In 2014, U.S. payment card fraud totaled approximately $7.9B. And the sting of major data breaches at Home Depot and Target has yet to subside. So clearly, there’s still work to do when it comes to securing cardholder data and the infrastructure that transmits and stores it. That puts even more of a spotlight on the coming upgrade to the Payment Card Industry Data Security Standard (PCI DSS).
The deadline for PCI 3.0 compliance looms—July 1 of this year. PCI regulations apply to any organization, regardless of size or number of transactions, which accepts, transmits, or stores cardholder data. Compliance violations come with a steep price, anywhere from $5,000 to $100,000 per month.
What does it take to comply with PCI 3.0? Really, the same thing it took to comply with PCI 2.0. Only more of it, with higher stakes and greater scrutiny.
The first stop on any organization’s PCI compliance road map should be assessment. You need to identify all the network locations where cardholder data resides and take an inventory of the IT infrastructure assets and business processes involved in payment card processing.
This defines the scope of the cardholder data environment (CDE). It pinpoints all system components that are located within or connected to that environment, which comprises the people, processes, and technology that handle cardholder or sensitive authentication data. Once you’ve thoroughly defined the CDE, assessment should focus on uncovering vulnerabilities that could expose cardholder data.
System components include network devices (wired and wireless), servers, and applications, as well as their virtualized counterparts. And this scoping exercise needs to include on-premise components and those managed by third-party vendors.
As one Fortune 100 retailer noted: “The difference between what we know is in our environment and what’s REALLY out there isn’t just a gap, it’s a chasm!”
Well, that just won’t do for PCI compliance.
Automate Scanning of the Cardholder Data Environment
Like the Fortune 100 retailer, most organizations have that “chasm.” To close it,
IT needs to move beyond manual processes that produce static asset inventory spreadsheets. Especially in large, complex CDEs that span multiple geographic locations—which describes many regional and national retailers—static inventories become obsolete almost before they’re complete. Throw virtualization into the mix and proprietary, third-party systems maintained by outside personnel such as application vendors or system integrators) and you have the perfect recipe for non-compliance.
Beware of agent-based scanning solutions.They can only provide details for the assets on which they’re deployed. You can’t place agents on assets you haven’t identified—for example, zombie servers.
Prepare for More Rigorous Penetration Testing
One of the major changes between PCI 2.0 and 3.0 centers on penetration testing. You must verify the methods used to segment the CDE from other IT infrastructure. And you can’t provide complete penetration testing without an accurate inventory of all your assets. This is especially true now that penetration testing activities (internal and external) must follow an “industry-accepted penetration testing methodology,” such as that detailed in the Technical Guide to Information Security Testing and Assessment published by National Institute of Standards and Technology (NIST).
BMC Discovery: PCI Compliance Peace of Mind
With BMC Discovery, you can meet the PCI 3.0 compliance deadline while
creating a dynamic, holistic view of all data center assets, the relationships between them, and how those assets support the business. BMC Discovery can:
- Scan and inventory your entire infrastructure with up to 100 percent accuracy in just 15 minutes
- Describe how assets relate to one another
- Build application maps from any starting point or any piece of information
- Define precisely which assets touch cardholder data
- Identify vulnerabilities that must be resolved to meet PCI regulations
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.
See an error or have a suggestion? Please let us know by emailing email@example.com.