Social Network For CISO (Chief Information Security Officers)
This Article was shared by Nachiket Sathaye, Information Security Consultant, Ultradefence Solutions
“We are PCI compliant, now we are secure.” While assisting customers with their PCI DSS compliance, I always come across teams making this statement. It is a very common myth amongst PCI DSS customers. Do you really think you will not face any security threats once you are PCI compliant? Absolutely not.
When the PCI scope is defined, only the small part of the infrastructure that handles cardholder data, and the related processes, is considered. The stakeholders and owners taking part in the PCI assessment work throughout the assessment cycle, performing various tasks and maintaining records and evidence, sometimes willingly and sometimes under pressure. Most of the time PCI DSS is treated as a project owned by the Compliance and/or IT Infrastructure teams rather than as a business requirement. Other teams are busy with their own tasks and unwilling to participate actively in the PCI program because it is not on their priority list. This can lead to disregard for security standards and processes, making those teams the weakest link in the chain.
Any payment business involves many technologies and processes: business applications, network and compute systems, operational processes and so on. Vulnerabilities and other non-conformities (NCs) make this payment ecosystem even more complex. Teams try to remediate the issues but run into compatibility problems, application and business process dependencies, refused downtime approvals, lack of funds for technology upgrades and the like, all of which further delay the compliance cycle. PCI compliance is a snapshot in time: the evidence and records maintained for the assessment cycle are validated, along with the periodic security tests performed during that cycle. Attackers, however, are becoming very sophisticated. Instead of leaking data immediately, they harvest information and wait for the right moment for the actual breach. That is why customers must assess and remediate issues in the CDE at regular intervals, not only when an assessment is due.
PCI customers often outsource tasks to third-party vendors or merchants. Although outsourcing simplifies the customer's business and is cost-effective, it creates another security challenge. Understanding and implementing the PCI DSS standard is hard for a small vendor without skilled security resources or an IT team with good knowledge of security standards. Past data breaches in the payment industry have shown that the breach often happened via a third party or outsourced unit: it was part of the customer's trusted network but had weaker security controls at its end, making it an easy target.
PCI DSS also calls for security and penetration testing from the non-CDE environment, to verify that the segmentation between the two actually holds, but how many customers really focus on this part and on the processes needed to keep the non-CDE environment to the same security standard? I would say very few. Most of the time the non-CDE environment is ignored because of lack of time, the workload on existing resources, commercial issues and so on, which can lead to a breach via the non-cardholder-data environment.
Security awareness among employees is also a big challenge. IT teams, business application owners and management may be aware of security threats, but the general user is not. Ordinary users (and sometimes experienced staff, even CxOs) fall victim to security attacks because of a lack of awareness, which can lead to a major breach later on.
The PCI DSS standard (or any other security framework) is just a benchmark and a snapshot of a particular period. It should be part of the business's IT security strategy for protecting sensitive data and keeping operations running, but at the same time organisations need to look beyond the compliance standard: continuously assess the environment for all kinds of security threats, build and measure organisation-wide security awareness, and give equal importance to the entire infrastructure and to outsourced vendors.
Instead of chasing the compliance framework's checklist items just to satisfy the mandate, one should follow short-term and long-term security strategies to strengthen the environment and business processes, with regular audits and tests to check their effectiveness. Doing so will, as a natural consequence, help achieve compliance certification without much difficulty.