9 reasons-to-ensure-pci-compliance-web
PCI Compliance, Information Security,
Published in: Technology
Article | Bit9 Retail and Hospitality

As a retail security professional, you are challenged with maintaining a constant state of PCI compliance and keeping your infrastructure safe using best-of-breed security solutions that help, rather than hinder, your quest to validate your systems. Endpoint protection that is based on detecting known malware is demonstrably ineffective, and it has the potential to create numerous inefficiencies across your organization. In addition, constant updating of security patches and antivirus software libraries can slow response times and leave endpoints vulnerable to APT attacks. Besides potential breaches of your customers' personal information, as well as damage to your brand, a lack of endpoint control can also put you at risk for steep PCI noncompliance and regulatory penalties: fines that can range anywhere from $10,000 to $100,000 per month.

Here are nine strategies to think about when looking to take control of your security and reduce the burden of achieving and maintaining PCI compliance.

Nine Ways

1. Understand What's In and Out of Scope
2. 100 Percent Detection During Your Entire Transactional Process
3. Defense in Depth: Protect Your Enterprise on Multiple Levels
4. Ease Your Scanning Overhead While Controlling Your Store Systems
5. Take Back Your Processing Power
6. Use Real-Time Sensors to Streamline Your Testing and Vulnerability Collection Process
7. Gain Visibility and Build Measurable Business Intelligence Around the Enterprise Assets
8. Protect What Matters Most with Change Control
9. Educate and Advise the Business of the Security and Regulatory Policies
1. Understand What's In and Out of Scope

To control costs and minimize the administrative burden during the PCI compliance validation process, IT professionals spend time segmenting their network infrastructure in order to understand which sections of the enterprise are in scope for PCI. The idea is to segment out data that is not PCI-relevant and avoid the increased complexity of the compliance metrics against which the in-scope data is held. With full visibility and monitoring of all of your enterprise assets, along with templates to determine which data is PCI-relevant, you can gain a quick snapshot of the corporate assets that are affected by compliance. This not only makes it easier to decide which sectors within the scope of PCI compliance are of immediate concern, but it also streamlines the audit and data collection process.

2. 100 Percent Detection During Your Entire Transactional Process

What if you could maintain compliance throughout every point in a transactional process? The ability to instantly detect transactional data-point infractions, and to prevent anything outside of known and trusted software (such as advanced threats) from being introduced to the system, enables organizations to ensure that transactional data is protected at every stage of processing.

3. Defense in Depth: Protect Your Enterprise on Multiple Levels

For a complete security solution, and to meet PCI compliance requirements, IT professionals need a defense-in-depth strategy that keeps closed every window of opportunity to exploit their store systems, workstations and servers. Protecting your infrastructure on multiple levels, collecting information about your endpoints in real time, and having a wealth of asset information available to assess the risk that any asset poses to the organization's security and compliance are fundamental to meeting that compliance.

Take, as an analogy, a home security system. The system likely has both a door sensor and a motion sensor to detect the threat of someone entering either through the door or perhaps coming in through the window. The strength of this system is that if one mechanism doesn't catch the threat, the other will. The same holds true for defense in depth when considering certain PCI requirements.

4. Ease Your Scanning Overhead While Controlling Your Store Systems

In order to meet PCI compliance, retailers must maintain a real-time inventory of all of their endpoints and servers and remain in control of their security. Using a combination of real-time sensors, cloud-based software reputation services, continuous monitoring, and a trust-based security platform, you'll eliminate antivirus scans, free up processing power, and extend the lifecycle of your store systems. Additionally, you will have the benefit of scheduling security patches on your own timetable rather than on the schedule of the OS or the compliance regulations, and you'll reduce the risk of compliance vulnerabilities.

5. Take Back Your Processing Power

Robust performance at the endpoint is critical to the success of adequate data collection, visibility across the enterprise, and security control. In order to maintain PCI compliance, it's necessary to gain actionable intelligence on all of the critical file assets, applications, and data running on the endpoints, while avoiding the bottleneck that constant scanning creates when it is used to collect that intelligence. If you can set an established baseline for the software inventory on the endpoints, you can return much-needed processing cycles to the endpoint and maintain the full visibility and control required to ensure compliance. You then negate the need for constant performance-consuming profile scanning, which often brings the endpoint to a halt.

96% of victims subject to PCI DSS had not achieved compliance (Verizon Data Breach Investigations Report).

6. Use Real-Time Sensors to Streamline Your Testing and Vulnerability Collection Process

By maintaining continuous, real-time file integrity monitoring and control, you can protect your critical configuration files from unauthorized changes and meet file integrity monitoring and audit trail rules. You'll be able to identify all suspected vulnerabilities across your enterprise and proactively take action against specific versions and types of files based on your organization's policies. By adding individual file rights and approvals into the trust metrics for the organization, you will have complete visibility into all changes and possible new vulnerabilities that may be introduced with software updates. This increased visibility provides a wealth of information for the penetration test and exposes all known and potential vulnerabilities, which can be handed over before testing commences. It also helps define the penetration tests that will be undertaken, because the test parameters can be set against a set of known possibilities rather than against a negative set of data.

7. Gain Visibility and Build Measurable Business Intelligence Around the Enterprise Assets

What if you could measure the security risk that any particular asset has on your organization at any given point in time? By understanding and having visibility into real-time file asset inventory information, you can build intelligence around all of your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities.

Having this high-level visibility will enhance your ability to report to the fullest on any asset, be it at audit time, pre-compliance assessment, or security intelligence gathering. It allows businesses to take a proactive stance against anything running within their enterprise and to sift out anything that is deemed untrustworthy or that could have a negative effect on their compliance and security posture.

8. Protect What Matters Most with Change Control

A full audit trail of all significant PCI data and the surrounding events associated with any attempted file alteration is required for auditors to quickly assess compliance and to produce the necessary reporting for compliance validation. However, the number of changes that you may have to monitor can result in a significant administrative burden. One solution is to utilize a security solution that is trust based, one that allows you to prevent changes to critical assets and greatly reduce the administrative work needed to sort through all of the expected or unexpected changes. This approach also greatly narrows the scope of ensuring the security and compliance aspects of PCI, as it enables the collection and tracking of all in-scope PCI-affected assets.

Only 76% of advanced malware is actually detected by antivirus solutions (Gartner-Burton IT1 Research, Application Control and Whitelisting for Endpoints, March 10, 2011).
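The baseline, file-integrity-monitoring and change-control ideas in sections 5, 6 and 8 reduce to one mechanism: inventory the endpoint once, then judge every later change against that inventory and a list of approved software. The following is an added illustration of that mechanism, not Bit9's product or code; it assumes an inventory is a mapping of relative path to SHA-256 digest, that the trust list is a set of approved digests, and it builds its sample endpoint in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root: Path) -> dict:
    """Inventory every regular file under root: relative path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict, trusted: set) -> dict:
    """Classify drift against the trust list: added or modified files whose
    digest is not in `trusted` are what a positive model would block."""
    report = {"added": [], "modified": [], "removed": [], "untrusted": []}
    for path, digest in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
        else:
            continue  # unchanged since baseline, nothing to review
        if digest not in trusted:
            report["untrusted"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    return report

def demo() -> dict:
    """Constructed scenario: one approved patch, one unknown binary, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "pos.exe").write_bytes(b"POS v1")  # constructed sample
        (root / "pos" / "config.ini").write_text("tls=1\n")
        baseline = take_baseline(root)
        # Trust list: everything in the baseline plus the vendor's approved v2 build.
        approved = b"POS v2"
        trusted = set(baseline.values()) | {hashlib.sha256(approved).hexdigest()}
        # Drift on the endpoint: approved patch, unknown binary, deleted config.
        (root / "pos" / "pos.exe").write_bytes(approved)
        (root / "pos" / "update.tmp").write_bytes(b"unknown binary")
        (root / "pos" / "config.ini").unlink()
        return compare(baseline, take_baseline(root), trusted)
```

The approved patch shows up as a modified file but not as untrusted, so only the unknown binary and the deleted configuration file need an administrator's attention, which is the reduction in review workload that section 8 describes.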
9. Educate and Advise the Business of the Security and Regulatory Policies

Putting a mechanism in place that guarantees the distribution and consumption of the security policy is one way to ensure compliance throughout your enterprise. Implementing a solution that provides full control through policy at the endpoint allows the security administrator to enforce the consumption of the security policy and also to track compliance with the policy in real time. A policy-based solution enables the configuration of multiple levels of control out to the endpoints and maintains visibility into the acceptance of the education, while also providing a reporting capability that ensures the auditors have what they need to complete the validation process.

The food and beverage, retail and hospitality industries accounted for about 85% of data breach investigations in 2011 (Trustwave 2012 Global Security Report).

Summary

Taking control of your security posture and reducing the burden of achieving and maintaining PCI compliance is a complex and multifaceted task. But one tool in the arsenal of the retail security professional should be a trust-based or "positive" security-model offering that can protect your infrastructure on multiple levels. Preventing software that is outside the known and trusted set from being introduced to the system denies it the ability to execute any malicious deeds. For more information on how Bit9's trust-based application control solution can ease the pain of PCI compliance for you, go to www.bit9.com.

About Bit9

Bit9, the global leader in Advanced Threat Protection, protects the intellectual property (IP) of the world's leading brands with innovative, trust-based security solutions that detect and prevent sophisticated malware and cyber threats. Bit9 stops advanced persistent threats (APTs) by combining real-time sensors, cloud-based software reputation services, continuous monitoring and trust-based application control and whitelisting. Bit9 is the only company to stop both Flame and the malware that caused the RSA breach.

266 Second Avenue, Waltham, MA 02451 USA. P 617.393.7400 F 617.393.7499 www.bit9.com
© 2012 Bit9, Inc. All rights reserved. Bit9, Inc. is a registered trademark of Bit9 Incorporated. All other trademarks and registered trademarks are the property of their respective owners. Bit9 reserves the right to change product specifications or other product information without notice.