
Tenable Blog


The Truth Behind Three PCI 'Myths'

Posted originally on Wired, InnovationInsights blog

In Part I of this series of posts, I examined how retailers face immense challenges with respect to their cybersecurity posture but often don’t focus on the important elements. For starters, they spend an inordinate amount of time struggling to "reduce the scope" of the enterprise that needs to comply with the Payment Card Industry (PCI) Data Security Standard. Then, when they are found to be compliant, they too often discover (the hard way) that their bare minimum approach to PCI compliance has left them still vulnerable to exploits and attacks — and, even worse, not equipped to detect or respond to those attacks. In short, a bare minimum approach to PCI DSS compliance does not provide optimal protection.

Given the concerns, allow me to weigh in on the following myths and misconceptions which are creating further complexities:

Hard-to-detect, customized malware targeting specific retailer point of sale (POS) systems became much more prevalent in 2013 and 2014.

That’s true. But what’s missing is a look at the vulnerabilities the malware commonly exploits. They are predominantly OLD vulnerabilities, or variants of them, which should have been reconfigured, mitigated or patched out of the systems years ago. Retailers are justifiably concerned about the security of their POS systems because these are often built by a third party with embedded operating systems and distributed by the thousands across large geographic regions. This makes it hard to patch them, apply anti-virus/anti-malware solutions (while making sure they update automatically and scan periodically), install file integrity monitoring, enable logging, copy the logs to centralized logging servers, etc. – all of which are activities required by the PCI DSS.

The upshot: Malware won’t work if systems are secured to meet PCI standards.

Despite spending considerable resources on PCI compliance, criminals are still successfully targeting retailers.

PCI compliance does not equate to security.

PCI compliance COULD equate to security if the standards were actually applied and followed across the enterprise, and not limited to the segmented "cardholder data environment." That is not to say breaches wouldn’t occur. It’s just that merchants would successfully detect and thwart more attempted attacks, and even when they didn’t prevent them, they would quickly halt the intrusions with minimal damage. The problem is that too much time and money is spent on technology solutions which purport to do the “boring” heavy lifting and to limit the scope of what needs to be secured. But the true "blocking and tackling" basics of good security require dedicated individuals to apply paranoid due diligence above and beyond the call of duty.

There are many moving parts and pieces of a retailer store network and many types of users accessing them, making it more difficult to segment the cardholder data environment from the rest of the network.

Two problems here: First, PCI DSS does not require segmentation, particularly not as a security best practice (defense in depth) beyond the implied three-tier architecture common to e-commerce implementations. Second, when segmentation is applied, it is done for the express purpose of "reducing the scope of the assessment." It often is paired with the implication (or outright overt statement) that "we don’t need to secure the systems that aren’t subject to review." This attitude even extends beyond any perceived Cardholder Data Environment to the systems which a Qualified Security Assessor (QSA) samples versus the entire set of in-scope systems. I’m sure I’m not the only QSA who discovered the customer didn’t apply a mitigation to a problem discovered during sampling beyond the original systems reviewed and the "new" systems reviewed, if just to prove the point. Segment your network to create security in depth, not to limit scope, and apply the basic PCI DSS controls across the entire network.

Once we clear up the confusion behind these and other myths/misconceptions, it’s easier to obtain both PCI compliance and a fully protected cyber presence. In my next blog, I’ll shed light on five "rules" of PCI to help you move forward.
