Security's Everyman

Security's Everyman

Wednesday, August 08, 2007

PCI and your network

Many of us work for companies that have to comply with various regulations. HIPAA, SOX, GLBA, FISMA, PCI, and on and on. For me in my current position it it PCI. I am familiar with the basics of most of the above mentioned regulations and know enough about them to tell you that many of them are vague (which may or may not be good) and difficult to interpret and understand. PCI is NOT one of those that falls under that category. PCI is pretty clear and does pretty much everything except tell you what brand of equipment to use and what vendor to buy it from.

I read a couple of articles today by Rebecca Herold and Ben Rothke at that got me to thinking a little about my own PCI woes today. Both of these articles assert that PCI is not a complex monster like some would lead you to believe. It is fairly clear and straightforward. Yet lots of people complain about it and talk about how much it costs to comply and how much work is involved and how long it takes. Which is true to some degree. It can be long, costly and time consuming, but it is still just basic information security sense.

Between the stuff that you can find at the PCI Security Standards web site and a little searching (still not using Google unless I have to) you can find just about everything that you need to put together a plan to be compliant in short order. That doesn't mean that there will be some areas that you need clarification and direction on. There will be questions that you have no clue how to answer. But it's not rocket science. I think Ben Rothke nails it on the head when he says.

The issue really is that these merchants have created their networks with little to no thought to security and privacy. They have placed minimal controls on their users, given no direction to their application developers, nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant due to PCI DSS; they are noncompliant because they never developed their security programs in the first place.
These Tier 1 and 2 merchants and many of the smaller merchants have large complex networks that are old and were designed with ease of use and administration in mind and not security focused. They put in the basics to keep the passive snooper out but not the aggressive hacker. They are complaining because they did not do a good job and now they have to go back and clean it up. That is why it is expensive, time consuming and complex. I know this first hand because that is what I'm up against. I'm having to retro fit security into some areas that should have had it in the first place. I'm just lucky that I'm working with a standard that is cut and dry or I'd really have something to complain about.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.