A holistic approach to PCI-DSS Compliance
In recent years we’ve witnessed the extraordinary lengths to which cyber criminals will go to breach target networks and steal valuable data for monetary or competitive gain. This phenomenon is particularly apparent in the world of electronic commerce, where account details of credit card users are sold for a premium on the black market.
Fortunately, the principal stakeholders in the card payment ecosystem have defined a standard that has proven to be highly effective (albeit not infallible) at protecting data from such breaches. Over the past five years, the PCI-DSS framework has evolved from being mere guidelines without enforceable sanctions to a ‘must-have’ certification that you are required to obtain if you are involved in manipulating, storing or transmitting cardholder data.
Despite its seemingly narrow focus on cardholder data protection, PCI-DSS spans most IT disciplines and skills. This includes networks, databases, web applications, file systems and encryption along with core security-related processes such as vulnerability and configuration management. As a result, the cost of implementing compliance has become alarmingly high, bringing into question the applicability of the standard in terms of risks versus reward.
Earlier this year, the Ponemon Institute conducted a study on the actual costs of compliance among 160 enterprises, including 46 international ones. The results of this study showed that for mid-size organizations, the total cost of compliance with regulations such as PCI-DSS, SOX, HIPAA and others, averages $3.5 million. However, the cost of non-compliance was measured at $9.4 million, nearly triple the cost of compliance. While these figures illustrate a sizeable benefit for investment in compliance, the cost burden remains high.
So, what strategies can be employed to reduce the complexities and costs of a PCI implementation? What are the principal concerns to consider in terms of PCI implementation?
PCI-DSS is multi-disciplinary and to fully comply with the standard, it is essential to take a global consolidated approach to address all 12 requirements as a whole before focusing on solving individual elements. The core IT disciplines to be considered are: Networking (Fixed and Wireless); Data and Databases; IT Assets/Endpoints; and Web Applications.
Fixed Network
The PCI core requirement covers controlled network segregation, inbound/outbound traffic flows and DMZ implementation. Specific functions include: real-time perimeter anti-virus, IPSec/VPN tunneling support, IDS/IPS, use of strong cryptography (SSL/IPSec), default ‘deny-all’ settings, support of digital certificates and two-factor user authentication, event monitoring, federated device management and reporting, and network vulnerability analysis support.
These services cannot be provided by a legacy firewall, even a so-called next-generation firewall. The only way to cost effectively provide all these services and avoid the deployment of multiple devices is through the use of a Unified Threat Management (UTM) device. A UTM-based solution can help organizations cover the fixed network requirements of PCI while achieving greater overall PCI effectiveness and simultaneously minimize implementation and operational costs.
Wireless Network
In many ways, the wireless network is subject to the same constraints as the fixed network but it must also meet the following key functions:
1) Support for both ‘thick’ and ‘thin’ access point (AP) solutions that can work in a seamless management framework
2) Detection of rogue APs against a defined hardware inventory
3) Support and logging of wireless IDS/IPS
4) Support for WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption
In practice, the best approach in larger deployments is to minimize the deployment of thick APs, which have wireless control, IPS and other security features built into the physical devices, and favor the deployment of thin access points, which are much easier to manage and maintain. Thin APs tunnel wireless traffic to wireless controllers, allowing significant economies of scale and a simplified security management capability through a ‘single pane of glass’ management console for increased visibility and policy enforcement.
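The rogue-AP and WPA2 Enterprise checks in items 2 and 4 above can be reduced to a comparison of what the wireless IDS observes against the authorized hardware inventory. The following is an added example, not part of the original article or any vendor product; the inventory, BSSIDs and scan records are constructed values.

```python
# Authorized AP inventory (constructed, hypothetical values): BSSID -> expected settings.
# "WPA2-EAP" denotes WPA2 Enterprise with 802.1X; "CCMP" is the AES cipher suite.
INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "CORP-POS", "auth": "WPA2-EAP", "cipher": "CCMP"},
    "00:11:22:33:44:02": {"ssid": "CORP-POS", "auth": "WPA2-EAP", "cipher": "CCMP"},
}
CORP_SSIDS = {"CORP-POS"}

# Constructed wireless IDS scan records: bssid ssid auth cipher signal_dBm
SCAN = """
00:11:22:33:44:01 CORP-POS WPA2-EAP CCMP -41
00:11:22:33:44:02 CORP-POS WPA2-PSK CCMP -45
de:ad:be:ef:00:01 CORP-POS WPA2-PSK CCMP -38
66:77:88:99:aa:bb Guest-Cafe OPEN NONE -80
"""


def parse_scan(text):
    """Turn the whitespace-separated scan records into dicts."""
    rows = []
    for line in text.strip().splitlines():
        bssid, ssid, auth, cipher, signal = line.split()
        rows.append({"bssid": bssid.lower(), "ssid": ssid, "auth": auth,
                     "cipher": cipher, "signal": int(signal)})
    return rows


def classify(rows, inventory=INVENTORY, corp_ssids=CORP_SSIDS):
    """Compare observed APs with the inventory and return (bssid, finding) pairs.

    - An unknown BSSID advertising a corporate SSID is treated as an evil twin.
    - Any other unknown BSSID is reported for triage; neighbouring networks are
      expected and are not rogues by themselves.
    - An inventoried AP whose auth/cipher differ from the expected WPA2
      Enterprise + AES settings is flagged as misconfigured.
    """
    findings = []
    for r in rows:
        known = inventory.get(r["bssid"])
        if known is None:
            kind = "ROGUE_EVIL_TWIN" if r["ssid"] in corp_ssids else "UNKNOWN_AP"
            findings.append((r["bssid"], kind))
            continue
        if r["auth"] != known["auth"] or r["cipher"] != known["cipher"]:
            findings.append((r["bssid"], "MISCONFIGURED_AP"))
        elif r["ssid"] != known["ssid"]:
            findings.append((r["bssid"], "SSID_MISMATCH"))
    return findings
```

Run periodically against the controller's scan export and feed the findings into the same event monitoring used for the fixed network.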
IT Assets / Endpoints
IT assets include servers, desktops, laptops, operating systems, mobile devices and network equipment. The objective is to ensure that all assets that constitute the PCI cardholder data environment are subject to core security management processes.
Here, in order to have the most effective approach in meeting the PCI DSS requirements at minimal cost and complexity, it is important to consider the management of deployed endpoint security technologies and controls. The top 5 elements on the checklist are:
1) Support for asset vulnerability management to ensure that all operating systems are patched to the latest version and to assess configuration specific vulnerabilities
2) Configuration management capability against globally accepted best practices for operating system platform deployment (e.g. NIST, FDCC)
3) Endpoint policy control to blacklist/whitelist software, processes, devices, drivers, access lists, etc.
4) Automated remediation of configuration and audit issues for cost-effective operation
5) Deployment of client/mobile device anti-virus, preferably administered centrally
Data & Databases
It is impossible to comply with PCI DSS without implementing a database security solution to protect against data loss or fraud. Whether due to an error or a deliberate intent to harm, data loss can have serious consequences. In order to meet PCI-DSS compliance, a database security solution must include:
1) Database-specific vulnerability assessment and penetration testing
2) Configuration management for assessment against global best practices and/or the organization’s own data security standards
3) Access control assessment both at the database and application levels
4) Real-time monitoring of database users and their activity on both database and critical cardholder data.
In order to simplify the creation and enforcement of data security policies that will help meet PCI-DSS compliance, it is important to look for a centrally managed database security solution that provides all of the above features on one device.
Enhanced solutions include features such as automatic database and sensitive data discovery. Other desirable functions include pre-built policies that cover standard industry and government requirements which when combined with a comprehensive set of graphical reports deliver out-of-the-box readiness and immediate value for PCI-DSS compliance.
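Item 4 above, real-time monitoring of database users and their activity on cardholder data, is in essence a rule set applied to the database audit trail. The following is an added example, not part of the original article or any vendor product: it parses constructed audit lines and flags access to hypothetical cardholder-data tables from unapproved accounts or hosts, and bulk reads of those tables.

```python
import re

# Hypothetical cardholder-data tables and the accounts/hosts allowed to touch them.
CHD_TABLES = {"card_vault", "transactions"}
ALLOWED = {"pos_app": {"10.10.5.21", "10.10.5.22"}, "batch_settle": {"10.10.5.30"}}

# Constructed audit lines: timestamp user@host statement
AUDIT_LOG = """
2023-04-01T02:11:05Z pos_app@10.10.5.21 SELECT pan_last4, exp FROM card_vault WHERE token=$1
2023-04-01T02:11:07Z pos_app@192.168.77.4 SELECT pan FROM card_vault WHERE token=$1
2023-04-01T02:12:40Z jsmith@10.10.9.8 SELECT * FROM card_vault
2023-04-01T02:13:01Z batch_settle@10.10.5.30 UPDATE transactions SET settled=1 WHERE batch=$1
2023-04-01T02:13:15Z jsmith@10.10.9.8 SELECT name FROM customers WHERE id=$1
"""

LINE_RE = re.compile(r"^(\S+) (\w+)@(\S+) (.*)$")
# Table names following the keywords that introduce them in a statement.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+(\w+)", re.I)


def parse_audit(text):
    """Parse audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, stmt = m.groups()
            events.append({"ts": ts, "user": user, "host": host, "stmt": stmt})
    return events


def review(events, chd_tables=CHD_TABLES, allowed=ALLOWED):
    """Return (timestamp, user, alert) tuples for statements touching CHD tables."""
    alerts = []
    for e in events:
        tables = {t.lower() for t in TABLE_RE.findall(e["stmt"])}
        if not tables & chd_tables:
            continue  # statement does not touch cardholder data
        if e["user"] not in allowed:
            alerts.append((e["ts"], e["user"], "UNAPPROVED_ACCOUNT"))
        elif e["host"] not in allowed[e["user"]]:
            alerts.append((e["ts"], e["user"], "UNEXPECTED_HOST"))
        if re.search(r"\bSELECT\s+\*", e["stmt"], re.I):
            alerts.append((e["ts"], e["user"], "BULK_READ"))
    return alerts
```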
Web Applications
Since web applications are exposed to the outside world by definition, the PCI-DSS standard addresses them in detail in requirement 6.6. There are two methods that a company can apply in order to be in compliance with PCI DSS: a) Conduct yearly code reviews or b) Deploy a Web application firewall. While code reviews and testing are important, a significant cost saving can be made through the implementation of a Web application firewall.
The key functions that should be included in such a solution include:
1) Support of OWASP Web security guidance, cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerability protection
2) Protection against DoS and buffer overflow attacks at both the HTML and HTTP level
3) Access control and web application user authentication
4) Monitoring and management of error events
5) Incorporation of a web application vulnerability scanning capability for regular internal scans.
Conclusion
The multi-disciplinary nature of PCI-DSS requires the deployment of a variety of different security technologies. Consequently, organizations often deploy a combination of security technologies from different vendors in order to fully address the requirements of the standard. Unfortunately, using a large number of solutions from a variety of vendors often results in a wide array of disparate products and services introduced into the PCI solution.
The result is spiraling complexity (in terms of support, maintenance, resource training, etc.) and increased total cost of ownership. Minimizing the number of vendors to work with, to a single one if possible, is the only way to dramatically reduce both operating and capital expenses while removing complexity from implementation and management.
A common platform provided by a single vendor will also enable you to enhance your security posture, coverage and visibility for a lower overall risk of PCI project failure. In summary, a consolidated approach allows you to increase performance, improve security and reduce cost.
About The Author
Hatem Ali, Country Manager, Egypt, Libya and East Africa at Fortinet