Have you heard this claim before?
Working on just PCI compliance is not enough!
What about the 109 pages of compliance checks in V3.1 of the PCI DSS Standards(Payment Card Industry – Data Security Standard)¹ document is lacking in Cybersecurity?
There are 12 sections in the document:
- Firewall installation and configuration, roles of network admins, paperwork and change managment procedures
- Change vendor-supplied default passwords including wireless devices, use good configuration standards for your computer systems, maintain inventory lists, including on shared hosting cloud companies.
- Protect cardholder data – here is where the standard sets encryption standards for when cardholder data is used in the system (cardholder data should not be stored as it is very difficult to keep safe)
- Encrypt transmission of cardholder data across open or public networks – the cardholder data must be encrypted properly when going across public Internet. (this is a complex topic)
- Protect all systems against malware by using anti-virus programs and procedures to update and protect must be in order.
- Develop and maintain secure systems and application – If developing software to accept credit cards there needs to be an effort to make sure it is developed without future hacks
- Define access to components that access cardholder data -setup roles and access controls
- Identify and authenticate access to system components – for employees set up a process for user IDs so that a transaction can be attributed to the right person – set up good user group structure based upon roles in the company. I.e. only database administrators should have access to directly access the database
- restrict Physical access to cardholder data – make sure only employees that are supposed to access Credit card systems do access.
- Track and monitor all access to network resources and cardholder data
- Regularly test security and systems processes
- Maintain a security policy so that all personnel will see, review and update
The PCI compliance document is understandably focused on Credit Card data. So it does not say what should be done with Employee SS# data or customer data. But if you infer and treat any potentially damaging data as credit card data then you would definitely have a template of how to perform Cybersecurity for more than just credit card data.
The PCI Compliance Standards cannot be all encompassing with regard to all types of companies. All types of ways data can be stored or used (not with regard to Credit Card numbers).
But as a beginning template you can do worse.
All 12 points only use what we know about some basics of Cybersecurity.
change default passwords, set up some kind of Anti-virus software and keep up on your patching of your computers.
Be vigilant on your network defense with a firewall and use good practices as in deny all traffic while only allowing the traffic that is needed.
This last part is actually very difficult to achieve well.
If one does the following:
- DENY all network traffic
- Allow web out,(both encrypted and not)
- Allow email out and into the mailserver only
- DENY all network traffic (for good measure add it again)
This basic Access Control List(ACL) causes all kinds of problems even though it will deny many hacking attempts and malware software from operating in your network.
The problem is that as soon as you install a new program on your computer and it is using a different port than email and web ports this new port has to be allowed in the ACL.
How many times do people in your company install new programs? Some of them are good and some are not. But none of them will work unless you allow it in ACL.
Ok, let’s go beyond the ACL and the basic purpose of the Compliance standard.
Is just PCI compliance enough?
No, because a lot of PCI compliance tasks are to be done in a quarterly frequency. Obviously a lot can happen in 91 days
Here is the problem – as many people have stated (including VISA) the general PCI population does not do a good job being in compliance. The basics are not done well, so how can we expect them to go above and beyond compliance?
We can help you make PCI compliance happen and then go beyond .
Here is a previous image that discusses the concept of The IT Security Framework such as in COBIT or ISO27001
