Most data crimes are the result of online compromises. This makes sense, as the criminals don’t need to know any of the old, dirty, hands-on techniques such as lock-picking, dumpster diving, or other evasive maneuvers to carry out a successful attack. However, this doesn’t mean that the old methods are completely defunct. Physical security is still an important facet of a complete security program. In the new 4.0 version of PCI DSS, Requirement 9, “Restrict Physical Access to Cardholder Data,” aims to keep the CDE safe from physical compromise. Like its earlier version, it also reiterates the need to carefully dispose of devices that contain cardholder data.
Shubhra Deo has worked with PCI DSS for over 10 years, helping organizations to achieve compliance. In her experience, the hardest part of meeting the physical security conditions of Requirement 9 is the same one that Ben Rothke and others have raised about the Standard as a whole: defining the scope. Shubhra stresses the importance of having a “Clear understanding and demarcation of the Cardholder Data Environment (CDE), sensitive areas, and facilities.”
Some of Shubhra’s observations go deeper than the obvious need for door locks and access cards, including: “if the organization is using a video camera, it should capture the face of the person exiting the area. Similarly, in video-monitored areas, there might be the case where video logs are capturing screens or papers that display cardholder data. In that instance, the video recording itself rises to the level of a sensitive data classification. This further proves that detailed risk analysis is essential for physical security controls.” Shubhra also takes a forward-looking approach to Requirement 9 and anticipates the growing importance of access log reviews.
Just as physical security matters, so does the ability to see what has occurred on a system. Event logs can provide important details about the general state of a system, as well as the ability to trace a path back to the entry point in the event of a security incident. Requirement 10 of the PCI DSS sets the stage for both keeping track of system events and protecting the logs from any tampering.
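The tamper-protection half of Requirement 10 is easier to reason about with a concrete mechanism in hand. The following is an added example, not code from the original post and not a mechanism prescribed by PCI SSC: each log record is chained to the previous one by a SHA-256 hash, so that editing, deleting or reordering any record breaks the chain and is detected on verification. The event fields and sample entries are constructed for illustration (they loosely follow the kind of audit detail Requirement 10 asks for, such as user, event type, result, origin and affected component), and the function and variable names are this example’s own.

```python
"""Tamper-evident audit log built as a SHA-256 hash chain.

Added example for illustration only; event records below are constructed.
"""
import hashlib
import json
from typing import Optional

# Constructed sample audit events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "jdoe", "event": "login",
     "result": "success", "origin": "10.0.5.23", "component": "db-cde-01"},
    {"ts": "2024-05-01T08:05:40Z", "user": "jdoe", "event": "read_pan",
     "result": "success", "origin": "10.0.5.23", "component": "db-cde-01"},
    {"ts": "2024-05-01T08:07:02Z", "user": "svc_backup", "event": "login",
     "result": "failure", "origin": "10.0.9.4", "component": "db-cde-01"},
]

# Fixed starting value for the first record's prev_hash.
GENESIS = "0" * 64


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash of one record, bound to the hash of the record before it.

    The event is serialized as canonical JSON (sorted keys, no whitespace)
    so that the same event always produces the same digest.
    """
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(events: list) -> list:
    """Wrap each event in a record carrying prev_hash and its own hash."""
    records = []
    prev = GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        records.append({"event": ev, "prev_hash": prev, "hash": h})
        prev = h
    return records


def chain_head(records: list) -> str:
    """Hash of the last record; store this off-host (e.g. on the central
    log server) so that truncation of the local log can be detected."""
    return records[-1]["hash"] if records else GENESIS


def verify_chain(records: list, expected_head: Optional[str] = None):
    """Recompute the chain and return (ok, index_of_first_bad_record).

    An edited, deleted or reordered record breaks the link at that position.
    If expected_head (a previously stored chain_head) is supplied, a chain
    that is internally consistent but shorter than it should be is reported
    as bad at index len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or entry_hash(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    head = chain_head(log)
    print("intact:", verify_chain(log, head))
    edited = [dict(r, event=dict(r["event"])) for r in log]
    edited[1]["event"]["result"] = "failure"   # rewrite history
    print("edited record:", verify_chain(edited, head))
    print("last record dropped:", verify_chain(log[:-1], head))
```

The chain alone detects changes inside the log; the stored head is what catches someone simply cutting the end off. In practice the head would be written to a system the log-producing host cannot modify, which is the same separation of duties that forwarding logs to a central, access-controlled server provides.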
Requirement 10, “Log and Monitor All Access to System Components and Cardholder Data,” prescribes exactly what the system logs should be capturing. Ross Moore, who has served in a variety of operations and Information Security roles over the course of his 20-year IT career, lives by the motto Festina Lente: make haste slowly.
Ross applies this maxim directly to some of the challenges of Requirement 10. He cautions against “losing sight of the security goal, which is to regularly monitor and test networks for the purpose of keeping customer data safe. Consider interoperability. Like the traditional Swiss Army Knife, the more functions (technical, regulatory, personnel) that one can solve with a multi-function tool, the better.” Logging, alerting, and log review are cross-departmental tasks, requiring a cooperative approach in order to fully succeed.
Ross expands on this idea: “Tie monitoring and alerting into other aspects of the business, such as DevSecOps, and IT Infrastructure. Any other business units where it can be integrated could help in procuring the right solutions and assistance in implementation and maintenance. Demonstrate how a multi-departmental effort will help to achieve compliance.”
As a general approach to the entire Standard, Ross again views deliberate attention as most important. This sentiment is reminiscent of the advice offered by Jeff Mann in the first blog in this series, where an up-to-date network diagram can be a key component of a full picture of the CDE. Ross echoes this: “Keeping up with regulatory compliance is in the details. Consider an improved project management flow so all stakeholders can communicate, plan, easily view the roadmap, and prepare. A little at a time, and performed consistently, makes the entire project much more palatable and feasible.”
The information that Ross shares carries over to the final two Requirements of the PCI Standard. All of the preparation for security needs to be tested, and the entire organization needs to understand and adhere to the Standard in order for it not only to pass audit scrutiny but also to be effective in protecting cardholder data. To learn even more about the new Standard, as told by other experts in the field, download our eBook.
Learn more about PCI DSS 4.0 Requirements:
PCI DSS 4.0 Requirements – Network Security Controls and Secure Configuration
PCI DSS 4.0 Requirements – Protect Stored Account Data and Protect Cardholder Data During Transmission
PCI DSS 4.0 Requirements – Protect from Malicious Software and Maintain Secure Systems and Software
PCI DSS 4.0 Requirements – Restrict Access, Identify Users and Authenticate Access
PCI DSS 4.0 Requirements – Test Security Regularly and Support Information Security with Organizational Policies and Programs