My Merchant Account Blog

Regularly Monitor and Test Networks

Sunday, December 07, 2008
The fifth control objective of the Payment Card Industry Data Security Standard (PCI DSS), "Regularly Monitor and Test Networks", consists of two requirements (Requirements 10 and 11):
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Track and Monitor All Access to Network Resources and Cardholder Data

We have said it in the past few posts, but it bears saying again.  Audit trail history should be retained for at least one year, with at least the most recent three months immediately available for analysis.  Every log entry should record the following:
  • Unique User Identification
  • Type of Event
  • Date and Time
  • Origination of Event
  • Success or Failure Indication
  • Identity / Name of Affected Data, System Components, Resources
These logs must be protected from alteration (for example, forwarded to a central log server that the systems being logged cannot write back to) and readable only by staff with a job need to see them.  Clocks on all systems should be synchronized (for example, with NTP) so that events can be correlated across systems.  Logs should be reviewed daily for unexpected events: a compromise is often reported by a cardholder only days or weeks after it happened, so daily review is usually the earliest chance to catch it.
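
The three points above (complete entries, tamper-evident storage and a daily review) can be checked mechanically.  The following Python is an added example, not code from the original post or from any PCI tool: it validates constructed sample log lines against the six required elements, chains the entries with an HMAC so that any edit or deletion is detectable, and runs a simple daily review that flags incomplete records, unknown users or event types, cardholder-data access from outside an assumed internal subnet, and repeated failures from one origin.  The log format, the user and event lists, the subnet prefix and the key are all assumptions for illustration.

```python
import hashlib
import hmac

# The six data elements PCI DSS Requirement 10 wants in every audit-trail entry
REQUIRED_FIELDS = ("user", "event", "time", "origin", "result", "target")

# Constructed sample records (not real logs): one event per line, key=value pairs.
# The last line is deliberately incomplete (no target).
SAMPLE_LOG = """\
user=jdoe event=login time=2008-12-07T08:15:02Z origin=10.1.4.22 result=success target=pos-db01
user=jdoe event=query time=2008-12-07T08:15:40Z origin=10.1.4.22 result=success target=cardholder.pan
user=svc_batch event=login time=2008-12-07T23:59:58Z origin=203.0.113.9 result=failure target=pos-db01
user=svc_batch event=login time=2008-12-07T23:59:59Z origin=203.0.113.9 result=failure target=pos-db01
user=root event=config_change time=2008-12-07T03:12:00Z origin=10.1.4.5 result=success
"""

# Hypothetical reference data the reviewer compares events against
KNOWN_USERS = {"jdoe", "svc_batch", "root"}
KNOWN_EVENTS = {"login", "logout", "query", "config_change"}
CDE_NETWORK_PREFIX = "10.1.4."   # assumed internal cardholder data environment subnet
FAILURE_THRESHOLD = 2            # this many failures from one origin gets flagged


def parse_record(line):
    """Turn one 'k=v k=v ...' line into a dict; reject malformed tokens."""
    record = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r}")
        key, value = token.split("=", 1)
        record[key] = value
    return record


def missing_fields(record):
    """Which of the six required elements are absent from this entry."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def chain_records(lines, key):
    """Build a tamper-evident chain: each entry's tag is an HMAC over the entry
    and the previous tag, so editing, reordering or deleting an earlier entry
    invalidates every tag after it. The key belongs to the log collector, not
    to the systems that generate the events."""
    prev_tag = "0" * 64
    chained = []
    for line in lines:
        tag = hmac.new(key, f"{prev_tag}\n{line}".encode(), hashlib.sha256).hexdigest()
        chained.append((line, tag))
        prev_tag = tag
    return chained


def verify_chain(chained, key):
    """Return the index of the first entry whose tag does not verify, or None."""
    prev_tag = "0" * 64
    for index, (line, tag) in enumerate(chained):
        expected = hmac.new(key, f"{prev_tag}\n{line}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return index
        prev_tag = tag
    return None


def review_day(lines):
    """Daily review: return (line_number, reason) findings a person should look at.
    Line number 0 marks a finding that spans several lines."""
    findings = []
    failures_by_origin = {}
    for number, line in enumerate(lines, 1):
        record = parse_record(line)
        gaps = missing_fields(record)
        if gaps:
            findings.append((number, "incomplete record, missing " + ", ".join(gaps)))
            continue
        if record["user"] not in KNOWN_USERS:
            findings.append((number, f"unknown user {record['user']}"))
        if record["event"] not in KNOWN_EVENTS:
            findings.append((number, f"unknown event type {record['event']}"))
        if record["result"] == "failure":
            failures_by_origin[record["origin"]] = failures_by_origin.get(record["origin"], 0) + 1
        if record["target"].startswith("cardholder.") and not record["origin"].startswith(CDE_NETWORK_PREFIX):
            findings.append((number, f"cardholder data reached from outside the CDE: {record['origin']}"))
    for origin, count in failures_by_origin.items():
        if count >= FAILURE_THRESHOLD:
            findings.append((0, f"{count} failed events from {origin}"))
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    log_key = b"collector-only-secret"   # assumed; in practice held only on the log server
    chained = chain_records(lines, log_key)
    print("chain intact:", verify_chain(chained, log_key) is None)
    for number, reason in review_day(lines):
        print(f"line {number}: {reason}")
```

The HMAC chain only proves something after the fact: it tells you which entry was the first to be altered, not who altered it, which is why the key (and the chained copy) must live on a collector the logged systems cannot write to.  The review rules are deliberately simple; the point is that "review daily" should mean running the same checks every day, not a person scrolling through raw lines.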

Regularly Test Security Systems and Processes

Systems should be scanned regularly to discover vulnerabilities.  A vulnerability scan is an automated tool run against the external and internal access points and servers on the network; it identifies open ports, exposed services and known vulnerabilities that an attacker could exploit.  Any vulnerability detected should be fixed promptly, and the scan re-run to confirm the fix actually closed the hole.  Network intrusion detection systems should also be in place.

Approved Scanning Vendor

Most merchants are required to have a quarterly external scan completed by an Approved Scanning Vendor (ASV).  Only choose a vendor that is listed on the PCI Security Standards Council's Approved Scanning Vendors web page; otherwise the scan will not be accepted by the council, and handing an unvetted company the job of probing your perimeter may put your data at risk.  The scan requirements are quite rigid: all 65,535 ports are scanned, and any vulnerability rated three to five on the program's five-point severity scale must be fixed, with a clean re-scan, before the scan counts as passing.  You will receive two reports:
  • An executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation
  • A technical report that details all vulnerabilities detected with solutions

Selecting a PCI Network Security Testing Service

While there are a number of Approved Scanning Vendors listed, there are three critical things to look for when choosing a company:
  1. Accuracy:  False positives add work and cost chasing issues that do not exist, and false negatives leave real vulnerabilities unaddressed.  Choose a vendor whose scans minimize both, so that the time you spend working through each issue goes to real problems.
  2. Efficient Vulnerability Remediation Process:  The vendor should offer technical support for fixing each issue found.
  3. Automated Report Preparation and On-Line Filing:  Automatic report preparation and electronic filing with your acquirer reduce the work and time you spend on getting and staying PCI compliant.

Qualified Security Assessor

Large merchants that are considered Level One (or merchants that have suffered a data breach) are required to have an annual on-site security assessment performed by a Qualified Security Assessor (QSA).  QSAs are companies authorized by the PCI Security Standards Council to perform these annual assessments; they have trained personnel and processes to review the security of an organization's payment transaction systems and to validate its compliance with PCI DSS.
