Reports that companies involved in some of the latest data breaches were PCI-compliant continue to spark discussion of whether PCI is a solid measuring stick for overall security. Industry observers say yes, but businesses need to change their check-list approach.
When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.
Similar talk surrounded the situations with Heartland Payment Systems, Hannaford Bros. and just about every other data breach that has happened since the Payment Card Industry Data Security Standard (PCI DSS) was first established. But the question then becomes whether PCI is truly a useful security metric if so many breached businesses seem to be compliant.
According to security observers, the answer is yes. The problem is the mindset many businesses have.
"The worst part of passing a PCI audit is that it creates a false sense within upper management that your systems are fully protected," said Phil Neray, vice president of security strategy at Guardium. "Management needs to understand that security and compliance are continuous, ongoing processes, not one-time check-off events, and they need to prioritize the people and budgets to make this happen."
PCI compliance, he continued, "provides a set of guidelines and a starting point for security and application teams. But it doesn't replace a detailed analysis of insider and outsider threats in an organization, or rigorous attention to processes for closing security holes."
PCI compliance is, after all, just a snapshot in time. Organizations compliant at the time of an audit can theoretically be knocked out of compliance before the next one by a single control change.
"Security is a 24/7, 365-day-a-year thing," said Bob Russo, general manager of the PCI Security Standards Council.
After the Heartland breach, which is widely considered to be the largest criminal breach of card data ever, the company began pushing for industrywide adoption of end-to-end encryption. It was too late to avoid the breach they experienced, but not too late to help avoid one in the future.
"Any business foolish enough to simply make compliance their only security goal has made a serious, and sometimes fatal, mistake," opined Michael Maloof, CTO of TriGeo Network Security. "Companies have embraced the intent of the regulations and have accepted the responsibility to secure their networks, train their employees and maintain a state of vigilance to ensure their systems remain secure. Other companies see PCI as yet another tax on their businesses and do everything they can to pay as little as possible; that is, until they are forced to pay for the consequences."
Those consequences can be costly. Earlier this year, a survey performed by the Ponemon Institute found that the average cost of a data breach, from detection to notification and response, increased to $202 per record in 2008 from $197 a year earlier. Then there is the cost of lost business and a damaged reputation.
"I think what happened in the case of some of these breaches ... that should be onus enough to make you think about what you need to do to become secure," Russo said. "These are disruptive, to say the very least, to your business. Your reputation suffers, not to mention the fact that there are fines that are handed down by the [payment card] brands, but again the fines are the least of it."
"The way to not have to go through this is to comply with the standard," he added.
Beyond the requirements themselves, the PCI council has reached out to retailers to improve security. For example, the council has opened up the training it provides to assessors to security pros working for retailers, so they are trained the same way the PCI auditors are.
"Most organizations seem to have a checkbox attitude toward PCI and want to use PCI as an excuse if anything bad happens. There seems to be significant misunderstanding between the concepts of compliance, validation and security," Forrester Research analyst John Kindervag said. "Compliance incentivizes security. PCI exists because companies who took credit cards didn't have adequate basic security, and now it is being forced upon them."