affected by malicious software, if applicable anti-virus technology exists.
  6. Requirement 6.6 is no longer a recommended best practice – it is now mandatory. It was clarified to apply to public-facing web applications to address new threats and vulnerabilities on a continuous basis. Applications can be reviewed with manual or automated vulnerability assessment tools or methods. Applications should be reviewed at least annually for all changes. Patch requirements are now more flexible to align with an organization’s risk management policies.
  7. Added minor clarifying and explanatory language. No major changes.
  8. Added minor clarifying and explanatory language. No major changes.
  9. Added clarifying language for video cameras and other access controls. Added a requirement to review the security of the off-site storage location at least annually and changed the review cycle from “periodically” to “at least annually.”
  10. Added additional language to clarify types of events that must be logged.
  11. Added additional focus on testing for the presence of wireless access points and implementing wireless IDS/IPS. Clarified that both qualified internal personnel and external third parties can perform penetration tests.
  12. Clarified that employee acknowledgement of the security policies and procedures must be done at least annually and in written or electronic form.
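As an added illustration (not part of the original post), the following Python check applies the wireless rules from items 2 and 4 to a constructed access-point inventory: in-scope access points must use WPA or WPA2, and WEP is flagged on new implementations deployed after March 31, 2009 and on existing implementations once June 30, 2010 has passed. The inventory, the field names and the date handling are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

NEW_IMPL_CUTOFF = date(2009, 3, 31)       # WEP prohibited on new wireless implementations after this date
EXISTING_IMPL_CUTOFF = date(2010, 6, 30)  # WEP prohibited on existing implementations after this date
ACCEPTABLE = {"WPA", "WPA2"}              # strong wireless encryption named by the v1.2 wording


@dataclass
class AccessPoint:
    ssid: str
    encryption: str   # "WEP", "WPA", "WPA2" or "OPEN" (field names are assumptions)
    in_cde: bool      # attached to, or transmitting within, the cardholder data environment
    deployed: date


def wep_finding(ap, today):
    """Return a finding for an in-scope access point, or None if it is acceptable."""
    if not ap.in_cde:
        return None  # out of scope: not connected to the cardholder data environment
    if ap.encryption in ACCEPTABLE:
        return None
    if ap.encryption != "WEP":
        return f"{ap.ssid}: {ap.encryption} is not an acceptable wireless encryption"
    if ap.deployed > NEW_IMPL_CUTOFF:
        return f"{ap.ssid}: WEP on a new implementation deployed after {NEW_IMPL_CUTOFF}"
    if today > EXISTING_IMPL_CUTOFF:
        return f"{ap.ssid}: WEP on an existing implementation after {EXISTING_IMPL_CUTOFF}"
    return None  # legacy WEP still inside the grace period that ends June 30, 2010


def audit(inventory, today):
    """Run every access point through wep_finding as of `today` (date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [f for f in (wep_finding(ap, today) for ap in inventory) if f]


# Constructed sample inventory for the example; none of these networks are real.
INVENTORY = [
    AccessPoint("POS-LAN", "WEP", True, date(2008, 1, 15)),    # legacy WEP inside the CDE
    AccessPoint("GUEST", "WEP", False, date(2008, 1, 15)),     # WEP, but out of scope
    AccessPoint("WAREHOUSE", "WEP", True, date(2009, 5, 1)),   # WEP deployed after the new-implementation cutoff
    AccessPoint("REGISTERS", "WPA2", True, date(2009, 5, 1)),  # acceptable
    AccessPoint("KIOSK", "OPEN", True, date(2010, 2, 1)),      # no encryption at all
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2010, 9, 8)):
        print(finding)
```

Run against the sample inventory on the post's date, the check reports three findings; before the June 30, 2010 deadline the legacy POS-LAN network is still tolerated and only two remain.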

These changes, though important, did not alter the primary focus of the PCI DSS. The primary focus of the PCI DSS calls for the continuous management and monitoring of the cardholder data and the cardholder data environment to effectively manage both security and compliance.

Many organizations are realizing that this is a sleeper provision of the PCI DSS. In short, compliance with the PCI DSS does not ensure security and may still leave you open to fines and lawsuits in the event of a data breach. The Hannaford Bros. grocery store chain found this out the hard way.

Hannaford Bros. was certified as PCI compliant and then experienced a breach of 4.2 million credit and debit card numbers. Several class action lawsuits have been filed against Hannaford, charging negligence and breach of promise for allowing the intrusion to happen. Hannaford has since announced that it will implement Triple DES encryption on PIN pad devices, new intrusion-prevention systems, and other additional security measures.

Hannaford Bros. learned that a compliance strategy that does not also strive to create a culture of continuous security is flawed. The reason is that a typical PCI DSS audit is specific to a point in time, while the risks and threats that the PCI DSS is intended to address occur in real time, 24/7. PCI DSS compliance and security practices need to create an ongoing process in which merchants can monitor, measure and report.

Merchants must go beyond a check-the-box audit or self-assessment to ensure they have the capabilities and controls to continuously comply and protect cardholder data all of the time – not just at the time of the audit or attestation of compliance. All affected organizations must have appropriate risk management and data security practices and solutions that address the true intent of the PCI DSS Requirements and Security Assessment Procedures or self-assessment questions, enabling both PCI DSS compliance and security, or they will:

  • Be out of compliance before the ink is dry on their annual audit or self-assessment questionnaire.
  • Be faced with the possibility of bankruptcy.
