Easy Steps on the path to PCI Compliance

(Members Only Software, Inc.)

When you imagine someone breaching your security to steal credit card information, you probably think of a room in a country far away, filled with coffee-guzzling internet-surfing twenty year old hackers with two days of beard and more knowledge of computer networks than you'll ever have.

Well, think again. According to statistics available from the PCI Security Standards Council, over 50% of all breaches implicate the victim's staff or business partners. And 80% of  all credit card incursions are not technologically sophisticated or difficult.

In a way this is good news - it means a lot of risk can be locked out by closing some fairly straightforward doorways. But many of these are the very doors I've seen system administrators prop open for convenience. Lock these doors and you've taken some easy  - but important - steps toward compliance with the card issuers' standards. Even more importantly, you've taken real steps toward protecting your customers' interests.

I dropped into a client's office one day to look at a problem they were having with their point of sale system. I was just back from a two-day seminar on credit card security that the PCI gave, so I was looking at things with sharpened eyes. After a few pleasantries we had the following brief conversation.

"Can I get on the network?"
 -- "Sure - just use the admin password - it's the same as its always been"

"And I need to logon to the POS system too"
 -- "Well, you know the password - we left it at the default."

"Can I get my laptop on the domain?"
-- "Just jump on the wireless - its on the LAN. By the way, one of your staff tried to diagnose this remotely yesterday - you guys can connect on Terminal Server anytime, you know"

Yikes. In 120 seconds I'd uncovered four specific violations of the PCI requirements.  More importantly, these are four real security vulnerabilities. Vulnerabilities that make the net easy prey for any insider up to no good. And this despite the fact that the POS system we were troubleshooting was specifically chosen for its PA-DSS certification.

Just use the admin password - it's the same as its always been.  Who knows how many people know how to get onto this network at the admin level by now? And if a bad apple who knows this account does break in and do some mischief, how will you ever know? The logs will just say the admin logged in. PCI requires to you force password changes on a regular basis, and to give each user a unique account. If you have five people who need admin access to your network, that's cool. But give each of them a separate admin-level account.

Well, you know the password - we left it at the default. If you do this, anyone who knows the application or device -- like an employee of the vendor -- can break in on the first try.  PCI requires that you never leave a hardware or software password at its factory preset. This includes routers, payment applications, and any other component of the network.

Just jump on the wireless - its on the LAN. Wireless security is notoriously easy to crack, and applications to do just that are easily available. But we're worrying about insiders here, anyway. A wireless connection to your LAN makes it all too easy for someone to connect a device or a PC that you are not aware of, to your net. PCI prohibits the connection of wireless devices to a network storing or transmitting cardholder data. Of course you need wireless, but put it outside your LAN. You need to know what is connected to your system.

You guys can connect on Terminal Server anytime, you know.  Its bad enough that you need to worry about the possibility of insider theft. Allowing your vendors unpoliced remote access to your system leaves you vulnerable to people you may never even have heard of. PCI requires you to keep these channels CLOSED except by specific arrangement. You lock your doors at night, don't you?

Security need not be rocket science: when you keep in mind that a truly significant number of credit card compromises are inside jobs, the importance of closing these open doors is obvious.

 (c) Michael Stein, 2010