As external threats to sensitive data become more organized, data can be exposed anywhere, at any time. According to PCI, companies must show due diligence that they are taking appropriate steps to protect customer information.
Internal risks to companies are also growing. More internal resources have greater access to customer data these days, and ensuring that only authorized individuals with an appropriate business “need to know” can access and use customer data poses a significant challenge to many organizations. Businesses use customer data more than ever to support their various customer interaction points: Marketing, Sales, and operations. With this trend comes an increased risk of data breach. Clearly, companies that use customer data effectively, while meeting security and regulatory requirements, have a distinct advantage over competitors.
Many merchants have widely distributed networks across numerous store locations and over the web. The big challenge with these architectures is to identify which systems are in-scope for PCI, and then to determine the best way to capture and manage all the data that is generated across these systems, both comprehensively and cost-effectively. To meet PCI compliance, companies must effectively collect and monitor 100 percent of log data.
Network traffic management and remote site management are also huge challenges for merchants. With costly network bandwidth, merchants need solutions that provide bandwidth controls, batching and prioritization of critical event logs, as well as support for universal definitions of configurations that can be cloned and pushed across a multi-store environment.
How are companies using PCI to improve security?
Historically, companies have not collected or analyzed event sources from systems such as applications, POS devices, databases, and legacy applications. However, PCI is driving companies to collect, analyze and manage events across these additional systems to ensure that the entire card data path is secured.
Collecting all logs, all the time
PCI affects every single IT device or system that stores, processes or transmits cardholder data. 100-percent data capture is required to protect a company's information assets. The sheer scope of this can quickly become overwhelming, as this includes all the IT devices and security systems across the IT environment.
Many of these in-scope systems are not located at the initial point of transaction. These systems are throughout the entire network, and include both online and offline systems at the retail location, as well as the back-end systems that support supply chain and partner operations, banking and financial operations, call center support and warehouse operations. These new log collection requirements are forcing companies to implement solutions that quickly and seamlessly collect and analyze these types of events across their entire IT infrastructure.
Monitoring user activity
Whether it is through user error or malicious behavior, employees, business partners, contractors and consultants pose a significant threat to cardholder data security. Tracking and monitoring typical user behavior across all PCI systems and applications, and contrasting that with anomalous behavior as it occurs, is required to protect against a breach and to ensure that authorized users are acting in an authorized way.
Many companies find that it's not enough to simply manage users at the point of entry into a network; they have to track and monitor user activity throughout the entire network to ensure that the good guys continue to do good things. This also means tracking and monitoring every identity and role that an individual has, as individuals often have multiple user names and IDs across the various systems and applications that are in-scope for PCI.
Prioritizing the risks
Companies have long struggled with how to properly identify and quantify overall risk. There was generally little tie-in from IT back to a business process, and even risks across IT and the business were often misunderstood, not integrated, or worse, mis-aligned. To determine which batch of events and user actions represent a true threat to cardholder data and PCI compliance, companies must analyze all event information across the multitude of event sources and user behaviors, and then prioritize the actual risk to the affected business process.
Leading companies use PCI as the driving force to integrate their IT and business compliance functions, which helps them to better quantify the impact of an IT risk or compliance violation against the overall business. The compliance goal for IT historically has been to fix each violation or incident as it occurs. However, many organizations now have more strategic alignments between IT and the business. IT can now focus on addressing and remediating only those risks that will significantly impact the business. This integrated approach helps the entire business to more effectively manage risk and to allocate resources and investment into areas that have the greatest impact.
A best practice approach to security and compliance
One of the joys of PCI is that compliance is defined within the actual standard. While other, more famous standards and regulations such as Sarbanes-Oxley and ISO 17799 tend to focus on what companies should do for security and compliance, PCI provides specific detail on how organizations should actually comply with the requirements. Many of the same controls required for PCI compliance are reusable across the breadth of corporate compliance initiatives. Leading companies are using PCI as a guide to put in place needed infrastructure, policies, and processes that meet all regulatory and compliance requirements.
The advantage? Organizations that implement a best practices methodology show proper due diligence and fiduciary responsibility across their regulatory environment, and not just for PCI. For log collection, aggregation, monitoring and reporting processes for all of their regulatory requirements, this best practices approach allows organizations to establish a set of common processes, policies and controls that are widely accepted within the audit community.
Businesses face many challenges in today's dynamic regulatory environment. From determining what systems are in scope to managing an entire suite of regulations, companies find that by taking a new approach to these challenges, they realize a stronger, proactive position around their entire security management and compliance methodology. Companies use PCI as the biggest driver for implementing a stronger set of processes and controls that help them better protect cardholder data and sensitive customer information. PCI also helps companies dramatically improve their security and compliance posture across their entire organization. And isn't security, after all, the main purpose of any regulation?
- Dave Anderson, senior manager, product marketing, ArcSight