The Retailer's Guide to Becoming and Remaining PCI Compliant

No retail organization wants to be a target, but the reality within the modern threat landscape is that each and every retailer that deals with credit cards is guaranteed to become the target of cyber threats. Being PCI compliant is the first step in ensuring that a standard security framework is applied throughout all the systems that store, transmit or process critical data.

Retailers need a way to ensure that they're protecting their systems adequately while maintaining control over their risk around both compliance and security. There are many steps retail organizations can take to ensure both continuous security and compliance in their fight against modern cyber threats.

Visibility and Distinguishability
In order to control the cost and administrative load of the compliance process, there's much value derived by spending time to adequately scope or segment the parts of the infrastructure that have PCI relevance. This exercise helps to prioritize the approach to compliance as well as identify the critical systems and data that require focus. Assets can be prioritized by data criticality through segmentation, helping administrators avoid the increased complexity of the compliance metrics for which the in-scope data is held.

The most recent version of PCI calls for focus on the business process or "Business as Usual," (BAU) which is really helping organizations focus on the business process that's involved in both processing data as well as continued business. Solutions that can provide full visibility and monitoring of enterprise assets and that focus on the business process or a trust policy are useful in helping organizations get a handle on their infrastructure in a less intrusive way. Once the business policy is established, companies can easily get a quick snapshot of the corporate assets that are affected by compliance and gain insight on the level of risk posed to both the compliance and security of the organization at any given time.

A positive security approach based on trust can also set an established baseline for inventory on the retail endpoints that are under control, putting the retailer in a proactive state. This will negate the need for frequent negative, performance-consuming, periodic scanning, which can often drive the endpoint to a halt. Companies must be agile in order to face emerging threats in today's retail landscape. By adopting a positive business process-monitoring stance, response time can be drastically reduced when things go awry.

Control and Governance
It's imperative to the PCI compliance and security reporting process that retail organizations maintain a thorough real-time inventory of all business endpoints, as well as remaining in control of those endpoints from a security perspective. By using a "positive" security solution that can map to the company's business process, a known good is established (i.e., essentially an inventory of known trusted applications that can run or execute on an individual endpoint).

By adapting a solution based on trust, no potential vulnerabilities can possibly be exploited since the root of the exploit is outside the known trusted source and will not execute. A controlled environment that focuses on the BAUs can also help solve a common problem that's affecting the compliance of many retailers: unsupported systems. Retail systems are often widely distributed and geographically diverse. This also tends to be accompanied by aging operating system software and applications that can't necessarily be updated overnight.

The proliferation of Windows XP point-of-sale systems is a good example of this type of issue. By hardening systems to the business rules for the retail endpoints, retail systems that are no longer supported can remain secure and compliant. A trust-based approach helps to ensure vulnerability violations are taken out of the regulatory mix, providing a valid option to the required patching process that would be needed under traditional approaches. Patches can be applied on any pre-defined schedule rather than under the schedule of the OS or the compliance regulations. The trust-based solution deployed across the endpoints will eliminate the risk of compliance vulnerabilities and provide intelligent real-time monitoring of the file system, based on a set of "known good."

Change vs. Modification
Any retail organization that's considered by PCI has a need to actively monitor in-scope and critical files for change. These days, the amount of changes that may have to be monitored can add significant administrative time to the process of identifying those key changes that are critical and significant to the security or compliance of the organization. A solution put in place that has the ability to stop or block unauthorized change to critical assets will greatly reduce the administrative work of sorting through all the expected and unexpected changes.

The key behind identifying critical change is that it can greatly narrow the scope of ensuring the security and compliance aspects of PCI. Controlled change enables organizations to collect and track all compelling in-scope affected assets and analyze critical change on the front end. Up-front filtering also helps provide relevant and required data for auditors and assessors who need to demonstrate security control effectiveness up to the retail board or audit committee. During assessment validation, and especially during a forensics investigation, change events that focus on the business process can save vast amounts of time and money when the data is ready and waiting without the need to mine it out of the repository and filter after the fact.

Enforcement and Execution
The last suggestion for retailers attempting to stay on top of security and PCI compliance would be to take a second look at their policies and procedures. Furthermore, retailers need to ensure that all the stakeholders that have a responsibility to uphold those policies and procedures understand their respective responsibilities. It's imperative that everyone within a retail enterprise knows his or her part in the company's overall risk management strategy.

Any compliance or security program is only as strong as the people running it. A mechanism needs to be put in place that guarantees the distribution and consumption of the security policy. Compliance managers and auditors will need to get a real-time status report on the acceptance of the policy and awareness training. A system that employs a trust policy focusing on the critical business processes of the retail business will be able to enforce the consumption of the security policy and then track compliance to the policy.

A policy-based solution would enable the configuration of multiple levels of control out to the endpoints as well as maintain the visibility to monitor the acceptance of the security and compliance awareness. This data will enable retailers to have the report capability to ensure their auditors have what they need to complete the validation process. This data will also be useful in gathering both acceptance and consumption of the compliance and security policy. This, in turn, leads to the ability of the retailer to get a true sense of risk to their enterprise at any given time.

At the end of the day, retailers that can harness the active intelligence that positive security provides and that can react quickly and efficiently to that one incident when it happens will be the ones who come out on top.

Chris Strand is a senior solutions consultant and compliance specialist for Bit9, a provider of endpoint and server security.