PCI Compliance with BWise
Cyber-crime is increasing, and there is real money to be made in credit card fraud. Those who used to be foolish hackers boasting about their hacking skills have now grouped together or are recruited by organized crime. According to consumers, data breaches at third parties such as retailers are the number one source of credit card fraud (Gartner, May 2008). The threat is serious, and the PCI DSS is a good standard to adhere to in order to start protecting our data.
The PCI Standard addresses the whole 'eco-system' of retail payments: payment devices, applications, card processing infrastructure and any organization that executes related operations. To do this, it contains three related components:
- PCI Data Security Standard: security controls and processes for protecting cardholder data;
- Payment Application Data Security Standard: standard for software developers that sell commercial applications for accepting and processing payment cards;
- PIN Entry Device Security Requirements: for manufacturers of payment card devices used at the point of sale.
The PCI DSS itself is organized as goals, each with one or more requirements, for example:
- Goal: Build and maintain a secure network
- Requirement: Install and maintain a firewall configuration to protect cardholder data.
Some of these requirements are high-level and others are more concrete. Alongside the requirements set out by the PCI organization (the 'manager' of the PCI DSS), the major card brands have also incorporated PCI DSS requirements into their own technical requirements for compliance. These can differ by card brand and financial institution, and their processes for verifying compliance can differ as well. If you need to adhere to the PCI DSS, it makes sense to document an elaborate program that describes how the goals are covered, by which processes and controls, and how all of this maps to the technical requirements of the different card brands.
One of the goals set out in the PCI DSS is 'Regularly monitor and test networks', which comprises two requirements: track and monitor all access to network resources and cardholder data; and regularly test security systems and processes. There are very specific tools on the market to help you do exactly this. These are advanced systems, and we do not pretend to have the knowledge or expertise to maintain them. It does, however, make sense for us to 'interface' with systems that can do so and relate the results from those applications to an 'asset' list in BWise that is directly tied back to the Programs and their goals for continuous monitoring.
Security assessments can only be done by Qualified Security Assessors or Approved Scanning Vendors, each tackling only a part of the requirements. Their approach is similar to an audit (whether tool-supported or not), which can also rely on internal processes, walk-throughs and existing documentation.
Some card brands allow merchants to support their compliance by completing self-assessment questionnaires, a technique that is very similar to, and often used in, other areas of compliance.
Technology or processes
As with most compliance and regulation, the PCI DSS relies on both technology (e.g. virus scanners must be deployed to all systems) and processes (e.g. ensure that all anti-virus mechanisms are current, actively running, etc.).
The BWise GRC Suite is perfectly capable of integrating different systems and correlating them into one Program for PCI compliance. It allows easy monitoring, central reporting and integration with the other compliance programs running in your organization.