PCI DSS: Centuries in the Making?

The modern day Payment Card Industry Data Security Standard (PCI DSS) v3.1, applies a robust layered approach for the security of cardholder data, applying the concept of defence in depth (DiD). This concept is nothing new and can be seen to have been applied by the Roman Empire in the 4th century AD¹ and developed over 700 years, during the enhancements of the city of Troy² , between 1700 BC and 1190 BC.

DiD was successfully developed as the result of numerous ‘lessons identified’, following numerous conflicts and incidents over many years.

However, given this strong legacy and long history of successful application of the DiD methodology, why is it that successful business leaders are still struggling to recognise the importance of creating a robust PCI DSS citadel, for the safety and security of their customers’ cardholder data operations?

The major difference between the Romans and the Trojans and now is that the types of assets have changed.

Historically, the assets were visible, tangible assets (Helen of Troy, precious jewellery, etc.) that were clearly identifiable and easier to see. Today, technological advancements have changed the assets into a mix of tangible assets (physical credit cards, receipts, chargeback letters, etc.) and virtual, intangible assets (eCommerce, Mail Order/Telephone Order computer processed, etc.) that are more difficult to identify and locate where they might reside (databases, spreadsheets, flat files, etc.).

Added to this is the fact that most acquiring banks grant approval for merchants to process cardholder data before they have created their secure citadel, in support of their card payment operations, or they are not made aware of the associated costs and complexities of building and maintaining secure card payment processes.

How can the lessons of the Romans and Trojans be applied to modern day business card payment operations?

Likened to history, today there is a clear and present threat from hostiles attempting to penetrate your defences, in order to gain from stealing customers’ cardholder data. These attackers can range from the opportunist, amateur hacker, who is driven by 3 incentives:

• Inquisitiveness
• Challenge
• Reward (mostly not financial reward, but more personal reward—like winning a game of strategy)

Or:

The attacker could be a determined, organised criminal gang, who is informed of the value of the assets within an organisation. The criminal fraternity have changed their modus operandi to reflect the gains of the modern day. No longer do they need to go through the complexities of planning to rob a bank, much like they might have done in the 1950s or 1960s, when they can gain the same benefit from dropping in a simple piece of malware (such as a RAM scraper) into a large retail business.

These examples present the ‘kinetic’ (external) threat vectors. However, the successful application and management of PCI DSS also helps protect against the non-kinetic (insider) threat—that authorised insider who carries out an activity (either maliciously or accidentally) that causes a breach.

Would your staff help to wheel a Trojan Horse through your suite of defensive countermeasures?

What steps are required?

The city of Troy took 700 years to construct; PCI DSS is only 12 years old and still in development. However, there are a great deal of lessons we can take from history, as shown in figure 1 and listed here:

Figure 1: Nettitude PIE FARM methodology

• Plan & Prepare³
  Set up a team, within the business, to design architectural and project plans, presented within a business case, which clearly articulates what the predicted set-up and maintenance costs might be, along with defined milestones.
• Identify & Isolate
  • What are the methods of taking card payments (payment channels)?
  • What are your businesses card data flows?
  • What assets (technologies, people, processes, locations, etc.) support the card payment operations?
  • Are there any inter-connecting assets?
  • Is it possible to reduce the scope, through the creation of a Secure Bunker/Citadel (RED Channel) where the card payment systems reside, that is isolated from the non-card payment systems?
  • Which of the PCI DSS controls apply to the business?
• Evaluate
  Having established the baseline, carry out a gap analysis to provide the rapid identification of areas requiring improvement.
• Fix
  Work through a suite of remediation activities.
• Assess
  Carry out an investigation into the maturity and effectiveness of the application of the baseline controls.
• Report
  Complete a Self-Assessment Questionnaire (SAQ), against each of your payment channels (low-volume merchants) or have an independent onsite assessment, by a Qualified Security Assessor (QSA), to validate that your card payment operations are safe and secure.
• Maintain
  Do not become complacent, once having completed the process to ‘get across the line’ and achieve the compliance status. PCI DSS requires a number of mandated, scheduled activities:
  • 6-month firewall reviews
  • Quarterly card data discovery
  • Annual web application testing
  • Vulnerability and patch management
  • Daily audit trails reviews
  • Weekly change detection reviews
  • Quarterly wireless checks
  • Quarterly internal and external
  • Annual penetration testing (or after any significant change)

In complex environments, how can you hope to effectively govern your PCI DSS footprint, ensuring that assigned responsibilities are being carried out effectively and in a timely manner?

• Scheduling?
• On The Job (OJT)?
• Security Awareness?
• Well-written and -communicated, effective policies and procedures?
• Effective security incident response?
• Employment of a governance, risk and compliance tool? (shown in figure 2)⁴

Figure 2: Acuity STREAM GRC Platform

View Large Graphic

The associated PCI DSS worlds are ever-changing, dynamic environments, with the attackers become ever more creative. Therefore, as attackers create new and innovative approaches, we need to ensure that our defensive responses are just as innovative and responsive.

The benefit of this approach is that it will help to reduce the chance of suffering a breach, whilst reducing the cost and improve the overall security culture within an organisation.

“Cyber Security is everyone’s responsibility”
Federal Bureau of Investigations⁵

¹ Royal Military Academy, ‘Defence in Depth’, www.honga.net/totalwar/attila/technology.php?l=en&v=attila&f=att_fact_western_roman_empire&t=att_roman_military_defence_in_depth
² Sharlun, Glen, ‘Defense in Depth: The lessons from Troy and the Maginot line applied’, SANS Institute, 2000-2005,www.giac.org/paper/gsec/282/defense-in-depth-lessons-troy-maginot-line-applied/100331
³ Nettitude, ‘What Is PIE FARM?’, www.nettitude.co.uk/pie-farm-methodology
⁴ Acuity Risk Management, www.acuityrm.com
⁵ The Federal Bureau of Investigations (FBI), ‘Cyber Security Is Everyone’s Responsibility’, October 2012,www.fbi.gov/washingtondc/news-and-outreach/stories/cyber-security-is-everyones-responsibility

Jim Seaman, Security Consultants Team Lead for Nettitude Group

[ISACA Now Blog]