TAP into Technology | Garland Technology Blog

Your Solution for PCI Data Compliance

Written by Tim O'Neill | 7/15/15 5:00 PM

Compliance is hard enough to obtain – much less maintain day in and day out.

Payment Card Industry, or PCI, compliance is no laughing matter. It involves personal data, including credit, finance and demographic information.

With more and more breaches occurring and the increased losses of personal information, PCI compliance should be a top priority. The latest statistics show that 71% of data breaches target small businesses and 60% of small businesses close within six months of experiencing a data breach.

The Payment Card Industry Data Security Standard (PCI DSS) was designed to decrease the risk of payment card fraud online while also protecting the card data of its users.

According to the PCI DSS, merchants are assessed by “level” on a scale from 1 to 4:

  • Level 1 - Merchants with over 6 million credit transactions a year

  • Level 2 - Merchants with 1 to 6 million credit transactions a year

  • Level 3 - Merchants with 20,000 to 1 million credit transactions a year

  • Level 4 - Merchants with under 20,000 credit transactions a year

*note – Branded companies like Visa, Mastercard, Amex, Discover, etc. set their own compliance levels

Level 1 merchants are required to submit to:

  1. Annual onsite security audits under a qualified security assessor company

  2. An internal audit, if signed by an officer of the company and pre-approved

  3. A quarterly network security scan record and review

Level 2, 3 and 4 merchants are required to submit to:

  1. An annual Self-Assessment Questionnaire

  2. A quarterly security scan and review by an Approved Scanning Vendor (ASV).

PCI DSS Version 3.1 was released April 15, 2015 and requires that all vendors and merchants upgrade to the newest Transport Layer Security (TLS) protocol no later than June 2016. Prior to this date, existing implementations that use Secure Sockets Layer (SSL) and/or early TLS must have a formal risk mitigation and migration plan in place.

Guidance on interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols is outlined in the PCI SSC Information Supplement.

At every PCI DSS level, the required security review needs a full view of the network’s data for self-assessment and security evaluation.

The basic requirements for data safety include having a(n):

  • Firewall

  • Password upgrade policy

  • Policy for protection of card data

  • TLS encryption for any transfer

  • System of protection against malware attacks through secure systems, monitoring and access procedures

  • Access control system and records of access in and outside of network

  • A “need to know” policy for access authentication

  • Tracking and monitoring process of all access to data and data storage

  • Regular testing schedule of all above security requirements

  • Strict policy for protection of data, access and transfer

All of these required security measures need full access to a network’s data to function properly. This means that to provide the best security, an independent visibility plane, delivered by a device that is separate from the systems being monitored, needs to be in place, such as passive network TAPs.

Seasoned network security managers often have at least 2 TAPs: one out-of-band, on the outside of their defense perimeter, and another in-band, inside their security perimeter, allowing them to see every bit and byte of data.

The out-of-band TAP will monitor the different types of attack vectors so that the team can prepare a remedy for a weakness in the outside security perimeter. The in-band TAP can witness and record any inside breach so that remediation and reporting can take place rapidly.
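One concrete thing a TAP feed gives a security team is evidence for the SSL/early TLS migration described above: every handshake crossing the monitored link can be checked for the protocol version the server actually negotiated. The example below is added here and is not code from the original post or from Garland Technology; it parses a TLS ServerHello record (the TLS 1.0 to 1.2 wire format, the versions relevant to PCI DSS 3.1) and flags SSLv3 and early TLS. The record-building helper constructs sample handshakes for illustration and is not a real capture.

```python
import struct

# TLS record content type for handshake messages and the ServerHello handshake type.
HANDSHAKE = 0x16
SERVER_HELLO = 0x02

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# SSL and "early TLS" (1.0, 1.1) are the versions PCI DSS 3.1 requires migrating away from.
LEGACY_VERSIONS = {(3, 0), (3, 1), (3, 2)}


def negotiated_version(record: bytes):
    """Return the (major, minor) version from a ServerHello record, or None if the
    bytes are not a handshake record carrying a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        return None
    # Handshake header is type(1) + length(3); ServerHello then starts with server_version(2).
    # Note: TLS 1.3 keeps 3,3 here and signals its version in an extension, not parsed here.
    return (body[4], body[5])


def flag_legacy_tls(record: bytes):
    """Return a finding string if the server negotiated SSL/early TLS, else None."""
    ver = negotiated_version(record)
    if ver is None or ver not in LEGACY_VERSIONS:
        return None
    return f"LEGACY: server negotiated {VERSION_NAMES[ver]}"


def server_hello(major: int, minor: int) -> bytes:
    """Build a minimal constructed ServerHello record (sample input, not a real capture)."""
    # server_version + 32-byte random + empty session id + cipher suite + null compression
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for record in (server_hello(3, 0), server_hello(3, 1), server_hello(3, 3)):
        print(negotiated_version(record), flag_legacy_tls(record))
```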

Today’s networks need a safe visualization plane so that they can recognize attacks or aberrant behavior as soon as possible to stop data record losses and help organizations avoid the high fines being levied against companies that do not protect their customers’ sensitive personal data.

Data leaks can result in lawsuits and hefty fines for large firms and close down smaller businesses. Even worse, these costs multiply when the company that was attacked cannot produce a full record of lost data. The rule is generally that if a company cannot prove how many records were leaked, the ruling bodies must assume that all records in the system were compromised – this drives the fines up considerably.

I've written before that breaches are not a question of “if,” but rather a question of “when”. A good security team with a strong visibility plane will be able to save their company from deep fines while protecting their customers’ sensitive data.

The cost of a network visibility plane is significantly less than the fines and non-monetary costs a firm could experience – just think of the business lost by retailers like Target, Home Depot and more.

Network visibility is the first step in protecting your network data. A TAP is the perfect tool for building out a foundation of network access since it cannot be hacked and gives a real-time view of every packet. With all of your data at your disposal, recognizing a violated security policy, a malware attack or a breach should take no more than minutes.
