December 11, 2009

Clearing the Mystery of PCI Compliance (Part 6)

Posted by 2Checkout. Category: Technology

This week, we move on from creating our secure network and start to develop a system to monitor the network, alert us if there is any suspicious activity, and regularly test our security procedures. We have moved on to two parts of PCI compliance that need to continue through the life of our company. These categories are more involved, both technically and administratively, than the requirements we looked at in past weeks. They address the fact that as new applications, operating systems, and technologies develop, new ways around existing security measures will develop as well.

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

The reason we need to have individual logins mentioned in last week’s article is so that we can limit, monitor, and track access to network resources and cardholder data. In the event of a security breach, these records allow us to find whose account was used to compromise the data and mitigate the damage done to our customers. We need to audit all accesses to customer data, review audit logs each day, and be able to reconstruct events that touch cardholder information. We also need to be able to provide detailed audit trails for all administrative events. An attempt to change system configuration for malicious purposes will be captured and can be traced back to the user. A central logging solution along with the policies we developed previously will allow us to track internal access to our network and record actions that take place.

Auditing of network access attempts and tracking of access logs is a critical aspect of this requirement. Most operating systems have very basic utilities that monitor and record events. For the most part, the event browsing and filtering capabilities provided by these utilities are limited and will not meet PCI standards. For instance, unauthorized access to a customer’s information will not, by default, alert anyone at the time the event is logged; it will only be discovered later when someone reviews the logs. Because of these limitations, we will need to look to outside companies for assistance.

Thankfully, we can find a number of Security Information Management (SIM) products that maintain comprehensive log management. These tools can automate collecting data, issue needed alerts, and give very detailed reports. SIMs will also help give us a baseline of normal network activity. We can use this information to establish rules to categorize events. When an event happens that falls outside of these rules, a SIM can trigger an alert letting us know of potential security violations. Many security information management products also provide default rule sets that classify events according to PCI requirements.
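To make the two ideas above concrete (reconstructing who touched cardholder data, and alerting on events that fall outside a baseline rule set), here is a small added example. It is illustrative code written for this article, not a product or a 2Checkout system. The log line layout, the field names, the baseline rules and the sample records are all constructed assumptions; a real SIM would ingest logs from many sources and ship with far richer rule sets.

```python
import re
from datetime import datetime

# Constructed sample audit records (not from the article). The key=value
# layout is an assumption; real systems use syslog, Windows event logs, etc.
SAMPLE_LOG = """\
2009-12-10T09:12:01 host=app01 user=jsmith action=read object=cardholder_db rows=3 src=10.1.4.22
2009-12-10T10:40:15 host=app01 user=mlee action=read object=cardholder_db rows=1 src=10.1.4.23
2009-12-10T02:13:44 host=db01 user=jsmith action=read object=cardholder_db rows=1500 src=10.1.4.22
2009-12-10T11:05:09 host=fw01 user=mlee action=config_change object=firewall_rules src=10.1.4.23
2009-12-10T11:06:30 host=fw01 user=root action=config_change object=firewall_rules src=10.1.1.5
2009-12-10T12:00:00 host=app01 user=tnguyen action=read object=cardholder_db rows=2 src=10.1.4.40
"""

# Hypothetical baseline of "normal" activity, the kind a SIM would learn or
# that an administrator would configure after reviewing a few weeks of logs.
BASELINE = {
    "cardholder_readers": {"jsmith", "mlee"},  # accounts allowed to read card data
    "config_admins": {"root"},                 # accounts allowed to change configs
    "business_hours": (8, 18),                 # [start, end) hour of day, local time
    "max_rows_per_read": 100,                  # larger reads look like bulk export
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text):
    """Turn each log line into a dict; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the pipeline
        ev = {"ts": datetime.fromisoformat(m.group("ts"))}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            ev[key] = value
        if "rows" in ev:
            ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def access_trail(events, obj="cardholder_db"):
    """Requirement 10 style reconstruction: who did what to a given object, in order."""
    trail = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("object") == obj:
            trail.setdefault(ev["user"], []).append(
                (ev["ts"].isoformat(), ev["action"], ev.get("rows"))
            )
    return trail


def evaluate(events, baseline=BASELINE):
    """Apply baseline rules; return one (timestamp, user, rule) tuple per violation."""
    alerts = []
    start, end = baseline["business_hours"]
    for ev in events:
        user, action = ev["user"], ev["action"]
        when = ev["ts"].isoformat()
        if action == "read" and ev.get("object") == "cardholder_db":
            if user not in baseline["cardholder_readers"]:
                alerts.append((when, user, "unauthorized_access"))
            if not (start <= ev["ts"].hour < end):
                alerts.append((when, user, "off_hours_access"))
            if ev.get("rows", 0) > baseline["max_rows_per_read"]:
                alerts.append((when, user, "bulk_read"))
        elif action == "config_change" and user not in baseline["config_admins"]:
            alerts.append((when, user, "unauthorized_config_change"))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for who, actions in access_trail(evs).items():
        print(who, actions)
    for alert in evaluate(evs):
        print("ALERT", *alert)
```

Run against the sample, the trail shows every account that read the cardholder database and when, which is the record an investigator needs after a breach, while the rule pass raises four alerts: the 02:13 read by jsmith trips both the off-hours and bulk-read rules, mlee's firewall change is flagged because that account is not an administrator, and tnguyen's read is flagged as unauthorized. The point is not the particular rules but that each alert is generated when the event is logged rather than found weeks later in a manual audit.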

Now we need to plan to test our network and security measures at least once each year. It is important to note that we cannot use actual customer data for these tests. While your computer may be safe now, new ways to compromise your computer and new vulnerabilities are constantly being developed or discovered. It is important to test your systems and your network to make sure your customers’ information is as safe as it can be. This is not the same as testing new applications as discussed previously.

When it comes to scanning our systems for vulnerabilities, we need to use the right tools and techniques to expose vulnerabilities in devices on both wired and wireless networks. There are a number of security risks linked to wireless devices, weak encryption methods, and the lack of employee security awareness. Therefore, we need to test everything that touches customer information – from how easily our network can be compromised to how we access the data. The Payment Card Industry requires that we have a “PCI approved” company perform an external scan of our system to determine our general safety.

It is important that our software and hardware get regularly patched with the latest security updates. In addition to the regular patching process, our network and applications can be protected from security threats by the consistent use of vulnerability scanners that can see all of the applications and devices on the network, identify vulnerabilities, and supply information to resolve them. However, scanning our network will not reveal every potential vulnerability. To know how well we can detect and counter unwanted access to our systems, we need to perform a penetration test that measures how well we can respond to and withstand an attack. This test exploits vulnerabilities so we can determine the actual risk that any particular vulnerability poses to our specific system. PCI requires an annual external penetration test. This test is in addition to our regular scanning and audits of our security logs.

To comply with these particular PCI requirements, we will need to provide some financial investment in a Security Management System and a vulnerability scanner. We will also need to invest time finding a specialist to perform a penetration test correctly. Thankfully, we decided to have our firewall and software applications automatically update with security fixes. This lets us be sure that what we are testing is the most up-to-date security for our particular system.


  • Central Logging Solution – Starts at $5,000
  • Security Information Management – I found many companies willing to offer quotes, but no baseline costs.
  • Quarterly external scan – As above, due to the complexity and variety of networks, pricing will be highly varied
  • Vulnerability Scanner – Roughly $1,200 per year
  • External penetration tests minimum $10,000 per year, likely much more than that