Easy Steps on the path to PCI Compliance
Thursday, February 11, 2010
(Members Only Software, Inc.)

When you imagine someone breaching your security to steal credit card information, you probably think of a room in a country far away, filled with coffee-guzzling, internet-surfing, twenty-year-old hackers with two days of beard and more knowledge of computer networks than you'll ever have.

Well, think again. According to statistics available from the PCI Security Standards Council, over 50% of all breaches implicate the victim's staff or business partners. And 80% of all credit card incursions are not technologically sophisticated or difficult.

In a way this is good news - it means a lot of risk can be locked out by closing some fairly straightforward doorways. But many of these are the very doors I've seen system administrators prop open for convenience. Lock these doors and you've taken some easy - but important - steps toward compliance with the card issuers' standards. Even more importantly, you've taken real steps toward protecting your customers' interests.
I dropped into a client's office one day to look at a problem they were having with their point of sale system. I was just back from a two-day seminar on credit card security that the PCI gave, so I was looking at things with sharpened eyes. After a few pleasantries we had the following brief conversation.
"Can I get on the network?"

-- "Sure - just use the admin password - it's the same as it's always been."

"And I need to log on to the POS system too."

-- "Well, you know the password - we left it at the default."

"Can I get my laptop on the domain?"

-- "Just jump on the wireless - it's on the LAN. By the way, one of your staff tried to diagnose this remotely yesterday - you guys can connect on Terminal Server anytime, you know."
Yikes. In 120 seconds I'd uncovered four specific violations of the PCI requirements. More importantly, these are four real security vulnerabilities - vulnerabilities that make the net easy prey for any insider up to no good. And this despite the fact that the POS system we were troubleshooting was specifically chosen for its PA-DSS certification.
"Just use the admin password - it's the same as it's always been." Who knows how many people know how to get onto this network at the admin level by now? And if a bad apple who knows this account does break in and do some mischief, how will you ever know? The logs will just say the admin logged in. PCI requires you to force password changes on a regular basis, and to give each user a unique account. If you have five people who need admin access to your network, that's cool. But give each of them a separate admin-level account.
"Well, you know the password - we left it at the default." If you do this, anyone who knows the application or device -- like an employee of the vendor -- can break in on the first try. PCI requires that you never leave a hardware or software password at its factory preset. This includes routers, payment applications, and any other component of the network.
"Just jump on the wireless - it's on the LAN." Wireless security is notoriously easy to crack, and applications to do just that are easily available. But we're worrying about insiders here, anyway. A wireless connection to your LAN makes it all too easy for someone to connect a device or a PC that you are not aware of to your net. PCI prohibits the connection of wireless devices to a network storing or transmitting cardholder data. Of course you need wireless, but put it outside your LAN. You need to know what is connected to your system.
"You guys can connect on Terminal Server anytime, you know." It's bad enough that you need to worry about the possibility of insider theft. Allowing your vendors unpoliced remote access to your system leaves you vulnerable to people you may never even have heard of. PCI requires you to keep these channels CLOSED except by specific arrangement. You lock your doors at night, don't you?
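The four open doors above are the kind of thing a site can check for itself from an inventory of accounts, network segments and remote-access channels. The script below is an added example, not from the original post or from Members Only Software; the inventory layout, the sample entries and the 90-day password-age threshold are assumptions made for the example.

```python
"""Audit a site inventory for the four 'open doors' from the conversation above.

The inventory format and the 90-day rotation threshold are assumptions for this
example; the finding categories map one-to-one to the four items in the post.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation interval, not a value from the post

# Constructed sample inventory modelled on the client site in the story.
INVENTORY = {
    "today": date(2010, 2, 11),
    "accounts": [
        # One admin login shared by staff and the vendor, unchanged for years.
        {"name": "admin", "used_by": ["alice", "bob", "vendor"],
         "last_changed": date(2007, 1, 1), "is_default": False},
        # POS application login still at the factory preset.
        {"name": "pos_admin", "used_by": ["alice"],
         "last_changed": date(2010, 1, 20), "is_default": True},
    ],
    "segments": {
        "cardholder_lan": {"handles_card_data": True, "wireless": True},
        "guest_wifi": {"handles_card_data": False, "wireless": True},
    },
    "remote_access": [
        # Terminal Server reachable by the vendor at any time, no arrangement.
        {"service": "Terminal Server", "enabled": True, "approved_window": None},
    ],
}


def audit(inv):
    """Return (category, detail) findings; an empty list means all doors are shut."""
    findings = []
    today = inv["today"]
    for acct in inv["accounts"]:
        if len(acct["used_by"]) > 1:  # logins can't be attributed to a person
            findings.append(("shared_account", acct["name"]))
        if (today - acct["last_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(("stale_password", acct["name"]))
        if acct["is_default"]:  # factory preset still in place
            findings.append(("default_password", acct["name"]))
    for name, seg in inv["segments"].items():
        if seg["handles_card_data"] and seg["wireless"]:  # wireless on the CDE
            findings.append(("wireless_on_cardholder_lan", name))
    for chan in inv["remote_access"]:
        if chan["enabled"] and chan["approved_window"] is None:  # door left open
            findings.append(("open_remote_access", chan["service"]))
    return findings


if __name__ == "__main__":
    for category, detail in audit(INVENTORY):
        print(f"{category}: {detail}")
```

Running it against the sample inventory reports five findings, one for each door in the conversation plus the stale shared password.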
Security need not be rocket science: when you keep in mind that a truly significant number of credit card compromises are inside jobs, the importance of closing these open doors is obvious.
(c) Michael Stein, 2010