PCI

As part of a dynamic IT team you might not have heard of PCI (yet); however, if your company is set up to take credit card payments for services and products, PCI can potentially affect you and your IT area. Here are the top 3 things for your IT department to know about PCI:

  1. PCI standards, credit cards, and your network

PCI DSS is an information security standard created by the biggest players in the credit card field: Visa, MasterCard, American Express, Discover, and JCB. The standard was developed to encourage and enhance cardholder data security and to provide a baseline of technical and operational requirements designed to protect cardholder data (PCI SSC Reference Documents). The key words to focus on, and the ones that will affect your IT department, are "encourage," "enhance," and "baseline of technical and operational requirements." Why? Read on.


  2. There is no escape: your network, or part of your network, will be in scope and your life will change (your work life, that is).

Some detailed network sleuthing is required to know how much of your network is under PCI scope and will need to be protected per PCI requirements. You have heard the phrase "follow the money"; with PCI it is literally about following the money. Start by following the credit card transaction from the point where the data is captured, find all of the channels used to transmit card data, look at what happens to the data on your network, and determine the moment it leaves your network (hopefully securely).


Let's look at a very simple (but common) network setup and the assumed credit card data flow.

[Figure: PCI data flow (assumed)]


Now let's take a look at how it truly flows and where some of your headaches will be:

[Figure: PCI data flow (actual)]


You might be shocked (or not) to discover how many places credit card information is stored or exposed without your knowledge. There are many places credit card data can hide: computer logs, databases, spreadsheets, Word documents, emails, temporary memory, etc.

Where the credit card data is hiding in your network is not your only concern (or PCI's); access control to it is another area that is easily missed. How many unchecked openings into the credit card environment do devices and people have because of old ACLs? How much unchecked inbound and outbound internet traffic does your firewall allow? Do you have poorly managed access controls that could leave you and the credit card data vulnerable?

What can you do? The best advice is to start with one stream of credit card data at a time. Begin with the device or system where the credit card data is captured and document everything you find: type of device, model number, software version, and the employees who have access to it. Don't forget to list the ports and protocols it uses to communicate, the access rights of each individual who uses the device, etc. Continue this process up the chain to the other network/system devices, document each flow, and repeat until you arrive at your border router/firewall. REMEMBER: no device is too insignificant if it is connected to your credit card subnet.


  3. You will become (if you are not already) really good at documentation (yay?).

PCI looks at people, processes, and technology, and after your exposure to the PCI standards, so will you. Having a documented process for patch management, server management, help desk, etc. will help guarantee continuity and standardization. A large part of PCI (and perhaps the most important to IT) relies on having defined steps and ownership for the tasks that help protect cardholder data: who does the patching, how, and when (how often); how logs are managed; how access to sensitive devices is controlled; what the change control process for firewall rules is; and so on. Truly, it is simply best practice.

I would love to say this scratches the surface of IT and PCI, but I cannot. This only opens the curtain before we start scratching the surface of PCI. If you want to learn more, the PCI Security Standards Council website is a good source of information. Also, your local, friendly QSA is a great resource for questions about how PCI can be managed within your specific environment. Finally, if your organization is questioning the security of your PCI environment, our certified professionals can help your organization define your PCI environment, determine compliance gaps, and help provide solutions.


Phil Godinez
Information Security Analyst at FRSecure LLC
Phil Godinez is part of our information security team, whose passion is helping companies achieve a better security posture. As a certified PCI DSS QSA, Phil's area of expertise is assisting companies in understanding and navigating the complex set of requirements established by the PCI DSS Council to protect credit card data. Phil is active in his community as a board member for his city's Race and Equity Community Task Force. He also enjoys many types of physical activity, such as boxing and running, and he recently started training in Muay Thai boxing.
