November 20, 2009

Clearing the Mystery of PCI Compliance (Part 3)

Posted by 2Checkout in Technology

We are at the half-way mark in becoming PCI Compliant. We took a little break for Fraud Awareness Week and now we are ready to “Maintain a Vulnerability Management System”. Our previous efforts have been focused on Building and Maintaining a Secure Network and Protecting Cardholder Data. We now have a firewall, clear policies regarding the type of information we will store, and the length of time we will store it. We even have encryption software and an SSL certificate. Congratulations!

Now, we need to Maintain a Vulnerability Management Program. This comes in two parts. First, we need to use and regularly update anti-virus software. Then, we have to develop and maintain secure systems and applications. I know what anti-virus software is, so let’s start there.

Before we look into AV software, I want to give one bit of basic Internet advice. If you don’t know or trust a person or site, don’t download ANYTHING they send you if you don’t have AV protection. The most common way of catching a computer virus is still opening email attachments. Most people have some anti-virus (AV) protection for their computers, but to be PCI compliant, we need to look into software that will protect every computer and device connected to the Internet through our network.

There are a number of companies that make anti-virus software, compile virus databases, and offer frequent updates. Most of these companies have PCI compliant versions of their software. The standard single-PC software will cost $50 – $75 for a year’s worth of automatic updates. Unfortunately, this level of protection, while typically excellent for home users, will not meet PCI compliance. Part of the reason for this is that PCI compliance requires that your AV software be able to monitor and generate reports detailing what viruses it has caught or contained. We need to look at the more robust offerings for business networks. The range of prices in this field is vast, from $350 to nearly $3,000 yearly. The top-end software is really more of an anti-virus “system” that protects mainframes and large networks, so we can breathe a sigh of relief and look a little lower on the price points. For covering a network with a few devices for one year, including unlimited updates and support, the average cost settles in at about $500 – $700.

The next standard, “Develop and Maintain Secure Systems and Applications”, requires a little more than picking anti-virus software that will meet your needs. Looking at the requirements to meet this standard, it becomes obvious that we either need to know our way around a network, or we need to get our networking expert back to test our network after each update, make sure that we have a separate part of the network used only for testing applications, and set up system monitors that watch our network. Because of the scope of this requirement, the next article will be devoted to addressing the various aspects of maintaining the security of our systems and applications.