PCI's Post-Audit Pain Points
Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished
By Bill Brenner, Senior Editor
Serg Anishchenko, the technical manager at a company in Hungary, offered a "funny" example of how clueless upper management can be:
"They were sure I would be able to fix the system alone in a couple of weeks," he says of the top brass at his company. "Another challenge is working out a roadmap to find the easiest way to get compliant and stay that way for the longest period of time."
Tim Holman, senior consultant at QCC Information Security Ltd. in the UK, says PCI security is still generally being seen as an IT security project, lacking buy-in from senior management, which "leads to all sorts of fun and games." Taking credit card payments is rarely seen as a risk at the board level.
Documentation, please
The second-biggest ongoing challenge security pros mentioned is log management and documentation. Auditors rabidly digest those logs during audits, and they are a critical tool for spotting security holes and attempted breaches. Unfortunately, good log management isn't an easy process to maintain.
"My experience with PCI DSS compliance showed that documentation is a problem. Merchants could have good security installations, but it's a problem to write policy for change management procedures," says Dmitriy Tsygankov, director of the corporate customer care center at Swedbank in Ukraine. "It's not difficult to change IP tables or to buy a new server, but it's much more difficult to use and control all procedures" once they are in place, according to the documentation procedures.
Survival tips
Blander says there are a host of other PCI challenges companies continue to wrestle with. For one thing, he says, the sheer scope of remediation can be overwhelming, given that the standards are so broad. "For a retailer that means all stores (typically in the many hundreds)," he says. "The sheer cost of addressing that large a scope is a factor given the current state of retail. This doesn't make the standards bad, just a challenge to tightening budgets and limited resources."
His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.
"File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency," he says, noting that's good for business as a whole.
Griffiths has experienced many of the challenges listed above. But he remains confident in his organization's ability to do right by PCI security.