November 26, 2009

Clearing the Mystery of PCI Compliance (Part 4)

Posted by 2Checkout Category Icon2Checkout Category IconTechnology

Last week we looked at Anti-Virus(AV) software. This provides us with a reasonable level of protection so that we can protect our customers’ information. However, new threats are always being released and we need to make sure we keep updated on the latest virus or new security threat. We also need to have a place to test out software and hardware updates, as well as a place to try new shopping carts, or new pieces of code that will make our business more efficient, profitable, or just easier. Let’s take a look at the PCI Requirements on how to develop and maintain secure systems and applications.

First, we need to make sure that our computers, firewall, and any other devices we have are all updated with vendor-supplied security patches. We also need to make sure that we install any future updates within one month of release. In our example, we have agreed to a contract with our firewall and anti-virus manufacturers for a years worth of free updates. Our web browser and operating systems will also provide us with security updates. So this is already covered. Good thing we think ahead! It is our responsibility to make sure we are aware of new security threats and take steps to counter them. It isn’t a good idea to rely on one source of information, one example of a free threat alert is from Bugtraq. Your anti-virus vendor should also provide you with updated threat reports. There are others, and I recommend checking at least two alerts every day.

Now, we need to make sure that our new updates, or any other new applications for that matter, will work on our network. Unless you are comfortable working on your network alone, you will need to hire a system admin for this. We need to have a completely separate environment to develop and test all security patches and system and software configuration changes before deployment. We need this separation because we cannot use or endanger our customers’ information. If a new piece of code for our shopping cart ends up being a security risk, it’s best to find that out before our customers use it. So, separate environments for all development, new programs, everything except processing the live sales.

After testing the updates, creating a back out plan and verification process (assuming they all work with no security risks) we are ready to move them over into the “live” environment. While you have your network admin available you will want to establish a variety of procedures for when you need to make changes using your new development environment. Essentially, you need documentation stating what is being developed/tested, who recommended the development, and what testing is being done to make sure it’s safe.

If we develop or use web software and applications we need to make sure they are based on secure coding guidelines such as the Open Web Application Security Project guidelines. We have to review custom application code to identify coding vulnerabilities for each new piece of code or application we use/update. This requirement also covers the prevention of common coding vulnerabilities in software development such as buffer overflows, improper error handling, insecure storage, and the dread denial of service. This is by no means a complete list of what we need to cover, but it gives a good place to start.

I have already established my limited knowledge regarding networking, so I looked for estimates on how long it will take for a network admin to complete this project. Unfortunately, different networks and needs make estimating this job particularly difficult. The minimum estimation I have is roughly 60 hours, but they can easily go as high as 300 – 500 hours.

Now that we have our network protected with AV software and a testing/development environment to make sure that everything is secure for our customers, we should be just about finished meeting the PCI standards. Well, we are half way through – the end is in sight.

Bottom Line for Steps 5 and 6:Time:
Networking – 100 – 500 hours

Business level Anti-Virus Software: $500-$700 (Includes one year’s worth of updates)
Network Admin $1,000 – $5,000 minimum. People who specialize in PCI Compliance often charge $250+ each hour of work.