Top 10 PCI Compliance Mistakes

Configuration mistakes, access control gaffes, and scoping issues top the list of common PCI errors.

As organizations continue to work hard on their PCI compliance efforts in 2012, security experts warn that in order to cost-effectively achieve compliance and security goals, they'll need to avoid these common mistakes along the way.

1. Not Following Rule Of Least Privilege
According to Leonid Shtilman, CEO of Viewfinity, organizations play fast and loose with their interpretations of PCI 2.2.3, which says they should "Configure system security parameters to prevent misuse." As he put it, organizations have to drill down into user roles in order to ensure that they're following the rule of least privilege wherever PCI regulations apply.

"It is not acceptable to allow any privileged user to have access to all data, rather permissions for server administrators should be granted and/or dropped based upon specific role and responsibility tied directly to the applications and processes for which they require authority in order to fulfill their job requirements," he said. "No more, no less--only the least privileges required."

And yet, that isn't really what's happening at most organizations, said Eric Chiu, president and founder of HyTrust.

"It is not uncommon for many employees at an organization to have access to the data, including those who don't require it to fulfill their job functions," he said.

2. Ignoring Virtualization Compliance
Vidyadhar Phalke, CTO of MetricStream, said that many organizations tend to overlook virtualization compliance, a fact that can cause auditors to see red.

"PCI DSS 2.0 mandates that even if one VM deals with cardholder data, your entire virtual infrastructure must comply with the standard. The challenge is--the wording in PCI DSS on virtualization is vague and it all depends on the interpretation of the auditors," he said. "So organizations need to ensure that they comply with this early on and completely understand the risk and controls in place to avoid last-minute surprises."

3. Failing To Change Vendor Default Configurations
Virtualization particularly throws organizations for a loop when it comes to complying with PCI DSS 2.0 Requirement 2.1, which requires that vendor default passwords and configurations be changed.
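The Requirement 2.1 check above is easy to state and easy to get wrong in practice, because a setting that is simply absent from a deployed configuration usually means the factory default is still in force. The following audit script is an added example, not code from the article or from any vendor: it parses a simple key = value configuration for one hypothetical appliance, compares it against a constructed baseline of "vendor defaults" (placeholder values, not real product defaults), and reports both settings that still carry the default value and settings that were never set at all.

```python
"""Audit a deployed configuration for unchanged vendor defaults (PCI DSS 2.1).

Added example; the FACTORY_DEFAULTS baseline and SAMPLE_CONFIG below are
constructed placeholders for a hypothetical appliance, not real product values.
"""
from dataclasses import dataclass

# Constructed baseline: what the hypothetical appliance ships with.
FACTORY_DEFAULTS = {
    "admin.password": "admin",
    "snmp.community": "public",
    "telnet.enabled": "true",
    "tls.certificate": "factory-self-signed",
}

# Settings where an entry missing from the config file means the factory
# default silently applies, so "not set" is itself a finding.
IMPLICIT_IF_MISSING = {"snmp.community", "telnet.enabled", "tls.certificate"}


@dataclass(frozen=True)
class Finding:
    key: str
    reason: str


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value
    return cfg


def audit(cfg: dict[str, str]) -> list[Finding]:
    """Return one Finding per setting still at (or implicitly at) its default."""
    findings: list[Finding] = []
    for key, default in FACTORY_DEFAULTS.items():
        if key in cfg:
            if cfg[key] == default:
                findings.append(Finding(key, f"still set to vendor default {default!r}"))
        elif key in IMPLICIT_IF_MISSING:
            findings.append(Finding(key, f"not set; factory default {default!r} applies"))
    return findings


# Constructed sample: one host in the cardholder data environment. The admin
# password was changed, SNMP was not, and the TLS certificate line is absent.
SAMPLE_CONFIG = """\
admin.password = Str0ng-Un1que-Pass
snmp.community = public     # never changed after unboxing
telnet.enabled = false
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{finding.key}: {finding.reason}")
```

Running the block against the constructed sample reports two findings: snmp.community is still "public", and tls.certificate was never set, so the self-signed factory certificate is still in use. Note that the check is baseline-driven: the script only knows about defaults listed in FACTORY_DEFAULTS, so that baseline has to be maintained per product and firmware version for the audit to mean anything.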

Read the rest of this article on Dark Reading.


Comments
Leo Regulus,
User Rank: Apprentice
1/20/2012 | 3:21:23 PM
re: Top 10 PCI Compliance Mistakes
For many of us in IT, PCI refers to the PCI bus on a computer motherboard. Please also note that 'WP' still refers to (IMHO) the King of Word Processors, 'Word Perfect', not the Windows Phone that is following Zune into oblivion. Nowhere in your article did I find a reference to "Payment Card Industry" - which I now assume (remember AssUMe) your article refers to. A little clarification in the sub-paragraph following the title of an article may be of help here. You most probably have a broad spectrum of readers with a large overlapping of acronyms. ---- BTW, pardon my nit-picking and keep up the good work.