Regularly Monitor and Test Networks
The fifth core of the Payment Card Industry Data Security Standard (PCI DSS) consists of two requirements:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Track and Monitor All Access to Network Resources and Cardholder Data
We have said it in the past few posts, but it bears saying again. Audit trail history should be retained for at least one. These logs should provide the company with:
- Unique User Identification
- Type of Event
- Date and Time
- Origination of Event
- Success or Failure Indication
- Identity / Name of Affected Data, System Components, Resources
These logs should be secure, unable to be altered by anyone, and viewable only by a limited set of people. Times on all systems should be synchronized. Logs should be reviewed daily for unknown events. It sometimes takes days or weeks before a breach is reported by a cardholder.
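The following is an added example, not code from the original post, of what a daily log review of the record fields listed above can look like in practice. It assumes a JSON-lines audit format with the hypothetical field names user_id, event_type, timestamp, origin, outcome and target (one per required item), uses a SHA-256 hash chain as one way to make later alteration of the retained file detectable (a technique chosen for illustration, not something the post prescribes), and treats a timestamp that lies ahead of the reviewer's clock as a sign that system time is not synchronized. The sample log lines are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# One key per item the post says every audit record must carry (hypothetical names).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "origin", "outcome", "target")

# Constructed sample audit trail: line 3 lacks the affected resource,
# line 4 has a timestamp no parser will accept.
SAMPLE_LOG = """\
{"user_id": "jdoe", "event_type": "login", "timestamp": "2024-03-01T10:00:00+00:00", "origin": "10.1.2.3", "outcome": "success", "target": "cde-app01"}
{"user_id": "svc_batch", "event_type": "read_pan", "timestamp": "2024-03-01T10:05:10+00:00", "origin": "10.1.2.9", "outcome": "failure", "target": "cardholder_db"}
{"user_id": "admin", "event_type": "config_change", "timestamp": "2024-03-01T12:30:00+00:00", "origin": "10.1.2.3", "outcome": "success"}
{"user_id": "jdoe", "event_type": "logout", "timestamp": "not-a-time", "origin": "10.1.2.3", "outcome": "success", "target": "cde-app01"}
"""

# The moment the (constructed) daily review is run.
REVIEW_TIME = datetime(2024, 3, 2, tzinfo=timezone.utc)


def validate_record(rec, now, max_skew=timedelta(minutes=5)):
    """Return the list of problems with one audit record (empty list means it is complete)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if rec.get(field) in ("", None):
            problems.append(f"missing {field}")
    ts = rec.get("timestamp")
    if ts:
        try:
            when = datetime.fromisoformat(ts)
            if when.tzinfo is None:
                problems.append("timestamp lacks timezone")
            elif when > now + max_skew:
                # A record dated later than the reviewer's clock points at unsynchronized time.
                problems.append("timestamp in the future (clock skew?)")
        except ValueError:
            problems.append("unparseable timestamp")
    return problems


def chain_hash(prev_hash, line):
    """Link each raw line to the hash of everything before it."""
    return hashlib.sha256(prev_hash.encode() + line.encode()).hexdigest()


def review_log(text, now):
    """Daily review: flag incomplete records, list failed events, compute the chain head."""
    findings, failures = [], []
    prev = "0" * 64
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        prev = chain_hash(prev, line)
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, ["malformed JSON"]))
            continue
        problems = validate_record(rec, now)
        if problems:
            findings.append((n, problems))
        if rec.get("outcome") == "failure":
            failures.append((n, rec.get("user_id"), rec.get("event_type"), rec.get("target")))
    return {"findings": findings, "failures": failures, "chain_head": prev}


def verify_chain(text, expected_head):
    """Recompute the chain over the retained file; any edited line changes the head."""
    prev = "0" * 64
    for line in text.splitlines():
        if line.strip():
            prev = chain_hash(prev, line)
    return prev == expected_head


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG, REVIEW_TIME)
    for n, problems in result["findings"]:
        print(f"line {n}: {', '.join(problems)}")
    for n, user, event, target in result["failures"]:
        print(f"line {n}: FAILED {event} by {user} on {target}")
    print("chain head:", result["chain_head"])
```

The chain head is what you store separately (or send to a write-once log server) at the end of each day; re-running verify_chain against the retained file later tells you whether any line was changed, which is the practical meaning of "unable to be altered".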
Regularly Test Security Systems and Processes
Systems should be scanned to discover potential vulnerabilities. A vulnerability scan is an automated tool run against external and internal access points and servers on the network that will help identify ports and vulnerabilities that could be exploited by hackers. If any vulnerabilities are detected, steps should be taken to fix them immediately. Network intrusion detection systems should also be in place.
Approved Scanning Vendor
Most merchants will be required to have a quarterly scan completed by an Approved Scanning Vendor (ASV). Approved Scanning Vendors can complete the quarterly scan for your company. Only choose a vendor that is listed on the Approved Scanning Vendors web page. Otherwise, you might compromise your data or the scan will not be accepted by the council. The scan requirements are quite rigid - all 65,535 ports will be scanned. Any vulnerability that is rated between three and five must be fixed. You will also get two reports:
- An executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation
- A technical report that details all vulnerabilities detected with solutions
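Below is an added example, not code from the original post or from any ASV, showing how a merchant might triage a scan report against the rules just stated: confirm the scan actually covered all 65,535 ports, separate findings rated 3 to 5 (read here as inclusive) that must be fixed from advisory ones, produce the executive-summary counts and the per-host technical detail, track remediation, and work out when the next quarterly scan is due. The report structure, the field names and the sample findings are constructed (the addresses are documentation-range placeholders), and "quarterly" is approximated as 90 days, which is an assumption.

```python
import copy
from collections import Counter
from datetime import date, timedelta

TOTAL_TCP_PORTS = 65535        # the post: an ASV scan covers all 65,535 ports
MUST_FIX_MIN_SEVERITY = 3      # the post: findings rated 3 to 5 must be fixed
QUARTER_DAYS = 90              # assumption: "quarterly" treated as every 90 days

# Constructed sample report in a hypothetical structure; hosts are placeholders.
SAMPLE_REPORT = {
    "scan_date": "2024-02-15",
    "ports_scanned": list(range(1, TOTAL_TCP_PORTS + 1)),
    "findings": [
        {"host": "203.0.113.10", "port": 443, "severity": 4, "status": "open",
         "title": "Deprecated TLS version enabled", "solution": "Disable the deprecated protocol version"},
        {"host": "203.0.113.10", "port": 22, "severity": 2, "status": "open",
         "title": "Service banner discloses version", "solution": "Suppress the version in the banner"},
        {"host": "203.0.113.11", "port": 80, "severity": 5, "status": "fixed",
         "title": "Unsupported web server release", "solution": "Upgrade to a supported release"},
        {"host": "203.0.113.11", "port": 3306, "severity": 3, "status": "open",
         "title": "Database port reachable from the Internet", "solution": "Restrict with firewall rules"},
    ],
}


def validate_report(report):
    """Sanity checks before trusting a report: full port coverage, 1-5 rating per finding."""
    errors = []
    covered = set(report["ports_scanned"]) & set(range(1, TOTAL_TCP_PORTS + 1))
    if len(covered) != TOTAL_TCP_PORTS:
        errors.append(f"scan covered only {len(covered)} of {TOTAL_TCP_PORTS} ports")
    for f in report["findings"]:
        if not 1 <= f["severity"] <= 5:
            errors.append(f"{f['host']}:{f['port']} has out-of-range severity {f['severity']}")
    return errors


def must_fix(finding):
    return finding["severity"] >= MUST_FIX_MIN_SEVERITY


def open_must_fix(report):
    """Findings that still block a passing scan, highest severity first."""
    items = [f for f in report["findings"] if must_fix(f) and f["status"] != "fixed"]
    return sorted(items, key=lambda f: (-f["severity"], f["host"], f["port"]))


def executive_summary(report):
    """The numbers an executive summary carries; compliant only when nothing rated 3-5 is open."""
    by_severity = Counter(f["severity"] for f in report["findings"])
    blocking = open_must_fix(report)
    return {
        "scan_date": report["scan_date"],
        "hosts": len({f["host"] for f in report["findings"]}),
        "findings_by_severity": dict(sorted(by_severity.items())),
        "open_must_fix": len(blocking),
        "compliant": not blocking,
    }


def technical_report(report):
    """Per-host detail with the solution beside each finding, as the technical report lists it."""
    lines = []
    for host in sorted({f["host"] for f in report["findings"]}):
        lines.append(f"Host {host}")
        for f in sorted(report["findings"], key=lambda f: f["port"]):
            if f["host"] == host:
                flag = "MUST FIX" if must_fix(f) else "advisory"
                lines.append(f"  port {f['port']:>5}  sev {f['severity']}  "
                             f"[{flag}/{f['status']}] {f['title']} -> {f['solution']}")
    return lines


def mark_fixed(report, host, port):
    """Return a copy of the report with one finding marked fixed; the original is untouched."""
    updated = copy.deepcopy(report)
    for f in updated["findings"]:
        if f["host"] == host and f["port"] == port:
            f["status"] = "fixed"
    return updated


def next_scan_due(report):
    return date.fromisoformat(report["scan_date"]) + timedelta(days=QUARTER_DAYS)


def scan_overdue(report, today):
    today = date.fromisoformat(today) if isinstance(today, str) else today
    return today > next_scan_due(report)


if __name__ == "__main__":
    print("report problems:", validate_report(SAMPLE_REPORT))
    print(executive_summary(SAMPLE_REPORT))
    print("\n".join(technical_report(SAMPLE_REPORT)))
    print("next scan due:", next_scan_due(SAMPLE_REPORT))
```

Run it on the sample and the summary shows two open must-fix items, so the scan does not pass; marking both fixed (the real work being done on the hosts, then a rescan) flips the summary to compliant, and the coverage check catches a report that only looked at the first 1,024 ports.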
Selecting a PCI Network Security Testing Service
While there are a number of Approved Scanning Vendors listed, there are three critical things to look for when choosing a company:
- Accuracy: False positives (and even false negatives) increase the activities and costs associated with working through findings. You do not want a company that generates a large number of false positives or false negatives, because each one adds to the time you have to spend working through the issues.
- Efficient Vulnerability Remediation Process: The company should offer technical support to fix each issue found.
- Automated Report Preparation and On-Line Filing: This will reduce the work and time you spend on getting PCI compliance if the company offers automatic report preparation and electronic filing.
Qualified Security Assessor
Large merchants that are considered Level One (or merchants that have had a data breach) are required to have an on-site security audit performed by a Qualified Security Assessor (QSA). These vendors are authorized to perform the annual audits. QSAs are companies that assist organizations in reviewing the security of their payment transaction systems and have trained personnel and processes to assess and validate compliance with PCI DSS.