It has long
been rumored that manufacturers of items such as razors and batteries
specifically produce their products an inferior level in order to ensure repeat
business. A similar paradox is occurring in the
information security space where many are complaining that the
PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions
are being written in periodicals and by people that should know better.
PCI came to
life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB
collaborated to create a new set of standards to deal with credit card
fraud. PCI requires that all merchants
and service providers that handle, transmit, store or process information
concerning any of these cards, or related card data, be required to be
compliant with the PCI DSS. If they are
not compliant, they can face monetary penalties and/or have their card
processing privileges terminated by the credit card issuers.
The primary
purpose of PCI is to force organizations to embrace common security controls to
protect credit card data and reduce fraud and theft. The following are the six primary control
areas and 12 specific requirements of the PCI DSS:
Build and maintain a secure network
1. Install
and maintain firewall configurations
2. Do not
use vendor-supplied or default passwords
Protect cardholder data
3. Protect
stored data
4. Encrypt
transmissions of cardholder data across public networks
Maintain a vulnerability management
program
5. Use and
regularly update anti-virus software
6. Develop
and maintain secure systems and applications
Implement Strong Access Control
Measures
7. Restrict
access to need-to-know
8. Assign
unique IDs to each person with computer access
9. Restrict
physical access to cardholder data
Regularly monitor and test networks
10. Monitor
and track all access to network resources and cardholder data
11.
Regularly test security systems and processes
Maintain an information security
policy
12. Maintain
a policy that addresses information security
A quick
review of these 12 items shows that PCI is a textbook example of the
fundamentals of information security. With that,
PCI Compliance: Understand and Implement Effective PCI Data Security
Standard Compliance is an excellent resource that provides the reader with
all of the fundamental information needed to understand and implement PCI DSS.
The books 13
chapters provide the reader with a comprehensive overview of all of the details
and requirements of PCI. The first three
chapters provide an overview of the basics about PCI and the basic requirements
of the standard. The following six
chapters go into detail about each of the primary control areas.
In
particular, chapter 6 provides a good overview of the PCI logging
requirements. This requirement can be
time-consuming to put into place. The
author notes that a commonly overlooked but essential requirement, namely that
of accurate and synchronized time on network devices. Enterprise information network and security
infrastructure devices are highly dependent on synchronized time and PCI
recognizes that correct time is critical for transactions across a network.
In a further
discussion about synchronized time in chapter 9, the author unfortunately makes
an error when he states that local hardware is considered a stratum 1 time
source since it gets its time from its own CMOS. From an NTP perspective, only a device that
is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and
can't be relied upon.
The title of
chapter 12 is both amusing and accurate 'Planning to fail your first
Audit'. The irony is that so many
organizations lack a CISO or formal business security program in place designed
to protect corporate information assets.
They don't focus on information security as a process, rather as a set
of products or regulatory items to be checked-off. Yet, these same organizations are surprised
when they fail an audit.
The book
concludes in chapter 13 with the well-known observation that security is a
process, not an event. The book astutely
notes that it is impossible to be PCI compliant without approaching security as
a process. Trying to achieve compliance
without integrating the various aspects in an integrated fashion is bound to
fail.
Overall,
PCI Compliance: Understand and Implement
Effective PCI Data Security Standard Compliance is a great book for one of
the most sensible security standards ever.
Anyone who has PCI responsibilities or wants to gain a quick
understanding of the PCI DSS requirements will find the book to be quite
valuable.
Ben Rothke
is a security consultant with
BT INS and the author of
Computer Security: 20 Things Every
Employee Should Know
"