If you are in the financial services industry, how do you create a secure environment that is compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
Every other day, the Internet is flooded with reports of card holder information theft, financial data loss due to misconfigured ‘secure network environment’, identity theft and so on.
To start with, the PCI DSS compliance standard defines various merchant levels, validation types, and most importantly, PCI requirements (12 requirements) and hundreds of controls/sub-controls that ought to be followed to the letter.
According to a recent Verizon 2014 PCI Compliance Report, only 11.1% of companies passed all 12 requirements, and a little over 50% of companies passed 7 requirements.
Hackers are upping their ante. Getting into the specifics of PCI DSS compliance to protect financial data can be daunting, yet unavoidable. Well, the good news is, with a proper NCCM software, you can ensure that:
- Your network is secure and compliant
- You efficiently pass audits and avoid ‘last minute’ pressure (not to mention that unique combination of surprise audits & Murphy’s Law!), and
- You don’t contribute to the ‘cost of non-compliance’
Cost of PCI DSS non-compliance
Costs incurred in terms of heavy fines (millions of USD) for regulatory non-compliance, and/or, losing financial data amounting to millions/billions of dollars.
Some inconvenient stats: Global card fraud – over $11 billion in 2012 (The Nilson Report, 2013). Losses from fraud using cards issued in Single Euro Payments Area (SEPA) is about €1.33 billion, in 2012 (Third Report on Card Fraud, European Central Bank).
Ensuring 100% PCI compliance in your network can be challenging due to one or more of the following:
- Many routers, switches and firewalls – manually tracking configuration changes is a pain
- Manually running cron jobs to backup configurations – time consuming/error-prone
- Manually pushing configs via TFTP servers, to the network devices
- Manually checking PCI requirements on a periodic basis, and apply changes as appropriate
- Your existing software not supporting a multi-vendor environment
- You don’t have visibility to what changed when, and by who
- The current manual processes are outrageously laborious as you may have hundreds of network devices to manage, and too few network admins
Of course, all network admins try their best to ensure compliance and keep their networks secure, doing so in their own style. A few important things they may need, to better manage compliance would be:
- Getting hold of readily available PCI reports
- Having fine control over policies, reports and rules
- Automating remediation scripts on a node or bunch of nodes
- Change approval management
- Backing-up/updating/restoring devices to compliant configurations when config changes go awry
The PCI DSS standard is here to stay, and it’s only going to get tougher and tougher to counter the rising fraud rates. So, how are you coping up in complying with PCI standards?