PCI's Post-Audit Pain Points
Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished
By Bill Brenner, Senior Editor
November 05, 2008 — CSO —
Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.
For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.
"Log management, while necessary, has turned out to be the biggest issue for us," says Atwell, who is based in the Raleigh-Durham, North Carolina area. "Partnering with a good vendor helps, but when you're starting from scratch, it's a big project."
Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company's UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.
"Database encryption is turning out to be a huge project in itself," Minhas says. "A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It's a bit hard to get everyone to prioritize this project over everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions."
The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.
"Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year," says one network security administrator for a company in New York City, who asked that his name not be used because he was not authorized by his company to speak on the issue. "There's a perception that PCI-compliant shops are perfect."
The upper management problem
Others polled by CSOonline reported running into the same wall he spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles, says he has seen the problem up close.
"Having worked on two PCI projects, the biggest challenge is typically management's view, 'Well, we're compliant, so we're done,'" he says. "Some parts of management understand the 'why' of PCI, but don't understand overall risk management. Maintaining attention after the fact is the biggest challenge."