One of the goals of PCI-DSS 3.0 is to make sure data security is taken seriously, and the standard encourages merchants to incorporate it into ‘business as usual’ practices. Several of the areas given additional clarification fall into what I categorize as managing risk, vulnerabilities and change. PCI-DSS should not be a check-the-box or ‘Simon Says’ exercise; it requires continued education and ongoing evaluation of risk. This can seem like a lot of additional overhead at first, but solutions already exist that automate much of the work, so ‘business as usual’ need not be all-consuming.
Merchants still need a process that identifies risk and assigns a ranking to newly discovered vulnerabilities. With the growing diversity of systems, even inside card-processing environments, a risk-based approach focuses the required security effort and prioritizes action on the most concerning issues. Better still is automating the ranking so you can quickly determine which systems in your environment need urgent attention. The guidance has not changed on one point: the most critical vulnerabilities must be dealt with within 30 days. McAfee Vulnerability Manager provides awareness of the devices on the network, meets the requirement PCI demands, and also allows security-score trending. That trending supports managing security as business as usual: it tracks the effectiveness of the implementation and makes visible the risk created by a lag in deploying critical patches.
An additional clarification notes that performing a vulnerability scan, whether internally or by an Approved Scanning Vendor (ASV), does not replace the need for a process that actively monitors ongoing vulnerability alerts from reliable sources. A system that can customize risk scoring using industry-standard vulnerability sources, augmented with information from the specific vendors the merchant uses, will satisfy this directive.
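The ranking process described above, as an added worked example that is not part of the original post and is not McAfee Vulnerability Manager logic: it joins a feed of advisories to an asset inventory, combines the industry score (CVSS) with asset criticality and the vendor's own severity, classifies the result high/medium/low, and flags high findings that have passed a 30-day remediation window. The advisory identifiers, hosts, weights, thresholds and the `VENDOR_BUMP` formula are all constructed assumptions for illustration, not data from any real feed.

```python
from datetime import date, timedelta

# Constructed sample advisory feed: identifiers, products and scores are made up
# for this example and are not taken from any real vulnerability source.
ADVISORIES = [
    {"id": "ADV-0001", "product": "pos-app",      "cvss": 9.8, "published": date(2014, 1, 2),  "vendor_severity": "critical"},
    {"id": "ADV-0002", "product": "db-server",    "cvss": 6.5, "published": date(2014, 1, 10), "vendor_severity": "important"},
    {"id": "ADV-0003", "product": "pos-app",      "cvss": 3.1, "published": date(2014, 1, 20), "vendor_severity": "low"},
    {"id": "ADV-0004", "product": "office-suite", "cvss": 9.0, "published": date(2014, 1, 25), "vendor_severity": "critical"},
]

# Constructed asset inventory: which product runs where, whether the host is in
# the cardholder data environment (CDE), and an asset weight (an assumption).
ASSETS = [
    {"host": "pos-01",       "products": ["pos-app"],      "in_cde": True,  "weight": 1.0},
    {"host": "db-01",        "products": ["db-server"],    "in_cde": True,  "weight": 1.0},
    {"host": "hr-laptop-07", "products": ["office-suite"], "in_cde": False, "weight": 0.4},
]

CRITICAL_WINDOW = timedelta(days=30)          # remediation window for "high" findings
VENDOR_BUMP = {"critical": 1.0, "important": 0.5, "low": 0.0}  # vendor-specific augmentation (assumption)
TODAY = date(2014, 2, 5)                      # reference date for the worked run


def risk_score(cvss, asset_weight, vendor_severity):
    """Combine the industry-standard score with merchant-specific context.

    Illustrative formula: CVSS scaled by asset weight, plus a bump driven by the
    vendor's own severity, capped at 10 so the result stays on a CVSS-like scale.
    """
    return min(10.0, cvss * asset_weight + VENDOR_BUMP.get(vendor_severity, 0.0))


def rank(score):
    """Map the combined score to the high/medium/low ranking PCI asks for."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rank_findings(advisories, assets, today):
    """Join advisories to affected assets, score and rank each pair, and attach
    a remediation deadline to high findings. Most urgent first."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if adv["product"] not in asset["products"]:
                continue
            score = risk_score(adv["cvss"], asset["weight"], adv["vendor_severity"])
            level = rank(score)
            deadline = adv["published"] + CRITICAL_WINDOW if level == "high" else None
            findings.append({
                "host": asset["host"],
                "advisory": adv["id"],
                "score": round(score, 1),
                "rank": level,
                "in_cde": asset["in_cde"],
                "deadline": deadline,
                "overdue": deadline is not None and today > deadline,
            })
    # Highest score first; CDE hosts before non-CDE hosts on ties.
    findings.sort(key=lambda f: (-f["score"], not f["in_cde"], f["host"]))
    return findings


def overdue_hosts(findings):
    """Hosts with at least one high finding past its remediation window."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    for f in rank_findings(ADVISORIES, ASSETS, TODAY):
        print(f"{f['host']:13} {f['advisory']} score={f['score']:<4} rank={f['rank']:<6} "
              f"deadline={f['deadline']} overdue={f['overdue']}")
    print("overdue hosts:", overdue_hosts(rank_findings(ADVISORIES, ASSETS, TODAY)))
```

Note what the asset weight does: a 9.0 CVSS on a laptop outside the CDE ranks medium and carries no deadline, while a 6.5 on the CDE database, once the vendor calls it important, crosses into high and gets a dated deadline. That is the prioritization the paragraph argues for; the exact weights and thresholds are the merchant's decision and should be written into the process document, not left implicit in a script.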
I am still puzzled by the change-detection requirement: the specific wording no longer names file-integrity monitoring, yet the comparison window is still set to at least weekly. If the intent of this revision is to inject more risk awareness and help merchants increase their overall security maturity, this area falls short. Assuming that any unauthorized change within the cardholder data environment is a concern, calling out only critical systems for monitoring leaves a possible opening for malice. As with the changes to vulnerability monitoring, a hierarchy would have been an improvement: critical system components monitored more frequently, and the entire cardholder data environment monitored for unauthorized changes over a longer timeframe.
Regardless of what the PCI standard requires, McAfee Change Control provides real-time change detection and, better yet, change prevention. It blocks unauthorized changes to the system, with customizable filters that specify what to include or exclude, so that authorized content and promotional updates can reach point-of-sale systems without triggering a security event. You will still need a documented process describing how to respond to an alert, but by preventing unauthorized changes in the first place you reduce both the false positives and the window for possible compromise.
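The tiered change detection argued for above, with the include/exclude filtering for authorized content, as an added worked example that is not part of the original post and is not McAfee Change Control code: it baselines SHA-256 hashes of a monitored tree, assigns each path to a "critical" tier (compared hourly) or the wider "cde" tier (compared daily), excludes an authorized promotional-content path, and reports added/removed/modified files. The directory layout, the intervals and the patterns are constructed assumptions, and the detection is a snapshot comparison rather than the real-time blocking the paragraph describes.

```python
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

# Monitoring policy (an assumption of this example): critical system components
# are compared every hour, the rest of the CDE tree at least daily, and paths
# matching an authorized-content pattern are excluded so routine promotional
# updates do not raise an alert. First matching tier wins.
POLICY = {
    "critical": {"patterns": ["bin/*", "etc/*"], "interval": timedelta(hours=1)},
    "cde":      {"patterns": ["*"],              "interval": timedelta(days=1)},
}
AUTHORIZED = ["content/promo/*"]


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(relpath):
    """Return 'authorized', the first matching tier name, or None."""
    if any(fnmatch.fnmatch(relpath, p) for p in AUTHORIZED):
        return "authorized"
    for tier, spec in POLICY.items():
        if any(fnmatch.fnmatch(relpath, p) for p in spec["patterns"]):
            return tier
    return None


def snapshot(root, tiers):
    """Hash every file under root whose tier is in `tiers` (authorized paths are skipped)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if classify(rel) in tiers:
                out[rel] = _sha256(full)
    return out


def diff(baseline, current):
    """Unauthorized changes: anything in the monitored set that was added, removed or modified."""
    changes = {}
    for rel in set(baseline) | set(current):
        if rel not in current:
            changes[rel] = "removed"
        elif rel not in baseline:
            changes[rel] = "added"
        elif baseline[rel] != current[rel]:
            changes[rel] = "modified"
    return changes


def tiers_due(last_scan, now):
    """Tiers whose comparison interval has elapsed since their last comparison."""
    return [t for t, spec in POLICY.items()
            if now - last_scan.get(t, datetime.min) >= spec["interval"]]


def due_after(hours_since_critical, hours_since_cde):
    """Convenience wrapper: which tiers are due, given hours since each was last compared."""
    now = datetime(2014, 1, 1, 12, 0)
    last = {"critical": now - timedelta(hours=hours_since_critical),
            "cde": now - timedelta(hours=hours_since_cde)}
    return tiers_due(last, now)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a tampered POS binary and an authorized promo update.
    Only the binary should come back as an unauthorized change."""
    root = tempfile.mkdtemp()
    _write(root, "bin/pos", b"v1")
    _write(root, "etc/pos.conf", b"port=9000")
    _write(root, "content/promo/banner.jpg", b"january")
    _write(root, "content/menu.xml", b"<menu/>")
    baseline = snapshot(root, {"critical", "cde"})
    _write(root, "bin/pos", b"v1-backdoor")                 # unauthorized change
    _write(root, "content/promo/banner.jpg", b"february")   # authorized content update
    return diff(baseline, snapshot(root, {"critical", "cde"}))


if __name__ == "__main__":
    print("unauthorized changes:", demo())
    print("tiers due after 2h:", due_after(2, 2))
```

The exclusion list is where the risk hides: anything matched by `AUTHORIZED` is invisible to the comparison, so it should be as narrow as the authorized update channel actually needs, and a file appearing under `bin/` or `etc/` should never be excludable. Whatever the tool, the response to a reported change still has to be a written procedure, as the paragraph above notes.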
Check back for upcoming blogs covering the technical aspects of PCI-DSS 3.0.