SOURCE: LockPath, Inc.


May 26, 2015 00:00 ET

The Buck Stops Here: A Solution to PCI Security

OVERLAND PARK, KS--(Marketwired - May 26, 2015) - The topic of PCI DSS 3.0 has become the proverbial dead horse to anyone involved in relevant industries. Publications have been written ad nauseum on every imaginable angle surrounding v3.0's 12 Requirements and their over-200 subsequent, articulating Requirements. Oh, and lest we forget the fiery opinion articles highlighting the short-fallings of 3.0, fueled almost entirely by examples drawn from the rash of breaches in 2014. However, enough is enough. Talk is cheap in the world of data security. Let's shift the focus, talk real solutions, and have the buck stop here.

As we should all know by now, the revisions to the existing PCI standards were designed to instill a proactive approach in protecting cardholder data. This new approach focuses on security, and not compliance. Special attention is given to areas proven to be higher threat risks, such as system vulnerabilities and malware. Regardless of one's position as to the effectiveness of PCI DSS 3.0, most would agree that this shift in tactics is essential to securing payment card data.

Updates made to PCI Data Security Standards will help organizations manage and mitigate evolving risks. The main Requirements, and their subsets, that are relevant to this conversation are as follows (with basic context provided):

  • Requirement 1 -- Installation and maintenance of firewalls
  • Requirement 5: 5.1; 5.1.2; 5.2 -- Installation, maintenance, and testing of anti-virus software with audit log generation
  • Requirement 6: 6.1; 6.2 -- Develop and maintain secure systems and applications; Documentation and prioritization/ranking of security vulnerabilities; Management and maintenance of security patches
  • Requirement 11: 11.2; 11.2.1; 11.3; 11.3.3; 11.4 -- Execution of regularly scheduled system and process vulnerability security scans, penetration testing; Resolve discovered 'high-risk' vulnerabilities

It's not hard to deduce what the brains behind these revisions were getting at when devising these Requirements listed above. The goal is an intelligence-based, proactive strategy that spans the entire vulnerability lifecycle: from discovery, to management, and eventually mitigation. This approach integrates offensive (anti-virus software, penetration testing) and defensive (firewall) measures and is designed to be implemented across an organization's complete inventory of assets dealing with payment card information. Left to conventional, antiquated methods, the execution and management of this can easily become a nightmare. However, as promised, there is a solution to effectively and efficiently handle these tasks.

This solution is called Governance, Risk Management, and Compliance software, or GRC for short. GRC solutions, including LockPath's Keylight platform, bring this once-complex strategy into a single scope, making every aspect of the vulnerability lifecycle extremely manageable and efficient by centralizing and streamlining related processes.

This strategy for v3.0 utilizes several layers of security redundancy. Albeit great for overall protection, this requires the ingestion of data from security tools on each tier. Long gone are the days of trying to read the tea leaves by digging through nonsensical scan data outputted into a multitude of spreadsheets. A GRC solution will aggregate data from the sources in the aforementioned Requirements (configuration, penetration, code, webapp, etc.) and contextualize it into consumable, visual reports. This provides organizations the ability to intelligently identify trends and maintain an asset profile of vulnerabilities and threats.

Keylight can take things a step further. Using data from these scans, risks can then be documented, analyzed for trends (which can be cross-referenced with the National Vulnerability Database and other risk database feeds), and prioritized based on any risk methodology. Remediation tasks can then be set into motion, manageable and visible by all personnel involved, through an integrated workflow. It are these integrated workflows that break down the communication silos within an organization, provide process completion transparency, and easily document progression, with time stamping, in remediation assignments for audit readiness.

The new standards of PCI will only work as effectively as organizations make them. Version 3.0 is by no means comprehensive; however, these Requirements offer a good foundation for a risk-based approach to security and compliance through capturing attestations, reports, and audits of continuous program maintenance, remediation, and improvement. With Keylight's help, companies can easily build and expand on this foundation to stack the chips of data security increasingly in their favor. In the end, those companies who walk the walk, and are vigilant in defending their customers' data, will reap the benefits.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.

Image Available: