In Depth

Lightening the PCI Load: Solutions to Reduce PCI Scope

Expert guidance on saving time and money by carefully scoping PCI validation efforts

By David Mundhenk and Ben Rothke

Page 3

In some instances the network traffic generated by such malware infected systems can be so intensive as to effectively reduce or even completely consume all available network bandwidth. The net result can be the impaired performance of all production systems including those processing credit card payments. Having the appropriate anti-virus/malware protection implemented in both PCI and non-PCI environments protects both and offers measurably enhanced protection for CHI systems.

Consider another similar example with a Point of Sale (POS) system. A customer swipes their credit card through a card reader integrated within a POS system. The cardholder information is supposedly encrypted at the swipe via a PCI compliant encryption scheme, and the information is sent to the gateway for a payment processor and not decrypted until it reaches the processor network. The $64,000 question is this: is the POS system out-of-scope for PCI?

Many people, even including some POS vendors, would say "Of course not". The truth is that they are absolutely in-scope for PCI, because it is processing cardholder data. It does matter that it is encrypted; however, the fact that the data is encrypted does not absolve the POS system from PCI compliance requirements. It is incumbent upon the merchant and especially any QSA reviewing such an implementation to validate that the data resulting from the card swipe is properly encrypted. They should ensure that there is no data leakage in the process.

If the POS system is Windows-based, then an appropriate anti-virus product should be installed as a part of the POS image. The POS image should also be appropriately updated with relevant operating system security patches in a timely fashion. If this is not possible (often due to POS resource consumption constraints) then some other malware vulnerability controls must be implemented.

The fact that anti-virus software is inadequate for POS implementations or other resource constrained systems is not a new problem. Two years ago, articles such as The decline of antivirus and the rise of Whitelisting started appearing. Some firms propose using application white-listing as a possible substitute for anti-virus/malware prevention and this solution has been given serious consideration by both QSAs and the PCI SSC (Security Standards Council).

Also, if the POS is IP-based and is networked, then it should also be scanned for possible vulnerabilities. Once again, in this instance the PCI scope has been reduced since the cardholder data is encrypted as a part of the card swipe process, however, the POS system is still very much in scope for PCI compliance requirements. Nonetheless, in such a scenario one cannot simply remove the POS device(s) from PCI scope consideration simply because the CHI is encrypted at the reader and the POS does not have the resources to support malware detection capabilities. The cumulative effect of requiring that all systems, personnel, and business processes become compliant with all relevant PCI requirements, namely regarding the storing and/or processing of cardholder data, is considered to be the scope' of PCI compliance and validation.

PCI

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors