Information security compliance requirements are often criticized for their check-box approach to security, and the Payment Card Industry Data Security Standard (PCI DSS) is no exception. However, the PCI Security Standards Council is gradually changing that. PCI DSS V3.0 reflects the need to make security a business process and establishes security as a shared responsibility amongst partners, both of which reflect the current state of security.
Data breaches like those experienced by Target and Jimmy John’s demonstrate the need for retailers to work more closely with their suppliers. Both companies were hacked and payment card data was compromised via login credentials stolen from their suppliers. It is important, therefore, that companies shore up their defenses and optimize compliance in both their own and their partners’ networks. For companies that struggle with the state of their own compliance – never mind that of their supply chain – this can sound like an insurmountable task.
Here are five steps that can help:
1 : Take a step back and understand what needs to be addressed.
While PCI DSS V.3.0 makes progress toward addressing the problem of security, the specification still heavily focuses on the entity. It describes the qualities of a compliant organization’s environment, not the actions that make payment card data secure. In order to truly protect card data across the supply chain, you need to understand the central problem and tackle it in a holistic way rather than as a series of boxes to be checked off. This means identifying and understanding the challenges entailed in securing payment card data.
2 : Understand data flows.
Securing data necessitates having visibility into the data across your own and suppliers’ networks. To that end, the PCI DSS v.3.0 specification states that organizations must maintain a ‘current diagram that shows all cardholder data flows across systems and networks.’ This extends to external partners as well.
Conducting automated scans to document where PCI data exists and determine if it is properly secured can provide useful insight. However, companies should do additional legwork to ensure that data flows correspond with reality. Survey users on their working habits, and ask suppliers to corroborate the inventory of in-scope systems.
3 : Reduce access points.
Once you have visibility into your cardholder data flow, you can concentrate on simplifying it. Your goal should be to reduce the number of potential access points. Use the mnemonic PEST to guide your efforts: Limit the persistence of cardholder data in memory, the points of entry to the payment environment, the storage of that data and its transport between different systems.
In terms of the supply chain, treat your external suppliers as you do internal users. Neither should be allowed to divert the documented flow of cardholder data. This means keeping data off of local storage, and requiring both to use the same distributed access system to minimize the environment’s entry points.
4 : Implement defense-in-depth with modern access controls
With each additional supplier, the risk of data breach increases. A failure-tolerant infrastructure can help reduce that risk by ensuring that no single failure can compromise the payment environment. If a hacker circumvents one security control, such as authentication, they should encounter another, such as encryption.
PCI DSS states that access to cardholder data should be limited to those employees and external contractors whose jobs require it. You can achieve an even higher level of security by using context to dynamically open and close access points to cardholder data. For example, a supplier might only be permitted to connect from a trusted machine at a certain time of day. Couple that with an additional layer of security around the data itself via encryption and classification to control how even authorized users can use and distribute the data. With these methods in place, stolen login credentials won’t always be enough ammunition for a Hacker to compromise sensitive data.
5 : Make security a business process – not a one-time effort
One of the more significant changes to PCI DSS v.3.0 is the recommendation to make compliance part of your business-as-usual (BAU) activities. There are two ways you can achieve this: burden employees and suppliers with additional day-to-day obligations, or identify outdated systems and working practices and replace them with alternatives that are compliant from day one.
Following all of the previous steps will help you make compliance BAU. The more streamlined the organization’s data flow, the easier it is to audit. The more contextual and granular your security systems, the harder it is for unauthorized users to access data and misuse it, which in turn leads to PCI DSS compliance.
Fundamentally, optimizing compliance across the supply chain is about solving the problem of securing payment card data in the most simple and holistic way possible. Sometimes this will mean optimizing the organization around the process. At the end of the day though, your organization won’t just be PCI DSS compliant. Your data will be truly protected.
Cryptzone secures the enterprise with dynamic, identity-driven security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their Cloud and network security with responsive protection and access intelligence. More than 750 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products trust Cryptzone to keep their data and applications secure. For more information go to www.cryptzone.com or follow us @Cryptzone
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.