PCI DSS, File Integrity Monitoring and Logging - Why Not Just Ignore It Like Everyone Else Does?

February 22, 2012 | Comments: 0 | Views: 129

The Safety Belt Paradox

The Payment Card Industry Data Security Standard (PCI-DSS) has now been around for over 6 years, but every day we speak to organizations that have yet to implement any PCI measures. So what's the real deal with PCI compliance and why should any company spend money on it while others are avoiding it?

Often the pushback is from Board Level, asking for clear-cut justification for PCI investment. Other times it comes from within the IT Department, seeking to avoid the disruption PCI measures will incur.

Regardless of where resistance comes from, the consensus is that adopting the standard is a sensible thing to do from a security perspective. But like so many things in life, the common sense view is outweighed by the perceived pain of achieving it. This thinking is often referred to as 'The Safety Belt Paradox', more of which later.

This is coupled with anecdotal feedback that, whilst the Acquiring Banks (payment card transaction processors) promote the need for PCI measures, they seldom have the focus and continual drive to monitor the status of compliance, making it all too easy for Merchants (anyone taking card payments) to carry on just as they are.

Prioritizing PCI Measures

With 12 headline Requirements covering 230 sub-requirements and around 650 detail points, encompassing technology, procedure and process, there is no denying that the PCI-DSS is complex and is likely to cause disruption. But the benefits ultimately outweigh the pitfalls, particularly when there are shortcuts to compliance, which follow the 'How do you eat a whale?' philosophy (one piece at a time, in case you were wondering).

This 'prioritized approach', advocated by the PCI Security Council, focuses attention on the most important 'biggest bang for buck' measures first, with the others broken into five levels of priority.

We would also always advise that, in order to control costs and minimize disruption, you understand the context and impact of each aspect to see which other Requirements can be taken care of by implementing the same measure. For instance, file integrity monitoring is specifically mentioned in Requirement 11.5, but actually applies to numerous other Requirements throughout the standard. For example, the Device Hardening measures specified in Requirement 2 all come back to file integrity monitoring, because configuration files and settings need to be assessed for compliance with best practices, and once a device has been hardened, it is vital that monitoring is in place to ensure there is no 'drift' away from the secure configuration policy adopted.
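The baseline-and-drift check described above, as an added example that is not NNT's product code or anything from the PCI DSS itself: it records a hash, permission bits and size for every file under a monitored tree, then reports files that were added, removed or altered. The directory layout, file names and contents are constructed for the demo, and a plain directory tree is assumed as the monitored scope.

```python
"""Minimal file integrity monitoring (FIM) baseline and drift check.

Added example: not NNT's product or any PCI DSS reference code. It assumes a
plain directory tree as the monitored scope; the paths and contents used in
demo() are constructed.
"""
import hashlib
import os
import stat
import tempfile


def _file_record(path):
    """Return the attributes a FIM baseline keeps for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "size": st.st_size,
    }


def build_baseline(root):
    """Walk root and record hash, mode and size for every regular file,
    keyed by path relative to root so the baseline is portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                baseline[os.path.relpath(full, root)] = _file_record(full)
    return baseline


def detect_drift(baseline, current):
    """Compare two baselines. Modified entries list the attributes that
    differ, so a reviewer can tell a content change from a permission change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "mode", "size")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a hardened config tree, snapshot it, then simulate drift
    (weakened setting, loosened mode, deleted file, new file) and detect it."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "etc")
        os.makedirs(cfg)
        sshd = os.path.join(cfg, "sshd_config")   # constructed content
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        os.chmod(sshd, 0o600)
        motd = os.path.join(cfg, "motd")
        with open(motd, "w") as f:
            f.write("authorised use only\n")
        os.chmod(motd, 0o644)

        baseline = build_baseline(root)

        # Simulated drift away from the hardened state.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(sshd, 0o644)
        os.remove(motd)
        with open(os.path.join(cfg, "cron.allow"), "w") as f:
            f.write("root\n")

        return detect_drift(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off the monitored host (or signed), and the comparison scheduled or event-driven; the point here is that a change to either content or permissions of a hardened file surfaces as a named finding rather than going unnoticed.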

Similarly, log management and the need to securely back up event logs from all in-scope devices may only be detailed in Requirement 10; however, using event log data to track where changes have been made to devices and user accounts is a great way of auditing the effectiveness of your change management processes. Tracking user activity via syslog and event log data is generally seen as a means of providing the forensic audit trail for analysis after a breach has occurred, but used correctly, it can also act as a great deterrent to would-be insider hackers if they know they are being watched.
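One way to turn event log data into a change-management audit, as an added example that is not from the article or NNT: parse syslog lines for account and privileged-command changes, then reconcile each one against the approved change records, so anything without a covering ticket is flagged for review. The log lines are constructed approximations of Linux useradd/usermod and sudo syslog output, the change-record fields are an assumption, and the year is assumed because classic syslog timestamps omit it.

```python
"""Reconcile privileged changes seen in syslog against approved changes.

Added example, not from the article or NNT. Log lines are constructed
approximations of Linux shadow-utils (useradd/usermod) and sudo output;
the approved-change record format and LOG_YEAR are assumptions.
"""
import re
from datetime import datetime

LOG_YEAR = 2012  # syslog lines carry no year; assumed for the demo

# Constructed sample log lines from one host.
SAMPLE_LOG = """\
Feb 22 09:14:02 web01 useradd[2231]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
Feb 22 09:15:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Feb 22 09:20:11 web01 sshd[2410]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Feb 22 23:41:09 web01 usermod[3102]: add 'deploy' to group 'sudo'
Feb 22 23:42:15 web01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/iptables -F
"""

# Constructed approved-change records (what a change ticket would carry).
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "host": "web01", "actor": "alice",
     "start": "2012-02-22 09:00", "end": "2012-02-22 10:00"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"^new user: name=(?P<name>[^,]+)")
USERMOD_RE = re.compile(r"^add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")


def parse_change_event(line):
    """Return a change event for account or privileged-command lines,
    or None for lines that are not changes (logins, unrelated noise)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    prog, msg = m["prog"], m["msg"]
    if prog == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return {"ts": ts, "host": m["host"], "actor": s["actor"],
                    "change": f"ran as root: {s['cmd']}"}
    elif prog == "useradd":
        u = USERADD_RE.match(msg)
        if u:
            return {"ts": ts, "host": m["host"], "actor": None,
                    "change": f"account created: {u['name']}"}
    elif prog == "usermod":
        u = USERMOD_RE.match(msg)
        if u:
            return {"ts": ts, "host": m["host"], "actor": None,
                    "change": f"{u['name']} added to group {u['group']}"}
    return None


def reconcile(log_text, approved):
    """Tag each change event with the covering ticket, or UNAPPROVED when no
    ticket matches the host and time window (and the actor, where the log
    names one). The UNAPPROVED list is what the auditor reviews."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_change_event(line)
        if ev is None:
            continue
        ev["ticket"] = "UNAPPROVED"
        for chg in approved:
            start = datetime.strptime(chg["start"], "%Y-%m-%d %H:%M")
            end = datetime.strptime(chg["end"], "%Y-%m-%d %H:%M")
            actor_ok = ev["actor"] is None or ev["actor"] == chg["actor"]
            if chg["host"] == ev["host"] and actor_ok and start <= ev["ts"] <= end:
                ev["ticket"] = chg["ticket"]
                break
        findings.append(ev)
    return findings


def unapproved_changes(log_text=SAMPLE_LOG, approved=APPROVED_CHANGES):
    """Convenience wrapper returning only the changes lacking a ticket."""
    return [f for f in reconcile(log_text, approved) if f["ticket"] == "UNAPPROVED"]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOG, APPROVED_CHANGES):
        print(f["ts"], f["host"], f["ticket"], f["change"])
```

On the constructed sample the two daytime changes map to the ticket, while the late-night group membership change and the firewall flush have no covering record, which is exactly the kind of finding that tests whether the change process is being followed rather than merely documented.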

As evidence of the value of this approach, implementing firewall and anti-virus measures properly, with checks and balances provided via automated event log processing and file-integrity monitoring gets you around 30-35% compliant before you do anything else.

The Future of PCI-DSS

The PCI Security Standards Council insists that PCI is more about security than compliance. And it really does work - implemented correctly, the PCI-DSS will keep card holder data protected under any circumstances.

In the future, neglecting PCI Compliance measures could mean you are gambling with even higher stakes. With PCI being such a comprehensive framework, big-thinkers are arguing that PCI compliance should be leveraged to provide security for ALL company information as a whole and protect against the mainstream issue of Identity Theft. Losing card holder data is one thing, but risking your customers' personal information is potentially far more damaging and your customers won't thank you if you have been irresponsible.

This is certainly the case in Europe where, at the recent PCI Security Standards Council Meeting in London, the UK Government's Information Commissioner's Office recommended that organizations should look to implement PCI for general Data Protection. This is echoed across Europe, where ISO 27001 is taken much more seriously, especially in Germany, where the snappily entitled 'Bundesdatenschutzgesetz' (or BDSG, the Federal Data Protection Act) has real teeth.

If a German organization loses the Personal Information of its customers then it is required by law to 'confess' by placing at least two, full-page advertisements in the National press informing the public of the potential Identity Theft they have been exposed to. Even if you don't believe in the power of advertising, you wouldn't want to test what this kind of publicity does for your brand and your sales.

The closest parallels in the US are the Nevada 'Security of Personal Information' law, where Nevada Senate Bill 227 specifically states a requirement to comply with the PCI DSS, and Washington House Bill 1149 (effective Jul 01, 2010), which "recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers".

Which brings us back to the 'Safety Belt Paradox'. 50 years ago, the State of Wisconsin introduced legislation requiring seat belts to be fitted to cars. But very few people used them, because they were uncomfortable and slowed you down when starting a journey, even though most would admit they were a good idea.

So it was only in 1984, when the first US state (New York) made the wearing of a seatbelt compulsory, that the real benefits were realized. Only then did common sense become standard practice. Maybe Personal Information Protection needs the same treatment?

NNT is a leading provider of PCI DSS and general Security and Compliance solutions. As both a File Integrity Monitoring Software Manufacturer and Security Services Provider, we are firmly focused on helping organisations protect their sensitive data against security threats and network breaches in the most efficient and cost effective manner. NNT solutions are straightforward to use and offer exceptional value for money, making it easy and affordable for organisations of any size to achieve and retain compliance at all times. Each product has the guidelines of the PCI DSS at its core, which can then be tailored to suit any internal best practice or external compliance initiative.

Source: EzineArticles
