PCI DSS for charities: common struggles

Are you a charity that receives card payments? Are you aware of your responsibilities when it comes to your annual PCI DSS (Payment Card Industry Data Security Standard) assessment?

Completing an annual PCI DSS assessment is not a nice to have or an option – it is a mandatory action that any organisation is required to complete if they process card payments of any kind.

There are 12 requirements that need to be fulfilled each and every year. Most are easy to complete and/or implement but there are two in particular that many organisations find difficult to implement – either because of the technical knowledge required or the financial burden that comes with implementing them.

In this article I will discuss parts of these two requirements that we often see customers having difficulties with.

Requirement 6 – Develop and maintain secure systems and applications

This requirement states:-

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

Everyone should know the importance of ensuring all of your IT systems have the latest security updates installed.

If you are running Microsoft Windows, it is a straightforward task to have your systems updated every month. The wider problem that many organisations find themselves in is that they have no means to determine the security status of non-Microsoft products. A recent report by McAfee highlighted that, on average, an organisation with fewer than 1,000 employees run 22 custom applications, the largest enterprises with more than 50,000 employees run a staggering 788 custom application, on average.

What we can take from these statistics is that even a small organisation is likely to have a significant number of applications that are not manufactured by Microsoft and therefore need to be individually monitored for applicable security updates.

For a small organisation, this is a significant challenge from a technical resource and a cost perspective. Even if an organisation can manage this task, it is only a small part of the PCI requirement.

You also must ensure that other IT assets, such as your network infrastructure (Firewalls, Switches, Routers etc.) are also kept up to date with vendor supplied security updates.

This is often a bigger headache than keeping the rest of your infrastructure up to date, updating these systems often requires a deeper understanding of the technology and determining what needs updating in the first place may not be obvious.

Requirement 10: Track and monitor all access to network resources and cardholder data

This requirement states:-

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

What does this mean to an average organisation?

It means that every IT asset that is part of your CDE (Cardholder Data Environment) must capture and log events pertaining to the flow of Card Holder Data through your organisation.

These logs must contain all the relevant information to be able to create audit trails that link all access to system components to each individual user.

They must also capture events such as; system account creation, elevation of privileges, the creation and deletion of system files (Often referred to as File Integrity Monitoring). There are many more things, but you get the idea!

There’s good news and bad news

The good news: most (if not all) of your systems will have the ability to capture these events already.

The bad news: your systems have a finite amount of storage for these events and the associated logs. When the allocated storage fills up, most will just start to overwrite the earliest entries.

This means that if you suffer a data breach, you may not be able to determine the source of the attack or provide important details to investigating bodies.

You also need to have an ability to detect if the events and the associated log files have been tampered with – this is usually the first thing a malicious individual will do. Stopping a system logging events is the easiest way to hide an attack.

Another reason for having a monitoring solution in place is to keep an eye on your third parties who may need to access your systems. Do you know exactly who they are? Where they are and what access do they have? In a report from eSecurity Planet, Eighty-one percent of respondents said they’ve seen an increase in third-party vendors over the last two years, and 67 percent have already experienced a data breach that was either definitely (35 percent) or possibly (34 percent) linked to a third-party vendor.

Two-thirds of respondents said they trust third-party vendors too much.

Just 34 percent are totally confident they can track vendor logins, and just 37 percent are confident they can track the number of vendors accessing their systems.

What can you do?

You only have a limited number of options.

1. Employ a technical resource (or two) to analyse these log files, all day, every day. The problem with this is that people need to sleep, eat and have holidays. They may also miss key information when they are trying to correlate events from multiple systems to determine where an issue arose.

2. Implement a SIEM (Security Information and Event Management) solution. They do not need to sleep, eat and are always happy to work Bank Holidays! They provide real-time analysis of security alerts generated by applications and network hardware. These products are also used to log security data and generate reports for compliance purposes.


You might also like: