PCI Compliance – An Ongoing Process

Recently Computer World published what’s most likely the very best article dealing with PCI Compliance.  Not so much what it entails to be compliant, but what it takes to remain compliant.

The ultimate unanswerable question: Are we PCI-compliant?

PCI compliance is Zen-like. It’s hard to determine, and even when a letter declares a company PCI-compliant, that declaration can always be retroactively reversed later – such as if you’re breached. Yes, when you most need to be able to say that you are PCI-compliant is when it’s taken away.

 

The issue with PCI compliance is that the business network and the business environment is constantly changing and evolving.  There are 12 requirements in the PCI DSS.  In order to be compliant, all of these must be current all of the time.  Some remain static, meaning they don’t change.

Let’s take requirement No. 1: Install and maintain a firewall configuration to protect cardholder data. firewall-156010_640 Your PCI specialist installs and configures a firewall.  Once it has been configured properly, you’ve met the first requirement, right?  Well, sort of.  Assuming the firmware is current, and nothing changes in the network environment, the answer would be Yes, you’ve met the requirement.

Let’s go down to requirement No. 11:  Regularly test security systems and processes.  Inside this requirement is 11.1, which requires that a hardware inventory be kept up to date of all devices on the “protected” or POS network.  This is the network that handles all credit card transactions (your guest wi-fi, or any other network should NEVER be on the same sub-net as your POS traffic).  You just replaced or added a POS terminal.  Did you log it in the inventory, including the model and serial number?  If the answer is No, then you’re not compliant.

On that very same replacement terminal, you need to make sure that you have met requirements 5 and 6: Use and regularly update antivirus software; Develop and maintain secure systems and applications.  If you’ve added a location on the network for this terminal, the network diagram also needs to be updated.

Now let’s move on the the human factor in being compliant.  Each individual who handles credit cards must be trained in the methods of handling cards safely and securely, which is part of requirement 12:  Maintain a policy that addresses information security.  If you’ve hired a new employee, they must first be trained and sign-off acknowledging that they’ve been trained.  A copy of the signature page must go in their employee file.

The article in Computer World makes some outstanding points.  First,  you’re only compliant on the date that you last checked and updated (successfully) the requirements:

The reason why compliance is tied to the date the assessment was wrapped is that, in theory, any change at all to anything on the network could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows if it is compliant? 

This is where PCMDX comes in.  We take it off your shoulders and put it on ours.  We let you worry about the prime purpose of your business, and we take care of the things that we’re good at:  Keeping you compliant.

Further more, as the article states, it’s the human factor that makes you (and keeps you) compliant:

But it (software) can’t track PCI compliance — which is a human-dictated state — any more than it can declare a system “secure.” 

PCMDX is the only company in our service area (Alabama, Mississippi, Western Tennessee, Florida Panhandle) that creates a plan for your company to become, and remain, PCI Compliant.  We will visit your site, examine your existing network, create a plan to make your network compliant, implement the plan, and then keep it maintained on a regular schedule.

Contact us today for a free, no-obligation consultation.  You’ll be glad you did.

 

 

 

Can you be a target for a phishing scam? Take the quiz and find out.

What’s the easiest way to get into a locked building?  Use the key.  What’s the easiest way to get the key?  Get it from the person who has it.

Your network is a building, metaphorically speaking.  Each device (computer, printer, network attached storage, etc.) is a room in the building and each device is protected by a user name and password, or at least should be. The user name and password are the credentials of the device, and are the “keys” to the room.  Usually, in order to make our life simple, once we insert our key (user name/password) into the building (network), we’re granted access to the rooms (devices) our gatekeeper/keymaster (network administrator) has decided we can go into.

Because we’ve become more security conscious over the past few years (we don’t use the password “password” or “123456” anymore…do we?!), the bad guys (hackers) have become more sophisticated.  They use various methods to get the keys.  Some use social engineering.  Others use brute force attacks.  And still others prey on the lack of computer knowledge of network users.

The last group uses “phishing” expeditions in order to get the keys.  This is a play on words on “fishing expedition”.  On a fishing expedition, we go out and see how many fish we can catch.  We target our area, throw out the line, which has bait on it, and see what happens.

A phishing expedition is no different.  The bad guys send out hundreds of thousands of e-mails that have malicious content, and see how many take the bait.  Once the targets take the bait, it’s pretty much over with.  Some of the malicious payload may be a virus or Trojan that captures your “keys”.  Others may be ransomware that encrypt your hard drive and demand money in order for you to get access to your files again.  Regardless of the payload, it’s all bad, which is why we call it “malware”, “mal” being the Latin word for “bad”.

Phishing expeditions are not limited to just gaining access to work networks.  They can also be used to gain access to bank accounts, credit card accounts, or any other password protected site.

So how do you protect yourself or your company?  At PCMDX we take a multi-level approach.  Securing the perimeter is very important.  We use a firewall to do so.  This prevents the bad guys from simply walking into your network through an unlocked door.

We also protect all of your devices by using anti-malware software, applying patches and updates on a regular basis, and making sure there’s no vulnerabilities on the network, such as devices that have out-of-date firmware, or computers with out-of-date operating systems, such as Windows XP or Windows Server 2013

We also believe in training and education.  The more your users know about how to protect themselves, the easier our job is, and the more secure your network becomes.

Keeping your network secure is not a one-time thing.  It requires regular maintenance, and regular training.  Every time the good guys find a way to block the bad guys from gaining access to the network, the bad guys come up with new ways to break in.

Here is a test that you can take yourself or give to your staff to find out how much you and they know about phishing expeditions.  If you score below a 100%, give us a call so that we can begin to secure your business or network.

Phishing Quiz

PCMDX is based in Hoover, Alabama and serves businesses that have 15 computers or less in Alabama, Mississippi, Western Tennessee and the Florida Panhandle.  If you’re a merchant that takes credit cards, you’re required to be PCI Compliant and PCMDX can take care of all of your PCI Compliance needs.  If you’re a medical practice, you need to be HIPAA compliant, and our engineers are HIPAA specialists.

Call us today for your free consultation at 205-201-0389 or via e-mail at pcmdxal@gmail.com .