NetSPI Information Security Consulting
NetSPI Blog


Common Compliance Hurdles Part 1: Increased PCI Scope

Tuesday, March 30th, 2010

Looking over the findings of the last few dozen PCI gap assessments that NetSPI has performed, I am struck by the fact that today, well into version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS, or just DSS), one of our most common findings remains increased scope due to a lack of network segmentation. For example, we have seen numerous merchants with relatively simple payment processing environments that nonetheless have a very large and complicated PCI scope and must bear the associated costs (e.g., developing and applying hardened system configurations, paying for external scanning services, etc.). In some cases, the merchant may not even have a real business need to store cardholder data (i.e., they could simplify their business processes and complete Self-Assessment Questionnaire C rather than the much longer SAQ D), but even when they do, the scope of compliance is often far larger than necessary. Limiting the scope of the systems that are required to meet PCI DSS compliance gives merchants and service providers the best “bang for their buck” in reaching their compliance goals, yet many merchants struggle with defining and implementing the controls necessary to do just this.

The first step in reducing PCI scope through segmentation is to determine exactly which systems store, process, or transmit cardholder data. While this may be very straightforward for some organizations, creating a cardholder data flow diagram is helpful in more complex environments. Once cardholder data systems have been identified, a process of isolation and segmentation can begin. Ideally, cardholder data systems should be segregated in a “PCI island” behind a stateful firewall, and Internet-facing systems should be placed in a separate DMZ segment. Once these major changes are in place, locking down and documenting the firewall ruleset, implementing the necessary management processes, and the other items detailed in Requirement 1 are much easier to address.

Though this process may look simple on paper, it can often involve the rearchitecture of not just the network but also individual systems, as PCI-related applications and functions should be isolated from other business functions (e.g., a database containing a parts inventory along with invoicing and payment information should be separated into individual databases in isolated network zones).  However, through proper segmentation, merchants and service providers can significantly reduce the cost and scope of compliance and need only apply the DSS to systems and devices that store, process, or transmit PCI data.
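To make the scoping effect concrete, here is an added example (my own illustration, not NetSPI's code or any PCI SSC tool) that models the steps above: hosts are tagged from the data flow diagram with whether they store, process, or transmit cardholder data, the stateful firewall is modeled as an allow-list with an implicit default deny, and the script computes which hosts fall into scope. A host is in scope if it handles cardholder data itself, sits in the same segment as one that does, or is allowed by the firewall policy to reach one. All host names, zones, and rules are constructed sample data, and the check considers only direct reachability, not multi-hop paths through management hosts.

```python
"""Toy PCI scope calculator (added example; constructed data, not real topology)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    handles_chd: bool = False  # stores, processes, or transmits cardholder data


@dataclass
class Policy:
    """Stateful firewall allow-list between zones; anything not listed is dropped."""
    rules: set = field(default_factory=set)  # (src_zone, dst_zone, dst_port)
    flat: bool = False  # True models a network with no internal firewall at all

    def allows(self, src: Host, dst: Host) -> bool:
        # Hosts on the same segment talk freely: there is no enforcement point.
        if src.zone == dst.zone or self.flat:
            return True
        return any(s == src.zone and d == dst.zone for s, d, _ in self.rules)


def pci_scope(hosts, policy) -> set:
    """Return names of hosts in PCI scope: CHD hosts plus any host that can reach one.

    Only single-hop reachability is checked (assumption for this example);
    chains such as corp -> jump host -> CDE need a separate review.
    """
    chd = {h for h in hosts if h.handles_chd}
    connected = {
        h for h in hosts
        if any(policy.allows(h, c) for c in chd if c != h)
    }
    return {h.name for h in chd | connected}


# Constructed inventory, as a data flow diagram exercise would produce it.
HOSTS = [
    Host("pos-01", "store", handles_chd=True),        # point of sale, transmits CHD
    Host("web-01", "dmz", handles_chd=True),          # Internet-facing checkout page
    Host("db-payments", "cde", handles_chd=True),     # stores CHD
    Host("log-collector", "cde"),                     # no CHD, but lives in the CDE segment
    Host("db-inventory", "corp"),                     # parts inventory, split off from payments
    Host("hr-fileserver", "corp"),
    Host("print-server", "corp"),
    Host("jump-01", "mgmt"),                          # admin jump host
]

# Before: one flat network, no firewall between payment and business systems.
FLAT = Policy(flat=True)

# After: PCI island behind a stateful firewall, DMZ for Internet-facing hosts,
# corporate LAN reaches neither the CDE nor the DMZ directly.
SEGMENTED = Policy(rules={
    ("store", "cde", 443),
    ("dmz", "cde", 443),
    ("mgmt", "cde", 22),
    ("corp", "mgmt", 22),
})


def main():
    for label, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        scope = pci_scope(HOSTS, policy)
        print(f"{label:10s} in-scope hosts ({len(scope)}): {sorted(scope)}")


if __name__ == "__main__":
    main()
```

On the flat network every host is in scope, including the HR file server and print server. With the segmented policy, scope shrinks to the three hosts that handle cardholder data, the log collector that shares the CDE segment, and the jump host that is permitted to SSH into it; the inventory database separated from the payments database drops out of scope, which is exactly the cost reduction the post describes.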


Security, Compliance, and the New Retail Economy

Monday, September 21st, 2009

As the PCI Community Meeting is set to start tomorrow, I have been thinking about the current state of the retail marketplace and what that means for NetSPI’s focus–security and compliance.

During the down economic times no retailer really came through unscathed. Everyone suffered to some degree, but even during the most difficult periods of this recent recession, retailers that were well-run and focused on a strategic vision managed to weather the storm and to prepare themselves for the coming improvement in market conditions.

Interestingly enough, during this same period the attitude towards compliance and security also shifted within the management ranks at these same organizations. What was once something they hoped to avoid became not just accepted, but in some ways welcomed. The realization that compliance and security were not just checklist items, but rather could provide strategic advantage really sank in, and these leading retailers began to use the requirements of PCI (for example) to re-invigorate broader security initiatives and to use any technical or policy adjustments as opportunities to simplify their security scope and implement better overall security policy.

NetSPI’s retail clients expanded their security efforts during these poor economic times and now sit in a position where they can leverage that effort into a better experience for their customers as well as for their own employees. For them it was another facet of their plan to better position their company to lead in an improved economy.

We are now starting to see that trend expand to retail organizations that have been harder hit during the recession. Organizations that are in transition are also starting to see the light and to understand that, by taking a strategic approach to compliance and security, they will ultimately position themselves to fit better with the new attitudes of consumers. Consumers are not as brand-loyal as they were before the economic challenges and are far less forgiving of a retailer that doesn’t take their private information seriously.

With the economy showing signs of improvement, a rebirth is beginning in the retail space. Activities that have been conspicuously absent for the last few years–acquisitions, major technology investment, location expansion, and even IPOs–are starting to make headlines in the trade magazines and the broader press. This is a good sign for both the retail community and our economy at large, but the organizations that will take the lead over the next few years and separate themselves from the pack are those companies that have both a strategic vision (which includes security) and the ability to execute effectively.
