The Ongoing Debate about the Gap between Compliance and Security

March 6, 2015  |  Patrick Bedwell

Companies required to comply with the Payment Card Industry Data Security Standard (PCI DSS) must meet a wide range of technical and operation requirements. The challenge organizations face regarding PCI compliance has shifted from achieving the minimum level required to satisfy PCI audit requirements to incorporating security best practices into everyday activities. Otherwise, the potential exists to achieve compliance yet still be fundamentally insecure because of the lack of adoption of best practices.

The 411 on PCI DSS 3.0

PCI DSS 3.0 contains over 300 separate security controls that roll up under 12 requirements and apply to all entities involved in payment card processing—including merchants, processors, financial institutions, and service providers. Compliance with the updated 3.0 standard was voluntary in 2014 and became mandatory on Jan 1, 2015. Penalties to acquiring banks (those banks or institutions that process payment information on behalf of merchants) for non-compliance can be as high as $100,000 per month; those banks will undoubtedly pass any fines down to the merchants whose non-compliance caused them.

Achieving Compliance "One Technology at a Time" is Lame

Most organizations seek to meet PCI requirements by incrementally improving security controls through multiple stand-alone point products, often deployed one after another. Relying on separate technologies creates a costly, time-consuming deployment and integration burden. This point-product approach is especially challenging for smaller organizations that have fewer resources to acquire, configure, and manage those separate technologies.

A Better Way: Process Automation via Unified Security Management

An alternative to deploying multiple point products is a unified approach to technology. A unified approach allows you to manage the deployment and configuration of a wide range of technologies from a single console, and to correlate the resulting alerts and remediation guidance in one place. It also bridges the gap between satisfying an audit and implementing truly functional security controls. Implementing the right controls and being prepared for a PCI audit every day is a result any organization can achieve with the right tools and the right mindset.

PCI compliance requires a substantial commitment to operationalize control activities. As organizations add the technologies needed to comply with the requirements in PCI DSS 3.0, they need to internalize the concepts embedded in those requirements as well. In other words, incorporating those behaviors is essential to the transition from a time-consuming, reactive approach to compliance to an automated approach that reduces both the cost and the complexity of maintaining compliance.

Automating compliance-related behaviors makes sound business sense for a number of reasons, including:

  • Eliminates dependence upon any individual
  • Embeds monitoring systems into operations
  • Drives down the cost of maintaining compliance

Recently, guest blogger Jeff Weekes, in his “PCI-DSS Compliance Checklist - A Recipe For Success”, suggested several processes that organizations should investigate as candidates for automation in order to accelerate compliance:

  • Asset Discovery and Management
  • Logging and Security Event Monitoring
  • File Integrity Monitoring
  • Incident Response Tracking
  • Vulnerability Identification and Management
  • Default Password Checks

How a Unified Security Management Platform Works for You

Asset Discovery and Management

An essential component of achieving PCI compliance is knowing which devices are in scope and what their patch levels are. You can automate both the discovery and the ongoing monitoring of those devices, as well as of the software deployed on them.

Logging and Security Event Monitoring

The AlienVault USM platform aggregates, correlates, and analyzes your security events. Over 1,800 built-in correlation rules eliminate the need for manual correlation and analysis of events.

Incident Response Tracking

With USM, you can automatically identify and investigate security incidents using built-in threat intelligence, and manage the response from the same platform.

File Integrity Monitoring

File Integrity Monitoring (FIM) tracks who has accessed sensitive data and what they did to it. This provides the necessary audit trail and lets you validate that each change was authorized, expected, and did not jeopardize the integrity or security of the data.

Default Password Checks

Built-in, automated vulnerability assessment identifies the use of weak and default passwords, and the host IDS and FIM components alert when default passwords are used.

Don’t Debate: Implement Appropriate Security Controls

My advice is to focus first on a very basic but often overlooked aspect of security (what’s on your network) and to make incremental improvements via automation with existing tools. Too many times we read that a breach started with an unknown asset overlooked by the IT team, with a patchable vulnerability being targeted by a bad actor. Are you conducting regular asset discovery and vulnerability assessment scans with your existing tools to document compliance? Great. Why not automate that, to ensure it’s happening consistently? If that’s under control, then move on to more complex tasks. But if you have not automated these basic steps in reducing the risk of compromise, you’ve got some work to do.

Your overall goal should be to maintain a security posture with the right controls in place, so that a PCI audit is just a checkpoint confirming that everything is working properly. In general, PCI has been a good thing for setting a “least common denominator”, but ultimately your organization needs a unified security management approach to achieve the true objective.
