
One of today’s hottest topics, in the news as well as in corporate conference rooms and IT departments, is data security. Hardly a day goes by without another high-profile story of computer hacking, identity theft or a credit card data breach. This is, unfortunately, becoming the new reality for businesses, consumers and governments.
So, what can organizations do to protect themselves, and the customers and business partners who have entrusted them with valuable data? At the very least, learning from past experience, or from the mistakes of other organizations, is a reasonable place to start. From there, existing strategies can be evaluated and, where necessary, a plan of action to improve security measures can be developed.
It often seems, however, that many organizations still aren’t getting the message. Despite a number of high-profile retail and consumer data breaches in recent years, many financial and retail organizations still do not appear to have adequate data security, as the breaches continue.
It should be clear by now that all organizations are potential targets, but those that routinely handle large volumes of sensitive consumer and corporate financial data are particularly exposed. Unfortunately, some organizations continue to disregard the warning signs and the tremendous financial impact of a data security breach, deferring or delaying necessary IT security upgrades.
While there may not be a single answer to this issue, a few possible reasons become evident. First, the significant time and cost of reviewing and updating enterprise-wide IT security is a major burden for many organizations, particularly those with large, heterogeneous computing environments. Second, vague, confusing or ambiguous language in government and industry IT security compliance requirements makes it difficult for IT managers to know where or how to begin. And finally, there is the challenge of aligning IT security practices with other corporate priorities and requirements.
Regardless of the reason, it is time for all financial and retail organizations to overcome these hurdles and delays, and to revamp security practices across the board wherever needed. Given that hackers and cyber criminals will continue to develop new and more aggressive ways to bypass IT security defenses, the retail and financial industries must make IT security a top corporate priority.
Embracing the PCI DSS Standard
One way enterprise organizations can improve their IT security is by ensuring that all systems and processes adhere to the relevant government regulations and industry standards. One such standard is the Payment Card Industry Data Security Standard (PCI DSS), which defines the controls merchants and payment processors must apply to secure cardholder data. Created by aligning Visa’s and MasterCard’s separate data protection programs, PCI DSS unifies the requirements, compliance criteria and validation processes for industry-wide cardholder data protection. Even setting aside its mandatory compliance aspects, this makes it a useful network data security standard and framework, one that can actually make the job easier for financial institutions, retailers and their IT security managers.
However, despite the recent publicity surrounding PCI DSS and retail security breaches, compliance with the standard is still surprisingly low. This is partly because the requirements are lengthy and complex, and meeting them takes an IT department’s valuable time for an extensive review and modification of existing security programs.
In addition, PCI DSS applies to all merchants and service providers that store, process or transmit cardholder data. This is a large and diverse group, which complicates matters, since merchants and service providers may be running a variety of computing platforms and operating systems, such as Windows, Unix/Linux and IBM mainframes.
The issue is that, while each of these platforms can be operated securely in isolation, the combined environment is more exposed once they are networked together. Each platform has its own security model and tooling, so a control that works on one system does not necessarily exist on, or carry over to, the others, and cardholder data passing between them is only as well protected as the least secure hop on the path.
The Multi-Platform Reality
With the exponential growth of IP-based data communications in an always-connected, 24x7 world, it is clear that simply complying with PCI DSS will not solve every security problem IT managers face. Since merchants and service providers run on a variety of computing platforms, every enterprise IT security approach must encompass all of them, from the mainframe to Windows PCs and beyond.
Traditionally, the mainframe has been the keeper of the most sensitive corporate data assets and has had the strongest security. The foundation of mainframe security is rigid control over user access: only authorized personnel with the proper credentials can access data stored on the mainframe. In addition, mainframe systems were usually hard-wired to a handful of dedicated terminals where physical access could be strictly controlled, making that control relatively easy to maintain. That isolation no longer holds once the mainframe is reachable over the corporate IP network.
For Unix/Linux systems the security focus is different. Security measures aim not only to limit physical and electronic access to the system, but also to protect it from programs designed to access data and obtain root control of the machine. Combating such programs and scripts, such as Trojan horses, rootkits, sniffers and keystroke loggers, is therefore the primary focus.
Windows-based security, however, is a different concern again. As the most widely used Internet-connected computing platform in the world, Windows is the number one target for hackers. Windows security is therefore primarily focused on preventing viruses, spam, spyware and worms that can either destroy all the data on a PC or, in the worst case, hijack one PC and use it to automatically spread malware to hundreds, even thousands, of other computers.
IT managers are therefore required to think holistically when deploying security measures. This includes working with cross-functional engineering teams to devise a plan that ensures every computing and access system used throughout the enterprise is secured, down to the last point-of-sale system, PC, server, mainframe, PDA and smart card.
The Path to Data Security and Compliance
So, how do retailers and financial organizations efficiently secure data transactions, streamline applications to work cohesively in multi-platform environments, and comply with PCI DSS requirements, all at the same time?
The answer is not necessarily simple, but it can be approached by focusing on a few primary IT security practices that not only deliver more secure systems but also streamline security management and lower overall IT costs.
One solution that helps organizations cost-effectively secure corporate and customer financial data in transit is SSH Tectia, an enterprise end-to-end secure data communications product developed by SSH Communications Security. It addresses the most critical information security needs of financial institutions, retailers and government agencies: secure system administration, secure file transfers, secure data in transit, secure remote access and secure application connectivity.
In addition, SSH Tectia provides centralized deployment, maintenance, monitoring and auditing via SSH Tectia Manager. It also helps organizations comply with emerging and existing regulatory requirements and legislation related to privacy, security, auditing and risk management, including PCI DSS, the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX) and other regulations that protect critical consumer and corporate information. Note that a secured channel protects data in transit only: cardholder data stored at either end of the connection still has to be protected under the standard’s requirements for stored data.
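As an added illustration, not part of the original article and not code from SSH Communications Security or the SSH Tectia product, the following standard-library Python script makes concrete the exposure described in the multi-platform discussion above and in the data-in-transit argument here. It scans captured session payloads for primary account numbers (PANs), validates each candidate with the Luhn check so that order numbers, timestamps and long transaction IDs are not flagged, and masks what it reports (first six and last four digits) so the scanner's own output does not become another store of cardholder data. The session names, protocols and payloads are constructed; the card numbers are the widely published test numbers for Visa, MasterCard and American Express, not real accounts. Run against a plaintext FTP transfer and a telnet administrative session it finds readable PANs; against the SSH/SFTP session it sees only ciphertext and finds nothing.

```python
import re
from dataclasses import dataclass

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (so 20-digit transaction IDs
# and timestamps are not flagged).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN for reporting: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return every Luhn-valid PAN in text as an unmasked digit string."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Session:
    name: str      # hypothetical label for the captured session
    protocol: str  # protocol the traffic was carried over
    payload: str   # bytes as seen on the wire, decoded as text


def scan_sessions(sessions):
    """Map each session name to the masked PANs readable in its payload."""
    return {s.name: [mask_pan(p) for p in find_pans(s.payload)] for s in sessions}


# Constructed sample captures, not real traffic. The card numbers are the
# publicly documented test numbers for Visa (4111...), MasterCard (5500...)
# and American Express (3782...), not real accounts. The 16-digit value in the
# "ref" column fails the Luhn check and must not be reported.
SAMPLE_SESSIONS = [
    Session("pos-to-mainframe-ftp", "ftp",
            "STOR settle_20240301.csv\n"
            "txn_id,pan,amount,ref\n"
            "20240301000000000001,4111 1111 1111 1111,19.99,4111111111111112\n"
            "20240301000000000002,378282246310005,120.00,REF-77\n"),
    Session("admin-telnet", "telnet",
            "db2 => SELECT pan FROM cards WHERE id = 42\n"
            "5500-0000-0000-0004\n"
            "1 record(s) selected.\n"),
    Session("admin-sftp", "ssh",
            # After key exchange only ciphertext crosses the wire; shown here as
            # a constructed hex dump rather than a real capture.
            "SSH-2.0-OpenSSH_9.6\n"
            "2f8a e1c0 b7d4 93fe 0a6c 51b2 c4d9 7e03 ab66 f1c8 0d2e 9b47\n"
            "6c15 d8e2 3fa9 b0c7 e4d1 8a2f 5c93 1e7b d6a0 f48c 27b5 9ce1\n"),
]


if __name__ == "__main__":
    for name, pans in scan_sessions(SAMPLE_SESSIONS).items():
        status = "EXPOSED" if pans else "no cardholder data visible"
        print(f"{name:24s} {status} {pans}")
```

The same scanner can be pointed at file shares, batch job output or log archives to find where cardholder data is sitting in the clear; on live traffic it only works on protocols that carry their payload in plaintext, which is exactly the point: once the transfer or administrative session is moved to SSH, neither an attacker on the path nor this script can read the PANs.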
Making PCI DSS and IT Security a Priority
As retailers and financial organizations are forced to adjust to ever-changing times of increased credit and debit card transactions, highly skilled attackers and growing multi-platform computing environments, keeping up with new regulations may appear tedious and exhausting. However, the effort necessary to comply with PCI DSS is more than worth it when compared to the alternatives.
Hefty litigation, loss of shareholder value, a damaged corporate reputation and job losses are only a few of the outcomes of a data theft. Moving forward, the retail and financial industries must make it a priority to comply with PCI DSS quickly. In fact, a comprehensive IT security approach for PCI DSS compliance, one that secures all data at all times regardless of where or when corporate IT systems are accessed, can also be the foundation for meeting the data-protection requirements of other regulations such as SOX, GLBA and HIPAA.