Beyond Compliance: using PCI DSS to improve overall security

With the hack attacks of 2013 affecting payment data from US merchant giants like Target and Neiman Marcus, now is the time for commercial retailers worldwide to take a closer look at the security of their Point of Sale systems – or face the risk of becoming the next victims.

Target’s case alone exposed debit and credit card information from as many as 110 million customers, so there’s no wonder that the devastation of these attacks has prompted many retail businesses to review their compliance with Payment Card Industry Data Security Standards (PCI DSS). It comes at a relevant time too, with the updated guidelines – PCI 3.0 – going into effect just last month.

The PCI DSS compliance standard serves to protect the confidential user information behind credit card transactions – specifically, card numbers, expiry dates and card holder names. Compliance with these standards is a legal requirement, but it’s important to realize that the PCI mandate dictates an absolute minimum set of standards. This means that while organizations might be compliant with PCI, they may not necessarily be secure. Achieving both is the path to not just PCI compliance, but also to commercial success.

The entire process of PCI DSS, which is based around 12 requirements, can understandably be quite overwhelming to merchants. Fortunately, there are best practices that IT administrators within the payment card industry can follow, which make it much easier to maintain both compliance adherence and security.

AV Protection is Still Not Enough
Deploying up-to-date anti-virus and firewall solutions is a great first start at preventing malicious exploits, like those used in the Target breach, from infiltrating corporate systems. But the reality is that an egg-shell approach to security with perimeter defenses being secure while the internal defenses are weak, is simply not enough to prevent advanced attacks. The updated PCI guidelines now recognize this, dictating that AV systems should be configured so that users cannot disable or uninstall them. But even with the inbuilt anti-tamper mechanisms that come with many of these solutions, users with administrative privileges have the power to alter these configurations and even disable them. If users are able to find a way around the network’s perimeter security, so can the malware that compromises their accounts. There is always a back door into your network if you operate with admin rights, and malware writers know this.

Privilege Management: A PCI Essential
It’s not just the requirement around AV solutions that demands control of administrative privileges – several other PCI features do as well. Requirement 7, for instance, states that merchants must restrict access to cardholder data by business need-to-know; meaning that access rights should be granted only to the amount of privileges required to perform the job, and no more. Additionally, privileges should be assigned by job classification and function. Remote workers, for instance, are usually prime candidates for privileged accounts, as it’s often difficult for them to receive immediate IT support while away from the office. The irony here is that home networks are usually less secure than the business office environment.

Similarly, the Monetary Authority of Singapore (MAS) TRM guidelines for financial institutions, also encourage restricting the number of privileged accounts and only granting them on a ‘need-to-have’ basis.

The tight emphasis around control of privileges in the PCI guidelines and others is well-justified, as unchecked privileged accounts within an organization pose huge consequences. When excessive administrative rights are granted, the organization automatically opens itself up to security threats. Internally, there is greater opportunity to make system tweaks, opening the network and the corporate data it holds up to compromise, even unknowingly. A recent report found that 45 percent of IT security professionals have experienced server outages due to configuration errors by server administrators. At the same time, only 20 percent were aware of just how many admins were running with privileged accounts. In fact, Gartner estimate that 3-5% of an organization’s endpoints are compromised at any time.

Management – not Restriction – of Privileges
Removing administrative rights across the board seems to be an obvious solution that addresses both compliance adherence and security objectives. But full removal of privileges without adequate management controls in place or in depth planning has big implications for productivity. What happens if users need to complete a particular task, but lack the administrative rights necessary to do so? They are likely to make a support call to the IT help desk. As well as causing frustration, it quickly becomes an extremely burdensome and costly strain on IT resources.

Instead of removing administrative rights completely, the answer lies in the effective management of privileges as part of a defense in depth security approach. Organizations are increasingly adopting the methodology of least privilege management, where privileges are removed from the user and instead assigned directly to applications and OS executables, and elevated only when needed. With this model, users can log into corporate systems on standard user accounts, making it significantly more difficult for malware to compromise systems via a privileged account, without compromising on user flexibility or productivity.

By ensuring that privilege management is deployed as part of the wider security stack, organizations can ensure they are not just adhering to compliance standards, but are improving their overall security architecture at the same time.