A Compliant Business Isn’t 100% Secure
With the fast proliferation of SaaS (Software as a Service) and PaaS (Platform as a Service) among businesses, e-commerce is becoming more and more common. In the latter part of last year the Payment Card Industry released PCI version 2.0, the DSS standard for processing payments via the Internet. Even though businesses are adopting the new standard, that doesn’t necessarily mean they are secure. The standard is a guide that every business has to follow when processing payment card information. Each business has its own distinctive environment, processes and network infrastructure, and these variables could still be vulnerable even if the business is compliant.
Security goes beyond compliance: it must also incorporate validation and security methods such as penetration testing, and security tools such as anti-virus software. Yet many companies remain confused about security even after they follow compliance standards. So what is PCI 2.0?
The PCI 2.0 compliance standard protects sensitive information such as credit card information, Social Security numbers, personal information, health information, and government and military details and secrets. It is the Payment Card Industry’s regulation and it is acknowledged by the IT industry, which understands the importance of protecting corporate and trade secrets, especially now.
Once a company complies with PCI 2.0, it should understand that this is only part of securing its business. Compliance is just a security baseline; it doesn’t secure the company’s network from every possible vulnerability. Those who rely only on compliance controls may often find themselves overlooking unmitigated risk.
Checkbox Mentality
As companies rely on PCI compliance and other compliance audits, some of them end up with a checkbox mentality: implementing a certain technology or product only to satisfy the checkmark for each control. A detail checked off on the compliance list doesn’t mean it is implemented well. A poorly implemented technology or product could introduce new risks, or fail to perform to its full capability when it comes to protecting the company’s network.
For example, web application firewalls deployed with their out-of-the-box policies. Depending on the custom code and the functionality requirements, the applications may need special tuning so that the firewall prevents attacks above and beyond the OWASP list. In PCI 2.0, the 6.5 controls set the minimum requirements for vulnerability scanning against the thousands of possible application vulnerabilities.
Web Applications Vulnerability Scanning
PCI 2.0 controls require regular scanning of external-facing IP addresses as well as web applications. Scans of external networks have to be performed by an Approved Scanning Vendor, and web applications must also be scanned, with either automated or manual tools. Web applications that aren’t scanned leave possible vulnerabilities open for attackers to exploit, so the vulnerabilities must be addressed regularly.
Mobile Devices
PCI has recently delisted some mobile applications that were once approved and deemed compliant. Mobile devices have no firewalls, and one could be violating PCI standards by processing credit card information on them. These devices include laptops, smartphones, tablets, etc. It is much better to disallow important data on these devices; if they are needed, modify the security policies regarding mobile devices, for example by requiring password protection on all types of mobile device. Don’t let employees work on unsecured networks; they should use secure, encrypted networks instead.
Compliance Is the Result of an Excellent Security Program
PCI understands the difference between security and compliance. While PCI compliance standards are designed to protect credit card information, they cannot control or address every possible risk that exists on the Internet. Businesses have their own unique structures, and their challenges have to be addressed independently of compliance mandates. Security covers a wide range of vulnerabilities, and security processes range from penetration testing, which has to be performed by an expert who has completed pen test training, to security tools and technologies.
Depending on the compliance and security measures a company adopts, it could fall anywhere from extremely vulnerable to extremely secure. The only thing PCI has to do is ensure the company’s processing and storing of credit card information. The rest is up to the company.
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. EC-Council also offers training in penetration testing.
More information about EC-Council is available at http://www.eccouncil.org.