One Article Review

Home - The article:
Source AlienVault Blog
Identifier 896434
Publication date 2018-11-14 14:00:00 (viewed: 2018-11-14 16:00:56)
Title Top 10 PCI DSS Compliance Pitfalls
Text Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations. For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers.

Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance. As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI DSS.

1. Improper scoping

The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common misconception is to overlook the systems that support and secure the CDE, and fail to include them in scope. Specifically, any systems involved in managing the security of in-scope systems are also considered in scope, and need to be secured and monitored. Some examples include: IAM servers; domain controllers; key management servers; firewalls/IDS/IPS systems; log management/SIEM systems; AV management servers; and more.

Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.

2. Failing to patch systems regularly

PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high-profile breach it took the company more than four months to identify an unpatched vulnerability that provided a foothold for their devastating data breach.

Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in-scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.

3. Failing to audit access to cardholder data

PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. While many organizations have implemented two-factor authentication, they often fail to audit this access to verify that these controls are working as expected. In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise, used in more than 39% of investigated breaches against merchants.

Pro-tip: Implement two-factor authentication on all of your CDE assets. Sched
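As an added example (not code from the AlienVault post or from Terra Verde), the Python check below covers pitfalls 2 and 3 above against a constructed CDE inventory, constructed scan findings and constructed remote-access log lines: it flags in-scope hosts whose critical patches have been available for longer than the 30-day window, and remote logins to in-scope hosts that were made without two-factor authentication. The host names, patch ids, log format and the assumption that 10.0.0.0/8 is the internal network are all made up for this example.

```python
from datetime import date

PATCH_SLA_DAYS = 30  # PCI DSS req. 6: critical patches within a month of release
TODAY = date(2018, 11, 14)  # constructed "today" for the patch-age check

# Constructed inventory. Supporting systems (domain controller, SIEM) are
# in scope too, not only the hosts that handle cardholder data (pitfall 1).
INVENTORY = {
    "pos-db-01": {"role": "cardholder DB", "in_scope": True},
    "dc-01": {"role": "domain controller", "in_scope": True},
    "siem-01": {"role": "log management", "in_scope": True},
    "wiki-01": {"role": "intranet wiki", "in_scope": False},
}

# Constructed scan findings: (host, patch id, severity, patch release date).
FINDINGS = [
    ("pos-db-01", "KB-EXAMPLE-1", "critical", date(2018, 9, 1)),
    ("dc-01", "KB-EXAMPLE-2", "critical", date(2018, 11, 1)),
    ("wiki-01", "KB-EXAMPLE-3", "critical", date(2018, 8, 1)),
    ("siem-01", "KB-EXAMPLE-4", "low", date(2018, 7, 1)),
]

# Constructed remote-access log lines; the format is assumed, not a real product's.
LOG_LINES = """2018-11-14T09:00:01 pos-db-01 login user=alice src=203.0.113.5 mfa=yes
2018-11-14T09:05:44 dc-01 login user=svc_backup src=203.0.113.9 mfa=no
2018-11-14T09:07:12 wiki-01 login user=bob src=203.0.113.7 mfa=no
2018-11-14T09:09:30 siem-01 login user=carol src=10.0.0.4 mfa=no""".splitlines()


def in_scope(host):
    """Unknown hosts are treated as out of scope here; in practice, investigate them."""
    return INVENTORY.get(host, {}).get("in_scope", False)


def overdue_critical_patches(findings=FINDINGS, today=TODAY):
    """(host, patch) pairs on in-scope hosts that breach the 30-day patch window."""
    return [(host, patch) for host, patch, sev, released in findings
            if in_scope(host) and sev == "critical"
            and (today - released).days > PATCH_SLA_DAYS]


def remote_logins_without_mfa(lines=LOG_LINES):
    """(host, user) for remote logins to in-scope hosts that did not use 2FA."""
    hits = []
    for line in lines:
        fields = line.split()
        host = fields[1]
        kv = dict(f.split("=", 1) for f in fields[3:])
        remote = not kv["src"].startswith("10.")  # assumption: 10/8 is internal
        if in_scope(host) and remote and kv["mfa"] == "no":
            hits.append((host, kv["user"]))
    return hits
```

Feeding these two functions from a real scanner export and the SIEM's remote-access events gives a recurring check that the patching and 2FA controls are actually in place on every in-scope asset, not only on the hosts that store cardholder data.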
Sent Yes
Tags Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.