
PCI-DSS Compliance: Part 4

As I mentioned in my last posting regarding the PCI-DSS standard, the PCI-DSS powers-that-be are concerned that merchants may be declared compliant at their annual QSA audit yet not be continuously compliant. So I scoured the PCI-DSS 1.2 requirements and analyzed the time components associated with the various requirements. Here is what I found:

Requirement                                     Frequency
-----------------------------------------------------------
QSA audit                                       Annually
Vulnerability scanning                          Quarterly
Firewall/router rule set review                 Biannually
Review of patch installation policies           Monthly
Review of application changes                   Annually
Security review of offsite facility             Annually
Inventory of media                              Annually
Testing for wireless access points              Quarterly
Risk assessment                                 Annually
Review of security policy                       Annually
Employee security awareness and training        Annually
Employee acknowledgement of security policy     Annually
Incident response plan testing                  Annually

As you can see, most of the requirements must be met annually. Only one must be met monthly, and two must be met quarterly. Clearly, not much needs to be done all that often. As such, perhaps the fact that so many merchants may not be continuously compliant is easier to understand.

My analysis should by no means be construed as any kind of a criticism. As I have said before, the PCI-DSS standard represents an excellent attempt to provide requirements that reduce the likelihood of merchants experiencing data security breaches involving credit card information while at the same time being reasonable as far as the amount of effort and resources needed for compliance. Note, too, the overall sensibility of the required frequencies. Patching vulnerabilities is something that needs to be done promptly, as the Conficker Worm debacle has so poignantly shown. Accordingly, the PCI-DSS standard requires a review of patch installation policies every month. Similarly, finding and patching vulnerabilities are essential in countering attacks; ostensibly for that reason, the required frequency of vulnerability scanning is quarterly. Rogue wireless access points generally pose severe risk; the PCI-DSS standard mandates a quarterly review of wireless access points.

For the sake of better credit card security, however, a few time requirements probably need to be made somewhat more stringent. For example, a biannual review of firewall/router rules does not seem sufficiently frequent given how critical these rules are to a merchant’s network security. A rule review every 60 days would thus be better. The same applies to scanning for wireless access points. The speed at which rogue access points can be put in place is frightening, and the potential risk not only to wireless networks but also to nearby wired networks is high. Additionally, scanning for wireless access points is not all that difficult or time-consuming. Requiring scanning for access points every 30 days thus seems more appropriate.
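The gap between being compliant on audit day and being continuously compliant comes down to tracking due dates. The following tracker is an added example, not code from the original post or from the PCI Security Standards Council: it takes the date each activity in the table above was last completed and reports what is overdue as of a given day, first against the frequencies the standard lists and then against the tighter 60-day and 30-day cycles proposed above. "Biannually" is read here as every six months (an assumption for this example), and the completion dates are constructed sample data.

```python
"""Continuous-compliance tracker for the PCI-DSS 1.2 frequency table.

Added example, not code from the original post. Given the date each activity
was last completed, report which activities are overdue as of a chosen day.
"""
import calendar
from datetime import date, timedelta

# Frequencies exactly as listed in the post's table (PCI-DSS 1.2).
PCI_DSS_12_FREQUENCIES = {
    "QSA audit": "annually",
    "Vulnerability scanning": "quarterly",
    "Firewall/router rule set review": "biannually",
    "Review of patch installation policies": "monthly",
    "Review of application changes": "annually",
    "Security review of offsite facility": "annually",
    "Inventory of media": "annually",
    "Testing for wireless access points": "quarterly",
    "Risk assessment": "annually",
    "Review of security policy": "annually",
    "Employee security awareness and training": "annually",
    "Employee acknowledgement of security policy": "annually",
    "Incident response plan testing": "annually",
}

# Frequency word -> months per cycle. "Biannually" is taken as every six months
# (an assumption for this example; it matches the post treating 60 days as stricter).
MONTHS_PER_CYCLE = {"monthly": 1, "quarterly": 3, "biannually": 6, "annually": 12}

# An interval is ("months", n) or ("days", n).
BASE_SCHEDULE = {
    name: ("months", MONTHS_PER_CYCLE[freq])
    for name, freq in PCI_DSS_12_FREQUENCIES.items()
}

# The post's proposed tightening: rule review every 60 days, wireless scanning
# every 30 days. Everything else keeps the standard's frequency.
PROPOSED_SCHEDULE = dict(BASE_SCHEDULE)
PROPOSED_SCHEDULE["Firewall/router rule set review"] = ("days", 60)
PROPOSED_SCHEDULE["Testing for wireless access points"] = ("days", 30)

# Constructed sample data: when a hypothetical merchant last did each activity.
SAMPLE_LAST_COMPLETED = {
    "QSA audit": date(2008, 9, 15),
    "Vulnerability scanning": date(2009, 2, 10),
    "Firewall/router rule set review": date(2009, 2, 1),
    "Review of patch installation policies": date(2009, 4, 20),
    "Review of application changes": date(2008, 7, 1),
    "Security review of offsite facility": date(2008, 9, 15),
    "Inventory of media": date(2008, 9, 15),
    "Testing for wireless access points": date(2009, 4, 15),
    "Risk assessment": date(2008, 9, 15),
    "Review of security policy": date(2008, 9, 15),
    "Employee security awareness and training": date(2008, 9, 15),
    "Employee acknowledgement of security policy": date(2008, 9, 15),
    "Incident response plan testing": date(2008, 5, 1),
}
AS_OF = date(2009, 6, 1)  # the day on which compliance is being checked


def add_months(d, months):
    """Calendar-aware month addition; the day is clamped (Jan 31 + 1 -> Feb 28)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(last_done, interval):
    """Date by which the activity must be repeated to stay compliant."""
    kind, n = interval
    if kind == "months":
        return add_months(last_done, n)
    return last_done + timedelta(days=n)


def overdue_requirements(last_completed, as_of, schedule):
    """Return [(requirement, due_date, days_overdue)] for every activity whose
    due date falls before `as_of`, most overdue first. An activity with no
    recorded completion is reported with None for both date fields and sorts first."""
    rows = []
    for name, interval in schedule.items():
        last = last_completed.get(name)
        if last is None:
            rows.append((name, None, None))  # never done: always overdue
            continue
        due = next_due(last, interval)
        if due < as_of:
            rows.append((name, due, (as_of - due).days))
    rows.sort(key=lambda r: -(r[2] if r[2] is not None else float("inf")))
    return rows


if __name__ == "__main__":
    for label, schedule in (("PCI-DSS 1.2", BASE_SCHEDULE), ("proposed", PROPOSED_SCHEDULE)):
        print(f"Overdue as of {AS_OF} under the {label} schedule:")
        for name, due, days in overdue_requirements(SAMPLE_LAST_COMPLETED, AS_OF, schedule):
            print(f"  {name}: due {due}, {days} days overdue")
```

Run on the sample data, the standard's own frequencies already flag three activities on 1 June 2009 (incident response testing, vulnerability scanning and the patch policy review); the proposed 60-day and 30-day cycles add the firewall rule review and the wireless scan. Feeding the tracker real completion dates, and running it daily rather than once a year, is the cheap way to learn about a lapse before the QSA does.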

The PCI-DSS standard has evolved over time, and it will continue to evolve as risks and threats change and also as security technology improves. Although most of the time components for PCI-DSS requirements are reasonable, I would not be surprised to see several of them change in forthcoming versions of these requirements.
