PCI DSS compliance requirements differ for every business depending on whether it stores, processes or transmits payment cardholder data. Disregarding this basic distinction has led to serious errors in reviewing payment processing environments, so much so that our consulting sessions are never complete without an emphasis on why merchants and payment application developers need different security controls in place for effective compliance.
Role of network security monitoring in gap assessment and remediation
Many payment gateway application vendors and service providers believe that all it takes to assess compliance is a one-time external vulnerability scan by an Approved Scanning Vendor (ASV). Sure, that is a quick way to get certified, but be aware of the false sense of security it gives. (There is a reason they are called PCI DSS ‘requirements’ and not ‘recommendations’.)
Traditional compliance gap assessment is usually based on interviewing company personnel and relying on the information they recall. The problem with this is limited knowledge of the “who, what, where and when” of the entities actually accessing your payment storage and processing resources.
Requirement 10 of PCI DSS mandates tracking and logging of all access to network resources and cardholder data, even for the smallest service provider or merchant.
If your organization needs a solid wall of defense, a smart move is to make the most of what network security monitoring has to offer:
- In the early stage of business requirements mapping, network traffic analysis helps in identifying PCI data touch points on the corporate network for accurate assessment of the risk ratio between your business and your payment gateway vendor. This will help in weighing costs and benefits as well as in evaluating the need for short-term control implementation versus long-term solutions.
- The fundamental goal of employing NetFlow analysis in PCI compliance is network/asset inventory and basic transaction workflow audits, apart from its uses in forensics. But incident response experts would offer a higher perspective on the role it plays in addressing gaps in the logs of, say, web application filters, firewalls and other signature-based detection systems. It essentially means keeping a real-time tab on network traffic to and from the payment card application and being covered from every angle.
- Continuous flow-based network monitoring also checks for open ports and services across virtualized card data storage or transmitting environments to ensure that each virtual component is confined to a single role and is given access to only those ports and services required for its role. Such ‘rule reviews’ are useful in verifying that PCI data is not stored on internet-accessible web servers.
- PCI DSS specifically requires that access to all network resources that handle cardholder data in transit is monitored. Automating discovery of assets and host-based detection will keep you notified of unauthorized remote login attempts as well as other valid and invalid authentication attempts on your critical systems.
- Lastly, adopt a policy that facilitates linking of all activities to individual users. Continuous network monitoring would be pointless without granular behavioral monitoring and privilege escalation detection. Integrate all login data from authentication sources and VPNs and have users with administrative access verified.
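As an added example (not code from the original post), here is a small Python rule review over constructed NetFlow-style records: it builds a per-host inventory of observed ports, flags traffic to a cardholder-data host on a port its role does not allow, and flags external sources reaching hosts that are not supposed to be internet-facing. The role policy, host names, addresses and flow records are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed role policy: each CDE host has one role, a fixed set of
# ports that role may accept, and a flag saying whether it may be reached
# from outside the corporate network.
ROLE_POLICY = {
    "db-card-store": {"allowed_ports": {5432}, "internet_facing": False},
    "web-front":     {"allowed_ports": {443},  "internet_facing": True},
    "app-pay":       {"allowed_ports": {8443}, "internet_facing": False},
}
HOSTS = {"10.0.1.10": "db-card-store", "10.0.2.20": "web-front",
         "10.0.3.30": "app-pay"}
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate address space

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.3.30",   "10.0.1.10", 5432, 40000),  # app -> db, expected
    ("203.0.113.5", "10.0.2.20",  443,  1500),  # external -> web, expected
    ("203.0.113.9", "10.0.1.10", 5432,   900),  # external -> db, must not happen
    ("10.0.2.20",   "10.0.1.10",   22,   300),  # web -> db ssh, outside role
    ("10.0.3.30",   "10.0.1.10", 5432,   200),
]


def review_flows(flows, hosts=HOSTS, policy=ROLE_POLICY):
    """Return (inventory, findings): inventory maps each CDE host name to the
    destination ports seen in the flows; findings lists policy violations as
    (host_name, src_ip, dst_port, reason)."""
    inventory = defaultdict(set)
    findings = []
    for src, dst, dport, _nbytes in flows:
        if dst not in hosts:          # only review flows into CDE hosts
            continue
        name = hosts[dst]
        rule = policy[name]
        inventory[name].add(dport)
        if dport not in rule["allowed_ports"]:
            findings.append((name, src, dport, "port outside role"))
        external = ip_address(src) not in INTERNAL_NET
        if external and not rule["internet_facing"]:
            findings.append((name, src, dport,
                             "external source to non-internet-facing role"))
    return dict(inventory), findings


if __name__ == "__main__":
    inv, found = review_flows(FLOWS)
    print("observed ports per host:", inv)
    for host, src, port, reason in found:
        print(f"FINDING {host} <- {src}:{port} ({reason})")
```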
From an audit perspective, logging and netflows are signs of a thriving security management plan.
Give us a call if you are looking for compliance management that is simple and self-sustaining.
It pays to be sure whether a solution will work for you. Visit alephtavtech.com to know more.