Meeting the PCI Data Security Standard requirements mitigates threats


Diana Kelley
07.05.2005

What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business.

The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information. In response to growing concern among cardholders about identity theft and the potential impact on their credit records, the Payment Card Industry (PCI) published the PCI Data Security Standard. Organizations that missed the June 30 deadline to comply with the standard will be relieved to note that practicing the cornerstones of sound security -- integrity, availability, confidentiality, use control and accountability -- puts them well on their way to compliance. The PCI Data Security Standard was developed by Visa and MasterCard, and endorsed by other payment vendors including American Express, Diners Club and Discover. The Standard also includes the requirements from Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP). At a high level, the Standard requires merchants and member service providers (MSPs) who store, process or transmit cardholder data to:
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks

PCI Security Standard in practice -- Mitigating attacks

Security of cardholder payment information depends on providing integrity, availability, confidentiality, use control and accountability, each of which is met by a blend of the PCI Security Standard requirements. This tip calls out five common attacks and, for each, gives one example of how compliance with the PCI Standard can mitigate it.

Threat: Account tampering

Integrity -- Maintain a vulnerability management program
Data integrity relates to the correctness of cardholder information as it is entered, stored, processed and maintained. An integrity attack could involve accessing the records database and changing a cardholder's account information. For example, if a merchant application is vulnerable to a buffer overflow, an attacker could access and change a cardholder's payment record from "paid in full" to "unpaid." This attack could affect the cardholder's credit limit and finance charges. Or an attacker could install a Trojan horse on a system and leverage credit information to endorse unapproved transactions, thus violating the integrity of the transaction. Maintaining a vulnerability management program can help limit these attacks by keeping patches up to date. Using updated antivirus software should prevent installation of Trojans and other malicious software.

Threat: Merchant Web site outage

Availability -- Build and maintain a secure network
Availability means systems and accounts are available when needed. An intruder may conduct an availability attack by jamming the communication path between the merchant and the card company to prevent transactions from being processed. If a successful denial-of-service (DoS) attack is launched against a merchant Web site, that merchant is unable to process transactions and suffers business loss. By building and maintaining a secure network that is protected by one or more firewalls, availability attacks can be mitigated or prevented.

Threat: Account or identity theft

Confidentiality -- Protect cardholder data
A major threat for cardholders and merchants is exposure of the private cardholder information. For most CNP (card not present) transactions, such as online purchases, all that's required to make the purchase is the cardholder's name and address, the account number and the expiration date. If this information is not kept confidential, an attacker can obtain it and go on a shopping spree. The PCI Security Standard requires that merchants and service providers protect stored data and encrypt cardholder data in transit (using a mechanism such as SSL) across public networks. Using encryption to protect the confidentiality of the data reduces the threat.

Threat: Internal theft

Use control -- Implement strong access control measures
Unscrupulous insiders can steal cardholder and identity information, as can strangers who find loopholes in protection measures. Many companies associate a variety of trust levels with employees; for example, a temporary employee may not have the same trust level as a full-time one. However, if all employees have the same level of access to cardholder information, data theft can occur. By using internal access control measures, such as unique IDs and access restrictions based on business need, merchants and service providers can protect cardholder information at more granular and appropriate levels.

Threat: "Ghost" attacks

Accountability -- Regularly monitor and test networks
Attacks happen, and companies accept this as part of their overall risk posture. However, knowing who carried out an attack and being able to go back and place accountability for the exposure can be valuable. Accountability not only enables companies to fire employees or potentially prosecute external attackers, but also allows the company to trace how an attack occurred and make appropriate changes to network and system security to prevent future attacks. Accountability depends heavily on the access control measures described above, but it also relies on constant monitoring. Identifying attacks quickly allows system administrators to respond and potentially trace the attack before critical log and audit information is changed, obfuscated or otherwise erased.
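As an added example (not code from the original tip) tying together the use control and accountability practices above: a small Python store for cardholder records in which access follows business need, the account number is masked for readers who do not need it in full, and every access attempt, allowed or denied, is written to an audit trail keyed to a unique user ID. The role names, user IDs and records are constructed assumptions for the illustration.

```python
"""Added illustration, not code from the original tip: a minimal cardholder-record
store applying the 'use control' (business-need access) and 'accountability'
(audit trail keyed to unique user IDs) practices. Roles, IDs and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions granted per role, following business need (constructed roles).
ROLE_PERMISSIONS = {
    "billing_clerk": {"read_masked"},              # sees only the masked account number
    "fraud_analyst": {"read_masked", "read_full"},  # needs the full number to investigate
    "temp_staff": set(),                            # temporary employee: no cardholder access
}


def mask_pan(pan):
    """Show only the last four digits of the account number."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class CardholderStore:
    records: dict = field(default_factory=dict)    # record_id -> {"name", "pan", "exp"}
    audit_log: list = field(default_factory=list)  # append-only trail of every attempt

    def _log(self, user_id, action, record_id, allowed):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user_id, "action": action,
                               "record": record_id, "allowed": allowed})

    def read(self, user_id, role, record_id, full=False):
        """Return a record if the role's business need permits it; every attempt,
        allowed or denied, is logged against the caller's unique user ID."""
        needed = "read_full" if full else "read_masked"
        allowed = needed in ROLE_PERMISSIONS.get(role, set()) and record_id in self.records
        self._log(user_id, needed, record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not {needed} {record_id}")
        rec = dict(self.records[record_id])
        if not full:
            rec["pan"] = mask_pan(rec["pan"])  # protect stored data even for permitted readers
        return rec


def denied_attempts(store, user_id=None):
    """Filter the audit trail for denied accesses so monitoring can flag them quickly."""
    return [e for e in store.audit_log
            if not e["allowed"] and (user_id is None or e["user"] == user_id)]
```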

About the author
Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
