Verizon’s 2015 PCI report is out, offering some reassurance to those worried about the state of security in point-of-sale systems. But compliance rates continue to be low. The report notes that the number of organizations meeting full compliance nearly doubled from 2013, yet only about a quarter of those organizations managed to remain compliant a year later. Businesses need to institute continuous monitoring methods to make the resources spent on PCI compliance worthwhile and, more importantly, to ensure that their organizations are secure as well as compliant.
According to Verizon, 20 percent of organizations were fully PCI compliant, up from 11 percent in 2013. But only 28.6 percent demonstrated the ability to remain compliant over time. Falling out of compliance wastes the time and resources put into it. Businesses need a way to make that hard work pay off. Continuous monitoring systems scan configurations and alert administrators when those configurations drift from the standards you set, making them an ideal solution for sustaining PCI compliance.
The Importance of Continuous Compliance
Verizon’s study shows that when auditors visited organizations following a breach, PCI compliance was poor. While we believe Verizon’s report to be one of the strongest authorities on the topic, we also know that Target’s PCI compliance was verified shortly before the data breach. As far as we know, Target was compliant at the time of the breach. In addition, the methods used to gain access to Target’s POS fell outside of protections found in PCI requirements.
At the same time, compliance doesn’t guarantee security. Both the threat landscape and technology advance much faster than any PCI regulation ever could. For instance, the PCI standard only addresses cloud infrastructure with a set of general recommendations around its impact on audit scope. No detailed specifications are offered, yet more than 70 percent of data centers are now virtualized. The world is just changing too fast for PCI standards to keep up.
Another problem is that some auditors are not fully up to speed on every technology – especially those that are still emerging. Many organizations have not yet virtualized their PCI applications because the PCI regulations around this topic are still being refined. According to Coalfire, an independent PCI auditor, it is absolutely possible to run applications that handle PCI data in virtualized environments – you simply need to pay attention to scope and have the right controls in place, as you would for any physical system.
Despite these shortcomings, PCI compliance still serves some important purposes. First, it sets a bar (however low) to ensure that basic security best practices are followed, and it provides mechanisms for audit and enforcement.
Despite the massive scale of the Target breach, it could have been worse. Target had the personal information of 70 million consumers in its database. PCI compliance ensured that, although hackers were able to make off with personal information from the database, they could not access the actual credit card information connected with those individuals. Hackers were only able to access credit card information as transactions passed through the POS system. So, because of PCI compliance, Target reduced the number of stolen credit cards from 70 million to 40 million. In a world where 100 percent protection is impossible, simply being more secure than the next guy is an important part of security. Attackers will certainly go after the low-hanging fruit first.
PCI compliance is also an important talking point to leverage when seeking additional funds for your security budget. But using budget dollars simply to pass an audit misses the point. Security must be a continuous process that keeps data secure at all times, or the money spent on compliance is wasted.
Defining Continuous Compliance
Compliance means your organization has put in place all security requirements as mandated by government regulations. But if you lapse in any one of those requirements, you are no longer compliant. Instead of relying on a single snapshot in time, continuous compliance offers a stronger approach to information security risk management. By implementing continuous compliance, organizations gain the reassurance that their information remains protected at all times.
Virtualized data centers offer the benefit of agility. They make information resources easier to manage, allowing you to spin up resources for new workloads more quickly, while making it easier to migrate resources as hardware and performance requirements change. But with this agility comes risk. The same agility that makes resources easier to manage also increases the chance that changes will bring your security out of compliance. Organizations should focus on two key areas to ensure continuous compliance in a virtual infrastructure:
- The Hypervisor – This critical technology provides the foundation for security. If attackers compromise the hypervisor, they can access every workload running on it. Hypervisor configuration can drift over time through software updates or administrative changes. Having a method for tracking these changes against an approved baseline, and remediating when needed, helps your organization remain compliant and secure.
- Administrator Activity – Your virtualization admins hold the keys to your kingdom. PCI requirements 8 and 10 specifically require that organizations identify and authenticate access, and track and monitor all access. Admins are no exception, yet today’s virtualization management tools are not designed to track activity at this level of granularity. Organizations must use additional tools to gain this functionality.
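As an added example (not HyTrust code or a vendor's actual configuration schema), the script below shows the two checks the list above calls for: it compares a hypervisor host's current settings against an approved baseline and reports drift, and it reviews an exported admin audit log for the kinds of events requirements 8 and 10 are concerned with (shared accounts, sessions without multi-factor authentication, operators outside the approved list, and configuration changes outside the change window). The setting names, audit-log field names, and all sample values are constructed for the illustration.

```python
from datetime import datetime

# Constructed baseline of hypervisor host settings (hypothetical keys, not a
# real vendor schema). This is the approved state that compliance is measured
# against.
BASELINE = {
    "ssh.enabled": False,
    "lockdown.mode": "normal",
    "ntp.servers": ["ntp1.corp.example", "ntp2.corp.example"],
    "syslog.remote_host": "syslog.corp.example",
    "password.min_length": 12,
}

# Constructed "current" snapshot, as a periodic scan might collect it, with
# drift deliberately introduced.
CURRENT_CONFIG = {
    "ssh.enabled": True,                 # drift: SSH re-enabled
    "lockdown.mode": "normal",
    "ntp.servers": ["ntp1.corp.example", "ntp2.corp.example"],
    "syslog.remote_host": "",            # drift: remote logging cleared
    "password.min_length": 12,
    "vmotion.enabled": True,             # new setting not in the baseline
}


def detect_drift(baseline, current):
    """Compare a configuration snapshot against the approved baseline.

    Returns a sorted list of (key, expected, actual). A key missing from the
    snapshot is reported with actual=None; a key missing from the baseline is
    reported with expected=None so a reviewer can decide whether to approve it.
    """
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected = baseline.get(key)
        actual = current.get(key)
        if expected != actual:
            findings.append((key, expected, actual))
    return findings


# Constructed admin-activity records, in the shape a management platform's
# audit export might take (field names are assumptions).
AUDIT_EVENTS = [
    {"ts": "2015-03-10T02:15:00", "user": "alice", "mfa": True,
     "action": "config.set", "target": "ssh.enabled"},
    {"ts": "2015-03-10T14:05:00", "user": "root", "mfa": False,
     "action": "config.set", "target": "syslog.remote_host"},
    {"ts": "2015-03-10T14:07:00", "user": "bob", "mfa": True,
     "action": "vm.poweroff", "target": "pos-db-01"},
]

APPROVED_ADMINS = {"alice", "bob"}
SHARED_ACCOUNTS = {"root", "admin", "administrator"}
CHANGE_WINDOW = (1, 5)  # config changes are expected between 01:00 and 05:00


def check_admin_activity(events, approved_admins=APPROVED_ADMINS,
                         shared_accounts=SHARED_ACCOUNTS,
                         change_window=CHANGE_WINDOW):
    """Flag audit events that break the identify/authenticate and
    track/monitor expectations: generic accounts (no individual
    accountability), sessions without MFA, unknown operators, and
    configuration changes outside the change window.
    Returns a list of (timestamp, user, reason) tuples.
    """
    start, end = change_window
    findings = []
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["user"] in shared_accounts:
            findings.append((ev["ts"], ev["user"], "shared account used"))
        elif ev["user"] not in approved_admins:
            findings.append((ev["ts"], ev["user"], "user not an approved admin"))
        if not ev["mfa"]:
            findings.append((ev["ts"], ev["user"], "no MFA"))
        if ev["action"].startswith("config.") and not (start <= hour < end):
            findings.append((ev["ts"], ev["user"], "config change outside window"))
    return findings


def compliance_report(baseline, current, events):
    """Combine both checks; the host is only 'compliant' when neither finds anything."""
    drift = detect_drift(baseline, current)
    admin = check_admin_activity(events)
    return {"drift": drift, "admin_findings": admin,
            "compliant": not drift and not admin}


if __name__ == "__main__":
    report = compliance_report(BASELINE, CURRENT_CONFIG, AUDIT_EVENTS)
    for key, expected, actual in report["drift"]:
        print(f"DRIFT  {key}: expected {expected!r}, found {actual!r}")
    for ts, user, reason in report["admin_findings"]:
        print(f"ADMIN  {ts} {user}: {reason}")
    print("compliant:", report["compliant"])
```

Run on a schedule, the drift check turns a once-a-year audit snapshot into a standing control: the baseline is the configuration the auditor signed off on, and every run either confirms it or names exactly which setting moved. The audit-log check is deliberately simple, but it illustrates why the activity needs to be tied to a named individual with MFA: a `root` change to `syslog.remote_host` at 14:05 is three findings at once, and without per-admin attribution it would be invisible.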
Ensure Continuous Compliance with HyTrust
If you are running PCI applications on a virtual infrastructure (or you would like to), you need HyTrust. HyTrust can ensure continuous compliance with PCI requirements and dramatically simplify your monitoring, auditing, and reporting. If you’d like to learn more, contact us today.