by Kristyan Mjolsnes
December 17, 2012 1:00PM
The Payment Card Industry Security Standards Council has tried many different approaches to getting merchants interested in PCI compliance. In an effort to grab merchants’ attention, the PCI SSC has put out animated videos that rely more on humor than on the typical dry education and information. The videos still provide insight into what PCI compliance is, but they do so in a fun, light-hearted manner.
The first video the PCI SSC released was PCI Data Security Standards Rock. The video took the complex task of the PCI compliance requirements and simplified the message. The entire video is conveyed through song and focuses on the basic concepts of all 12 requirements using humor and imagery to keep viewers’ attention.
The latest video released by the PCI SSC is The Evolution of Payment Card Security. This video shows silly ways in which security practices may have evolved over time as they relate to payment cards (or, as the video's caveman calls them, the payment rock). The video is very entertaining. Check it out for yourself!
by Dave Gavic
December 13, 2012 7:00AM
If you store, process or transmit credit card data the PCI DSS requires you to have vulnerability scans performed on a quarterly basis both internally and externally. Vulnerability scans help to detect threats to your cardholder data environment and act as a way to monitor the security of your network.
By definition, vulnerability scanning is the automated process of proactively identifying vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. External and internal vulnerability scanning are two different processes which are performed separately. Therefore, it is important that you as a merchant understand the difference.
External Vulnerability Scanning
The easiest way to explain external vulnerability scanning is to think of it as a security guard that drives around a building to make sure that there are no open doors or broken windows that could pose as a way for an individual to gain unauthorized access into the building. In other words, external scanning is evaluating the security of your network from the perimeter of your firewall device. Whatever goes into or out of your network will be identified and assessed by this scanning process.
When vulnerability scans are performed, they scan the target IP address and check whether anything is exposed to the internet and whether any exposed service is vulnerable to exploitation. External vulnerability scanning, according to the PCI DSS, must be completed by an Approved Scanning Vendor (ASV). SecureConnect is one of the 133 companies that have received this ASV certification. We perform thousands of external vulnerability scans per year as one of the services offered to help merchants in their PCI compliance efforts. (more…)
by Dave Gavic
November 16, 2012 2:45PM
Implement Strong Access Control Measures
Requirement 8 of the PCI DSS: Assign a unique ID to each person with computer access – Part 1
The PCI DSS says that, “Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.”
Usernames, passwords, two-factor authentication, biometrics, user access, password policies; are you overwhelmed yet? After reading this blog I hope you find requirement 8 of the PCI DSS a bit more user friendly. I have worked with a number of merchants, even some POS vendors, who do not understand the importance of unique usernames and passwords. Having your users set up with unique usernames and passwords is going to make things significantly easier to manage, monitor and track if something were to go wrong. I have broken requirement 8 into two manageable blog parts due to the amount of detail and information involved with the requirement. Part one of this two-part blog will focus on the importance of having your users set up with unique user IDs and passwords, and how that will help you manage your environment more easily. (more…)
by Dave Gavic
August 17, 2012 3:30PM
Maintain a Vulnerability Management Program
Requirement 6 of the PCI DSS: Develop and maintain secure systems and applications
Requirement 5 of the PCI DSS covers malware and how to best protect yourself from inviting or sending malicious software in and around your network. Requirement 6 takes it a step further and talks about keeping all of the software that is used on a daily basis up to date. It is imperative that you apply all current security patches to every piece of software that you are using within the credit card environment.
Requirement 6.1 reads: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
It is a common misconception that if a merchant has their Microsoft Windows embedded terminals and Windows-based computers set to automatically download and install Windows updates, they have met this requirement. However, requirement 6.1 emphasizes the word all, and just applying Windows Updates is not going to cover all of the software that you use on a daily basis. For instance, if you use an additional web browser, like Mozilla Firefox or Google Chrome, Windows Updates does not provide any security patches for those browsers. Think of all the different programs, applications and tools you use on your computer. Keeping all those different kinds of software up to date may seem like a daunting task, but it is absolutely necessary. Malicious individuals prey on systems that have security vulnerabilities, since those vulnerabilities let them gain access, elevate privileges and take over the system or systems. (more…)
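The point above is that an automatic operating-system update channel only covers the operating system; every other product in the cardholder data environment needs its own patch tracking against the one-month window in requirement 6.1. The following script is an added example, not code from the original post or from SecureConnect: it compares a constructed software inventory against a constructed table of the latest vendor security releases and reports what is outdated, what is already past the 30-day window for a critical patch, and what has no patch source tracked at all. All host names, product names, version numbers and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Requirement 6.1: critical security patches are installed within one month of release.
PATCH_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Patch:
    product: str
    version: str   # latest vendor-supplied security release for this product
    released: date  # the date that release shipped
    critical: bool


def parse_version(text):
    """Turn '17.0.1' into (17, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_patch_levels(inventory, patches, today):
    """Return (host, product, status) for every installed item that is not current.

    status is 'untracked' when no patch source is known for the product,
    'overdue' when a critical patch is older than PATCH_WINDOW_DAYS and still
    not applied, and 'outdated' when a newer release exists but the window
    has not yet elapsed (or the patch is not rated critical).
    """
    latest = {p.product: p for p in patches}
    findings = []
    for item in inventory:
        patch = latest.get(item.product)
        if patch is None:
            # Software nobody is tracking can never be shown to be patched.
            findings.append((item.host, item.product, "untracked"))
            continue
        if parse_version(item.version) >= parse_version(patch.version):
            continue  # current
        age_days = (today - patch.released).days
        if patch.critical and age_days > PATCH_WINDOW_DAYS:
            status = "overdue"
        else:
            status = "outdated"
        findings.append((item.host, item.product, status))
    return findings


# Constructed sample data: the OS on POS-01 is current (automatic updates work),
# but the third-party browser and PDF reader on the same host are not.
TODAY = date(2012, 12, 1)
INVENTORY = [
    Installed("POS-01", "os", "6.1.7601"),
    Installed("POS-01", "browser", "16.0.2"),
    Installed("POS-01", "pdf-reader", "10.1.4"),
    Installed("POS-02", "pos-app", "3.2.0"),
    Installed("POS-02", "browser", "17.0.1"),
]
PATCHES = [
    Patch("os", "6.1.7601", date(2012, 11, 13), True),
    Patch("browser", "17.0.1", date(2012, 10, 15), True),     # 47 days old
    Patch("pdf-reader", "11.0.0", date(2012, 11, 20), True),  # 11 days old
    # note: no entry for "pos-app", so it is untracked
]


def example_findings():
    return check_patch_levels(INVENTORY, PATCHES, TODAY)


if __name__ == "__main__":
    for host, product, status in example_findings():
        print(f"{host}: {product} is {status}")
```

The useful output is the "untracked" line: a product with no patch source is exactly the gap the post warns about, because a merchant who relies on Windows Updates alone will never see it.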
by Dave Gavic
July 24, 2012 11:15AM
Think about all of the different things that you track on a daily basis, whether it is regularly checking in on friends on Facebook, watching the Twitter feeds of people’s daily activities, tracking a package you have sent or are receiving, or even, if you are one of those parents who use GPS on phones, tracking the whereabouts of your children. So if people habitually track friends through social media or regularly monitor the location of particular people or things, then what are they doing to track some of the most valuable assets in their business? The majority of businesses out there are not leveraging the proper tracking tools that can help protect their business, especially their cardholder data network. But why not? Ignoring a basic practice like monitoring the network for unusual activity can put valuable customer credit card data or employee information at risk, which ultimately puts the entire business at risk.
The PCI Council has weighed in on this very topic by stating, “Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.” Payment Card Industry Data Security Standard: Version 2.0
To provide guidance on what needs to be done, PCI DSS 2.0 Requirement 10 focuses specifically on logging for devices in the Cardholder Data Environment (CDE). Thorough logging is crucial for maintaining proper security and should not be overlooked. It is especially important in the event of a suspected or confirmed data breach, so that investigators are able to trace any possible vulnerabilities or unauthorized access to the network. (more…)
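Requirement 10 (logging) and the requirement 8 post above only work together: a log entry is only useful for tracing an action to a known individual if the user ID in it belongs to one person. The script below is an added example, not code from the original posts or from SecureConnect. It parses a handful of constructed, syslog-style access-log lines, builds a per-user trail of sensitive actions, flags sensitive actions performed under shared or generic accounts (which cannot be traced to an individual), counts failed logins per user, and sets aside lines that carry no user field at all. The log format, the field names, the account names and the list of sensitive actions are all placeholders.

```python
import re
from collections import Counter, defaultdict

# Placeholder lists: a real deployment defines its own shared accounts and sensitive actions.
SHARED_ACCOUNTS = {"admin", "cashier", "root"}
SENSITIVE_ACTIONS = {"view_pan", "export", "config_change"}

# Constructed log format: timestamp, then key=value fields in a fixed order.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log. The last line has no user field and must not be silently dropped.
SAMPLE_LOG = """\
2012-11-30T10:15:02 host=POS-01 user=jdoe action=login result=success
2012-11-30T10:16:40 host=POS-01 user=jdoe action=view_pan result=success
2012-11-30T10:20:11 host=POS-02 user=admin action=config_change result=success
2012-11-30T10:21:05 host=POS-02 user=msmith action=login result=failure
2012-11-30T10:21:09 host=POS-02 user=msmith action=login result=failure
2012-11-30T10:21:30 host=POS-02 user=msmith action=login result=success
2012-11-30T10:25:00 host=POS-02 user=cashier action=export result=success
2012-11-30T10:26:00 host=POS-02 action=export result=success
"""


def parse_log(text):
    """Split raw text into parsed events and a list of lines that did not match the format."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_LINE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def accountability_report(events):
    """Summarise who did what, and which sensitive actions cannot be tied to a person."""
    trail = defaultdict(list)      # user -> list of sensitive actions they performed
    untraceable = []               # sensitive actions done under a shared account
    for event in events:
        if event["action"] not in SENSITIVE_ACTIONS:
            continue
        trail[event["user"]].append(
            (event["ts"], event["host"], event["action"], event["result"])
        )
        if event["user"] in SHARED_ACCOUNTS:
            untraceable.append(event)
    failed_logins = Counter(
        event["user"]
        for event in events
        if event["action"] == "login" and event["result"] == "failure"
    )
    return {
        "trail": dict(trail),
        "untraceable": untraceable,
        "failed_logins": dict(failed_logins),
    }


def example_report():
    """Run the parser and the report over the constructed sample; returns (report, unparsed)."""
    events, unparsed = parse_log(SAMPLE_LOG)
    return accountability_report(events), unparsed


if __name__ == "__main__":
    report, unparsed = example_report()
    for event in report["untraceable"]:
        print(f"{event['ts']} {event['host']}: '{event['action']}' by shared account "
              f"'{event['user']}' cannot be traced to an individual")
    for user, count in report["failed_logins"].items():
        print(f"{user}: {count} failed login(s)")
    for line in unparsed:
        print(f"unparsed (no user field?): {line}")
```

Two design points carry over to real log pipelines: lines that fail to parse are reported rather than discarded, because a missing user field is itself a finding under requirement 10, and the per-user trail is built only from sensitive actions so the record investigators need is not buried under routine events.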