As part of a dynamic IT team you might not have heard of PCI (yet); however, if your company is set up to take credit card payments for services and products, PCI can potentially affect you and your IT area. Here are the top 3 things for your IT department to know about PCI:
PCI standards, credit cards, and your network
PCI DSS (the Payment Card Industry Data Security Standard) is an information security standard created by the biggest players in the credit card field: Visa, MasterCard, American Express, Discover, and JCB. The standard was developed to encourage and enhance cardholder data security and to provide a baseline of technical and operational requirements designed to protect cardholder data (PCI SSC Reference Documents). The key words to focus on, and the ones that will affect your IT department, are encourage, enhance and baseline of technical and operational requirements. Why? Read on.
There is no escape: your network, or part of your network, will be in scope and your life will change (your work life, that is).
Some detailed network sleuthing is required to know how much of your network is in PCI scope and will need to be protected per PCI requirements. You have heard the phrase "follow the money"; well, with PCI it is literally about following the money. Start by following the credit card transaction from the point where the card data is captured, identify every channel used to transmit card data, look at what happens to the data while it is on your network, and determine the moment it leaves your network (hopefully securely).
You might be shocked (or not) to discover how many places credit card information is stored, or exposed, without your knowledge. There are so many places credit card data can hide: application and system logs, databases, spreadsheets, Word documents, emails, temporary files and memory, etc.
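One practical way to find card data hiding in logs, exports and documents is a discovery scan: pull out any run of 13 to 19 digits (allowing the spaces or dashes people type between groups), drop anything that fails the Luhn check, and keep only candidates whose length and prefix match one of the card brands named above. The script below is an added example, not part of the original article or a PCI SSC tool; the log lines it scans are constructed for the example, and it uses the brands' published test card numbers rather than real PANs. Note that it never writes a full PAN to its output, only the first six and last four digits, so the scan itself does not create a new place where card data hides.

```python
import re
from typing import List, NamedTuple, Optional

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str  # first six + last four digits only; never the full PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Map length + issuer prefix to a brand; None if no brand matches."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if 16 <= n <= 19 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    if 16 <= n <= 19 and 3528 <= four <= 3589:
        return "JCB"
    return None


def mask(digits: str) -> str:
    """Keep BIN (first 6) and last 4, the truncation PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(digits: str) -> Optional[Finding]:
    """Try the whole digit run, then shorter windows, longest first.

    A PAN followed by a space and another number (e.g. 'pan=4111... 3') is
    captured as one 17-digit candidate; checking sub-windows keeps the real
    16-digit card from being discarded along with the noise.
    """
    for length in range(min(len(digits), 19), 12, -1):
        for start in range(len(digits) - length + 1):
            window = digits[start:start + length]
            brand = brand_of(window)
            if brand is not None and luhn_valid(window):
                return Finding(0, brand, mask(window))
    return None


def scan_lines(lines: List[str]) -> List[Finding]:
    """Scan text lines and return one Finding per line that holds a card number."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            hit = classify(digits)
            if hit is not None:
                findings.append(hit._replace(line_no=no))
                break  # one finding per line is enough to put it in scope
    return findings


# Constructed sample log lines (brand-published test numbers, not real cards).
SAMPLE_LOG = [
    "INFO  order=2023-10-05 customer=jdoe pan=4111 1111 1111 1111 exp=12/26",
    "DEBUG card_number=5555555555554444 amount=19.99",
    "ERROR amex 378282246310005 declined by issuer",
    "INFO  order_id=1234567890123456 status=shipped",      # fails Luhn: not a card
    "INFO  ts=1700000000000 session=abc",                   # epoch ms, no brand match
    "INFO  discover 6011-1111-1111-1117 ok",
    "INFO  jcb 3530111333300000 settled",
    "WARN  retry pan=4111111111111111 3 times",             # PAN merged with a count
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Run the same scan_lines() over exported database dumps, help-desk ticket text and mail archives and every hit is a location that just became part of your cardholder data environment; anything the scanner is pointed at should itself be treated as in scope while the job runs.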
Where the credit card data is hiding in your network is not your only concern (or PCI's); access control to it is another area that is easily missed. How many unchecked openings into the credit card environment, from devices or people, are left over from old ACLs? How much unchecked inbound and outbound internet traffic does your firewall allow? Do you have poorly managed access controls that could leave you, and the credit card data, vulnerable?
What can you do? The best advice is to start with one stream of credit card data at a time. Begin with the device or system where the credit card data is captured and document everything you find: type of device, model number, software version, and the employees who have access to it. Don't forget to list the ports and protocols it uses to communicate, the access level of each individual who uses the device, etc. Continue this process up the chain to the next network or system device, document each flow, and repeat until you arrive at your border router or firewall. REMEMBER: no device is too insignificant if it is connected to your credit card subnet.
You will become (if you are not already) really good at the documentation (yay?).
PCI looks at people, processes, and technology, and after your exposure to the PCI standards, so will you. Having a documented process for patch management, server management, help desk, etc. helps guarantee continuity and standardization. A large part of PCI (and perhaps the most important part for IT) relies on having defined steps and ownership for the tasks that protect cardholder data: who does the patching, how, and how often; how logs are managed; how access to sensitive devices is controlled; what the change control process for firewall rules is; and so on. Truly, it is simply best practice.
I would love to say this scratches the surface of IT and PCI, but I cannot. This merely opens the curtain before we start scratching the surface of PCI. If you want to learn more, the PCI Security Standards Council website is a good source of information. Also, your local, friendly QSA is a great resource for questions about how PCI can be managed within your specific environment. Finally, if your organization is questioning the security of its PCI environment, our certified professionals can help you define your PCI environment, determine compliance gaps, and provide solutions.