Implementing strong PCI compliance safeguards delivers far-reaching benefits, from cutting operational costs and improving uptime.
Estimates show that, on average, an out-of-compliance network is 90% more expensive to operate – easily adding up to $3 million in unnecessary annual spend for large retail organizations.
Retailers today depend on information networks being available around the clock, leaving no window for network maintenance or downtime.
Following is a list of easy steps online merchants, catalogers, and retailers can take to stand tall when the auditors come knocking:
1. Establish configuration policies, monitor and enforce them.
The first – and most critical – step to building a secure network is establishing specific configuration policies. Even the smallest change made during the addition, deletion or scheduled maintenance of a device can throw an information network out of compliance. Archived change tracking and saved “last known good” configuration state to roll-back to are now necessities.
Network changes are frequent, and network engineers need to weigh their impact to the overall network – and whether or not they can leave the network vulnerable. Creating network maps can help facilitate this.
Tap solutions that define and analyze compliance across the entire network. Firewalls and routers are a front-line vulnerability point, governed by well defined configuration standards, and ensure connections link designated IP addresses for inbound and outbound traffic.
Archiving capabilities should be integrated – so all alterations to the network can be seamlessly implemented, with minimal impact across the rest of the network. Users can gain visibility into how each change affects the network.
2. Change vendor-supplied default passwords.
Assign unique IDs and passwords to protect the network from hackers and find a way to search for devices where the vendor-supplied default passwords haven’t been changed. These leave information networks incredibly vulnerable, as hackers often recognize “generic” passwords.
Unique IDs also need to be assigned to each user touching the network. This requires a system where retailers can control each password, adding new ones when required – and removing inactive users every 90 days.
3. Automatically detect and track changes made to the network.
Multiply this across thousands of devices and systems, and the best intentions are often not enough to keep up with the challenge. The only efficient way to do this is to set up an automated change-alert system.
4. Monitor and test network performance.
Gather configuration and performance data across all network elements, and evaluate network events in relation to established security policies. These routine network audits can be automated, the logs of system components need to be reviewed daily, and audit history retained annually.
5. Define and test security policies.
Ensuring cardholder data remains safe requires continual monitoring of the network. The strongest security policy will not protect a network if there are no means of managing and verifying policy implementation. This takes significant expertise, is prone to human error and places undue strain on time-pressed network professionals. Automate the detection of changes made to the network, and analyze them against security policies.
Yama Habibzai is the senior director of marketing at Netcordia.