For years, the financial services industry was the most targeted industry for sophisticated cyber attackers (and some not so sophisticated). This was never too surprising—attackers often follow the money, starting with the low hanging fruit. Out of all the credit card breaches that have been made public in the last several years, not many (if any) companies were truly compliant with Payment Card Industry Data Security Standards (PCI DSS). At the same time, being compliant also doesn’t mean that you are truly protecting the data that is important. Any company dealing with credit card transactions knows PCI compliance can cause major headaches. They key is to implement a plan for evaluation, remediation and ongoing management.
You’ve Spoken to a QSA—Now What?
The greatest PCI compliance challenge for any companies conducting credit card transactions is defining scope—which parts of your network actually need to adhere to PCI? You might have 500 or 1,000 people in your company on a 1Gb connection. But your PCI scope could be just 50 endpoints generating 10Mb of traffic. The cost differences from a security standpoint are massive, so defining your scope is a critical first step to compliance.
This is why you work with a Qualified Security Assessor (QSA) before upgrading your cyber security infrastructure. A QSA will conduct a comprehensive analysis of your existing environment and provide a gap assessment for achieving compliance. However, the results of a security assessment are often overwhelming—especially for organizations that have never had these security considerations before. Many companies don’t have the staff or security budget to completely overhaul their infrastructures, and may not need to. But, getting your scope and gaps properly identified first is going to set you in the right direction.
A QSA will definitely help you with this, but having an understanding of where your data exists and how you intend to monitor and secure your environment helps as well. Partnering with an MSSP is also an easy and effective way to get help in addressing PCI compliance issues and implement your controls properly. Rather than suffering through a list of objectives from a QSA, you can work with people who have expertise and experience in proper compliance implementation.
There’s More to PCI Compliance than the Data Security Standard
What we are starting to see across the industry is that there are overlapping security requirements, sometimes requiring organizations to comply with multiple frameworks simultaneously. At the end of the day, these all have the same goal in mind; protect the data and implement best-practice security measures. A great example in New York is the newly implemented Regulation 500 from the New York Department of Financial Services (DFS). For the more traditional financial services companies, this is just another regulation to manage. But for SMBs, Regulation 500 will bring entirely new, more specific, rules to comply with; possibly in addition to PCI and in some cases HIPAA.
Here are a couple key points that should be considered for most compliance programs:
- Have a plan to analyze all of your Internet traffic – Ingress and Egress traffic can tell you a great deal about the behavior of your environment and is required in most cases to help identify potential attacks.
- Create a plan to implement a SIEM or to collect your logs and analyze them on a daily basis (or more). This will cover a large number of compliance requirements in any framework, but is not an undertaking that should be taken lightly – it can be a complex process and takes a great deal of planning to implement properly.
- Do internal AND external vulnerability assessment and identify what can be fixed programmatically, while prioritizing fixing issues that are the highest threats.
- Evaluate the resources you have available to help with implementing these compliance controls as well as managing them long term – they take ongoing care and feeding to be done properly and truly get value out of them.
Choosing a security partner or MSSP that understands emerging regulations like PCI and NY 500 is a great way to get help with compliance management as well as identifying and reducing overall cyber risk. In addition to this understanding of your specific compliance needs, your MSSP must have the proper equipment to implement the necessary infrastructure for your scope.
Whether utilizing a SIEM, IDS, IPS, firewall, and/or any other tools to meet compliance, having TAPs and packet brokers in place to filter company-wide traffic into these tools is essential.