What a week. VISA removes Heartland Payment Systems from its online list of PCI DSS compliant service providers, and then goes on to say, “As of today, no compromised entity has been found to be compliant at the time of the breach.” What’s that all about?
It’s all about being compliant all of the time, not just at one point in time. Receiving a PCI Compliance Certificate is like eBay printing a paper catalog of everything it sells online. The catalog would be good for about, oh, 1 millisecond. A PCI Compliance Certificate is good for about, oh, 1 hour. Last November, payment processor RBS WorldPay’s servers were hacked to the tune of $9 million in just 2 hours’ time.
The PCI Security Standards Council has published a PCI Quick Reference Guide which states that PCI Compliance is a continuous process of assessment, remediation and reporting. It does not say that PCI Compliance is a one-time event, or even a once-in-a-while event. It is a “continuous” event.
Monitoring any infrastructure for change continuously requires an intelligent monitoring agent that works out at the device itself what has changed, rather than sending a copy of everything being monitored to a central application server to make that determination. Tripwire invented such an intelligent agent in the last century and we have been enhancing it ever since. Today that technology is called Enhanced File Integrity Monitoring, and it allows changes to be detected in real time, analyzed immediately for authorization and compliance, and reported at any level to provide evidence of continuous compliance for over 100 of the requirements in version 1.2 of the PCI DSS specification.
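As an added illustration of the host-side change detection described above (example code, not Tripwire’s agent), the following Python baselines the SHA-256 hash and permission bits of monitored files, emits one event per change, and marks whether the changed path is on a hypothetical allowlist of approved changes, which stands in for the authorization check and is an assumption of this example. Only the small baseline dictionary, never the file contents, would need to leave the host.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Hash and permission bits of every regular file under root, computed on the host."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            state[str(path.relative_to(root))] = (hashlib.sha256(path.read_bytes()).hexdigest(), mode)
    return state

def diff_states(baseline, current, authorized=frozenset()):
    """One event per changed path; 'authorized' is a hypothetical allowlist of approved change paths."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            kind = "added"
        elif after is None:
            kind = "deleted"
        elif before[0] != after[0]:
            kind = "content"
        elif before[1] != after[1]:
            kind = "permissions"
        else:
            continue
        events.append({"path": rel, "change": kind, "authorized": rel in authorized})
    return events

def demo():
    """Constructed sample: baseline three files, then make four changes, only one of them approved."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "httpd.conf").write_text("Listen 443\n")
        (r / "app.jar").write_bytes(b"\x00jar")
        (r / "id_rsa").write_text("key\n")
        (r / "id_rsa").chmod(0o600)
        baseline = snapshot(root)
        (r / "httpd.conf").write_text("Listen 443\nListen 8080\n")  # covered by an approved change
        (r / "app.jar").write_bytes(b"\x00jar+patch")                 # unapproved content change
        (r / "id_rsa").chmod(0o644)                                  # unapproved permission change
        (r / "unknown.so").write_bytes(b"\x7fELF")                    # unapproved new file
        return diff_states(baseline, snapshot(root), authorized={"httpd.conf"})

if __name__ == "__main__":
    for e in demo():
        print("OK   " if e["authorized"] else "ALERT", e["change"], e["path"])
```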
PCI Compliant vs. Certified PCI Compliant—what the heck is the difference? “Continuous” is the difference. If you don’t know within an hour that a critical file or setting has been changed, a lot of cardholder records could be exposed–and a whole lot more.