PCI Compliance is not just a ‘one off’ quick fix
Posted by SecExtra on March 6th, 2008

The landscape of the retail industry is changing. Until recently, distribution was the sector’s principal focus. Today, however, following a series of major security breaches involving personal data, securing business information has also become a key issue, particularly in the context of corporate reputation and operational excellence. Dr. Anton Chuvakin, Chief Logging Evangelist at LogLogic, explained more to us…

PCI DSS (the Payment Card Industry Data Security Standard) compliance, which addresses the protection of cardholder data, is a recent phenomenon: the PCI standard was launched in 2004.

Prior to this, individual card brands managed their own security standards governing the processing and handling of cardholder data. The most widely known was Visa’s Cardholder Information Security Programme (CISP), which originally targeted its top 100 international merchants and asked them to validate transactions against its own locally-introduced programmes. Despite best intentions, CISP never really got off the ground.

Realising that brand-specific programmes were not going to work, and would not be scalable on the merchant side, the five major card brands came together to form the PCI Security Standards Council and the PCI Data Security Standard. The standard provides a process for retailers to identify at what stage in the purchasing process a cardholder’s data risks being compromised. It also provides information on the relevant controls that can be implemented to prevent this from occurring. In a nutshell, it operates to validate and secure the entire chain of payment card processing.

On the face of it, the standard appears straightforward, with a short downloadable manual for retailers. However, those who research it thoroughly will note that it is made up of a myriad of security audit procedures affecting many areas of the business, both technical and otherwise.

Maintaining the standard, and providing training, certification, and related information, is the responsibility of the PCI Standards Council. Originally, the Council imposed fines on companies that did not validate compliance. However, many retailers argued that achieving compliance would require rebuilding their entire IT infrastructure, and that, given the heavy upfront cost of doing so, many would find themselves being fined.

Additionally, a rewards-based approach has since been introduced, whereby cash payments are offered to those who demonstrate that they are PCI compliant, or their interchange fees are lowered. In the USA, Visa announced it would offer $20 million in financial incentives to create new sanctions in an effort to further merchant compliance, through its Visa PCI Compliance Acceleration Programme (PCI CAP).

With the introduction of these types of schemes, retailers no longer need to view avoiding a fine as the only reason to become compliant. Instead, the driver for compliance is the opportunity to boost the bottom line, which makes the investment needed to meet the standard more easily justified.

One mustn’t forget that the overriding theme of PCI compliance is the need to protect cardholder data. The revised standard works towards ensuring that this will happen within a shorter timeframe. In Europe, the enforcement of PCI compliance has not been aggressive: instead of retailers having to demonstrate immediate compliance, they will need to show levels of risk mitigation.

Overall, one of the main problems we at LogLogic find is that when companies take on PCI compliance as a goal, or even as “a checkbox”, there is a tendency to focus too heavily on technology. Some organisations believe that if they implement one piece of software or hardware, this will offer the entire solution to PCI. Instead, retailers must embrace the notion, and the reality, that PCI compliance is an ongoing process: requirements need to be met on a daily, weekly, and annual basis. Business processes therefore need to change, and resources for a one-off project are not enough. If companies do not have the relevant support, they need to address this so that the business can be operated this way on an ongoing basis. Becoming PCI compliant means making changes to the operation of a business; it is not just about implementing new technology.

Improving security levels will in turn have a positive impact on the business as companies such as Visa introduce incentives or lower interchange rates. The more support PCI compliance has from across the business, from IT to board level, the more successful it will be.

Now is the time for retailers, at all levels, to embrace PCI compliance. Failure to do so may not result in legal action, but it will potentially put your customers’ data at risk.

LogLogic’s log management solution enables retailers to collect and retain information and audit trail data throughout the payment card transaction process. The solution collects the log event information from processing systems and the other tools required for PCI compliance and, through its reporting and alerting functions, helps to validate those other tools and processes. PCI auditors will ask questions like ‘what are you doing with your logs?’ and ‘how do you react to them?’ Business leaders today are required to know exactly what goes on across an organisation.

New threats will always emerge; that is the nature of information security. When it comes down to staying on top of the game, implementing solutions that protect customers’ data will bring massive benefits to any organisation.

The following offers a top-line guide to the typical areas of operational change and improvement associated with successful PCI compliance:

• Formalisation and improvement in change management process
• Identity and access management (at a business process level – employee provisioning/de-provisioning and handling data/system access authorisations)
• System and network monitoring (daily operational procedures around log review, etc.)
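To make the last bullet, and the auditor’s questions quoted above (‘what are you doing with your logs?’ and ‘how do you react to them?’), concrete, here is an added illustration of what a daily log review might look like in code. It is not LogLogic’s product or any code from the original post: the log lines, host names, user names and addresses are constructed for the example, and the thresholds are arbitrary assumptions. It covers the two things an auditor tends to probe: whether the logs from every in-scope system actually arrive (a collection gap is itself a finding), and whether someone reacts to what is in them (here, repeated failed logins followed by a success).

```python
"""Daily log review illustration (added example; constructed data, not LogLogic code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like layout. Host names, users and
# addresses are hypothetical; nothing here comes from the original post.
SAMPLE_LOG = """\
2008-03-05T08:01:10 pos-01 sshd: Failed password for admin from 10.0.5.23
2008-03-05T08:01:14 pos-01 sshd: Failed password for admin from 10.0.5.23
2008-03-05T08:01:19 pos-01 sshd: Failed password for admin from 10.0.5.23
2008-03-05T08:02:02 pos-01 sshd: Accepted password for admin from 10.0.5.23
2008-03-05T09:15:00 pos-02 sshd: Failed password for clerk from 10.0.7.4
2008-03-05T13:40:00 pos-02 sshd: Accepted password for clerk from 10.0.7.4
2008-03-05T23:59:00 db-01 cron: daily backup finished
"""

# Hypothetical systems in the cardholder-data environment that must report every day.
EXPECTED_HOSTS = {"pos-01", "pos-02", "db-01", "fw-01"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, host, program, message), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def review(log_text, expected_hosts=EXPECTED_HOSTS,
           fail_threshold=3, window=timedelta(minutes=10)):
    """One day's review. Returns a list of (severity, message) findings in order."""
    findings = []
    seen_hosts = set()
    unparsed = 0
    failures = defaultdict(list)   # (host, source) -> timestamps of recent failures
    flagged = set()                # (host, source) pairs that already tripped the threshold

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            unparsed += 1
            continue
        ts, host, program, msg = parsed
        seen_hosts.add(host)
        auth = AUTH_RE.match(msg)
        if not auth or program != "sshd":
            continue
        outcome, user, src = auth.groups()
        key = (host, src)
        if outcome == "Failed":
            # Sliding window: keep only failures within `window` of this one.
            recent = [t for t in failures[key] if ts - t <= window]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= fail_threshold and key not in flagged:
                flagged.add(key)
                findings.append(("medium",
                    f"{len(recent)} failed logins to {host} from {src} "
                    f"within {int(window.total_seconds() // 60)} min"))
        elif key in flagged:
            # A success right after a burst of failures is the line to react to first.
            findings.append(("high",
                f"successful login as {user} to {host} from {src} "
                f"after repeated failures"))

    # Collection gap: an in-scope system that produced no log lines at all today.
    for host in sorted(expected_hosts - seen_hosts):
        findings.append(("high", f"no log events received from {host}"))
    if unparsed:
        findings.append(("low", f"{unparsed} line(s) could not be parsed"))
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the review reports the three-failure burst on `pos-01`, the successful login that followed it, and the silence of `fw-01`; the single failure on `pos-02` four hours before a normal login is correctly left alone. The point is the shape of the routine, not the thresholds: the same review has to run every day, its findings have to reach someone who acts on them, and the list of systems expected to report has to be kept current as the business changes, which is exactly the operational, rather than purely technological, commitment the article describes.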

Dr Anton Chuvakin (http://www.chuvakin.org) is a recognised security expert and book author. In his current role as Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research, and influencing the company’s vision and roadmap.

A frequent conference speaker, he also represents the company at various security meetings and standards organisations. He is an author of the book “Security Warrior” and a contributor to “Know Your Enemy II”, “Information Security Management Handbook”, “Hacker’s Challenge 3”, “PCI Compliance” and an upcoming book on logs. Anton has also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs, such as the one at http://www.securitywarrior.org


This entry was posted on Thursday, March 6th, 2008 at 1:12 am and is filed under IT security.
