December 12, 2007, 10:13 pm

PCI Compliance? Wassat?


This is the first of several posts regarding the PCI compliance requirements imposed by the credit card industry. With deadlines approaching on December 31st, 2007, many organizations are not compliant - what does this mean to you?

Achieving PCI compliance has been at the forefront for many organizations as of late, with compliance for Level 1 and 2 merchants looming on the 31st… and I ask myself “Why are things taking so long?” The truth of the matter is, technology is not simple and applications don’t change overnight.

Organizations are scrambling to meet compliance deadlines that are quickly approaching. A realistic approach to meeting PCI standards requires taking a step back and viewing things from 100′ above. Where are your weak points? What data can you limit access to? Are you making your changes securely? A focus on best practices is the approach to take. PCI was introduced in 2004 and now, three years later, organizations are still taken by surprise. Security standards didn’t just arrive.

A pragmatic approach deals with the immediate - is the way you store credit card data insecure? If your core method of retaining credit card data is insecure, nothing else matters. Compromise my web servers, decrypt my in-flight SSL, just don’t get into my database. Companies need to approach PCI, and security compliance in general, from a PR and business standpoint. A compromise will ruin your business.

So what can a systems architect do? You can begin by ensuring all in-flight data is secure and that stored data is secure; use finite-lifetime tokens and PKI for applications, and protect that information. Store your source securely and restrict its access. Systems administrators - control your infrastructure, build it securely, use images, use kickstart/jumpstart, manage your software/packages centrally, integrate logins centrally, log all data, and use Splunk to mine your logged data for all events. Securely managing an enterprise infrastructure is a full-time job. It takes effort to audit logs - automate it.
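As an added example (not code from the original post or its author), the following Python sketch shows what “finite-lifetime tokens” for stored card data look like in practice: the full PAN lives only inside a vault, the application tiers keep an opaque random token plus a masked PAN, and a token stops resolving once its TTL has passed. All names (`TokenVault`, `tokenize`, `detokenize`, `luhn_valid`, `mask_pan`) are hypothetical, and the in-memory dict stands in for an encrypted, access-controlled datastore; a real vault encrypts the PAN at rest under an HSM-managed key.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed example: a minimal tokenization vault with finite-lifetime tokens.
# Hypothetical names; the dict stands in for an encrypted, access-controlled store.
# Web servers, order databases and logs only ever see the token and the masked PAN.


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; rejects obvious typos before tokenizing."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the most a non-vault system should hold."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class VaultRecord:
    pan: str            # the full PAN lives only here (encrypt at rest in a real vault)
    expires_at: float   # absolute time after which the token is dead


class TokenVault:
    """Maps random tokens to PANs; tokens expire after a caller-chosen TTL."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                 # injectable so expiry can be tested deterministically
        self._records: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, ttl_seconds: int) -> Tuple[str, str]:
        """Return (token, masked_pan); raises on a PAN that fails the Luhn check."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # A random token reveals nothing about the PAN, unlike a hash or a format-preserving scheme.
        token = secrets.token_urlsafe(24)
        self._records[token] = VaultRecord(pan=pan, expires_at=self._clock() + ttl_seconds)
        return token, mask_pan(pan)

    def detokenize(self, token: str) -> Optional[str]:
        """Return the PAN for a live token, or None if the token is unknown or expired."""
        rec = self._records.get(token)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            del self._records[token]        # expired mappings are purged, not retained
            return None
        return rec.pan

    def purge_expired(self) -> int:
        """Housekeeping: drop every expired mapping and report how many were removed."""
        now = self._clock()
        dead = [t for t, r in self._records.items() if now >= r.expires_at]
        for t in dead:
            del self._records[t]
        return len(dead)


if __name__ == "__main__":
    vault = TokenVault()
    token, masked = vault.tokenize("4111111111111111", ttl_seconds=300)  # constructed test PAN
    print("store this in the order DB:", token, masked)
    print("vault resolves it while live:", vault.detokenize(token) is not None)
```

The design point is that only the vault process needs the PAN, so only the vault needs to be in PCI scope for stored data; everything else holds a token that is useless after the TTL and says nothing about the card even if the order database is copied wholesale.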

Take security scans with a grain of salt, but don’t ignore the glaring issues - are you putting a finding off because it’s not valid, or because fixing it is a lot of work?

The First Line of Defense:

Every online presence, Point of Sale system and organization has dozens of entry points to its data. Protect each one. Having a firewall does not by itself mean you are secure. The greatest threat to any organization is its own employees: they are already inside your environment and are considered trusted.
