Saturday 5 June 2010

Top 5 Challenges In PCI Compliance

Today's Payment Card Industry Data Security Standard (PCI DSS) stands as one of the most prominent achievements in the information security industry. However, many organizations struggle with the complexity that the standard brings. Below are the top five challenges organizations face on their PCI journey.


1. Protecting Stored Payment Card Data

The most common challenge that many organizations face in achieving PCI compliance is requirement 3 of PCI DSS (encryption of stored payment card data) primarily because of the complex technical and often intrusive nature of available solutions. The data encryption requirement of the PCI DSS is designed to ensure that even if other data protection mechanisms are breached, the encrypted payment card data will remain inaccessible. Unfortunately, mainframes and other legacy systems were not designed to natively support encryption solutions. Data reduction and process reengineering are approaches used by many organizations to reduce the amount and type of payment card data that needs to be encrypted.

Image via pinewswire

2. Defining Cardholder Environment

Image via tevora

Organizations often attempt to assess the current state of their cardholder environment without a clear understanding of what is in scope. Scoping means understanding every payment process: how cardholder data enters the environment, where it is processed and stored within the organization, how it leaves the environment, and with whom it is shared. It is essential to trace the route cardholder data takes and to map every access point to the systems that hold it. Even where cardholder data is not stored, it can be compromised by accessing the channels through which it flows. Without this understanding, the compliance assessment is incomplete and residual risk remains.
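The two challenges above, finding where cardholder data actually resides and reducing how much full PAN is kept, can be approached with a simple discovery-and-truncation pass. The following is an added example, not code from the original post; the sample records are constructed, the PAN pattern (13-19 digits, optionally separated by spaces or dashes) is an assumption, and truncation to first six / last four is one of the methods PCI DSS accepts for rendering stored PAN unreadable.

```python
import re

# Constructed sample records standing in for application logs or batch files (not real data).
SAMPLE_RECORDS = [
    "2010-06-05 10:01 order=20100605001 pan=4111 1111 1111 1111 amount=42.00",
    "2010-06-05 10:02 order=20100605002 phone=5551234567 amount=7.50",
    "2010-06-05 10:03 pan=5500-0000-0000-0004 exp=12/12 amount=99.99",
]

# Assumed PAN shape: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not card numbers (order ids, phones)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in one record, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def locate_pans(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> PANs found, i.e. where cardholder data actually resides."""
    return {i: p for i, r in enumerate(records) if (p := find_pans(r))}


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits; the middle is replaced so no full PAN is stored."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def reduce_record(text: str) -> str:
    """Data reduction: replace every full PAN in a record with its truncated form."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return truncate_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)
```

Running `locate_pans(SAMPLE_RECORDS)` flags records 0 and 2 only; `reduce_record` on either leaves a record that contains no full PAN, so it no longer needs requirement 3 encryption.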


3. Logging & Monitoring Events

Logging and monitoring of security related events on systems that store, process, transmit, or provide access to cardholder data is required to aid in detection and prevention of suspicious activity and analysis of activities in the event of a breach. Many systems and applications in a legacy environment do not natively support logging controls mandated by the PCI DSS. Moreover, many of these systems and applications were not designed to handle the additional overhead on system resources in an environment where rapid transactional response time is essential. Organizations deploy a variety of monitoring and logging solutions ranging from stand-alone manual procedures to fully automated and centralized solutions. Once the solution is deployed, it generates massive amounts of log data which poses a new challenge in monitoring those logs effectively.


4. Controlling Access to Cardholder Environment

Restricting unauthorized access to cardholder data (and the systems that hold it) is a fundamental principle of PCI compliance, and it continues to be a challenge for many companies. Several factors add to the difficulty: data proliferation across disparate systems, use of production data in non-production environments, no clear understanding of where data resides in the enterprise, the inability of legacy or home-grown systems to support certain PCI-mandated controls, and the absence of a role-based access control model. Remediation approaches range from tactical point solutions that manage access at the individual payment system level to complex enterprise identity management solutions.


5. Lacking A Holistic Approach to Compliance

Image via howlifereallyworks

Most organizations take a siloed approach to addressing applicable regulatory, risk management, and compliance requirements. In many organizations, compliance programs focusing on regulations such as PCI, Sarbanes-Oxley (SOX), and the Gramm-Leach-Bliley Act (GLBA) are not effectively integrated, even though many of their requirements overlap. Such a siloed approach impairs efficiency and effectiveness, contributing to duplication of effort, inconsistent processes, and ultimately compliance fatigue.
