What You Need to Know about PCI-DSS 3.0 When it Comes to Your Firewalls and Routers

With the release of PCI-DSS 3.0, organizations have a framework for payment security as part of their business-as-usual activities. The updated standard introduces more flexibility and an increased focus on education, awareness and security as a shared responsibility. These are important changes because PCI-DSS 3.0 really looks at how to build security into your business processes. I’d like to explore the three main concepts that PCI-DSS 3.0 attempts to address and also the common challenges around ensuring continuous firewall compliance.

1. Improving security education
   The latest release of the PCI standard recognizes that you can require all the controls in the world, but if your employees don’t understand or follow them, they are simply rules on a document. It starts with the security team and their understanding of how to properly implement these controls. For example, do you know how payment card data is flowing through your firewalls and routers? But it also goes much deeper as many employees are involved in the payment chain – and you’re only as strong as your weakest link. These users need to be educated because the fact is that security is not on the top of their minds, and oftentimes they find security to be “in the way”. Employees all too often leave openings for attackers, whether by choosing poor passwords, clicking on malicious links, sharing sensitive information via social media, etc. It’s not just about having more layers of security, but also ensuring that employees involved in the payment chain understand the risks and what to do vs. what not to do.
2. Flexibility
   Another important update in PCI-DSS 3.0 is the recognition that each corporate network and data center is unique. There is no one-size fits all approach to security. What may work to secure one environment may not be as effective in another and the reason is very simple – some environments are all on premise while others are in the cloud (private, public or hybrid) or a hybrid of on and off-premise.  While PCI members, merchants, and service providers must have proper controls in place to protect cardholder data, they should have some flexibility to implement these controls in a way that makes sense for their business because after all these are businesses that need to process a lot of information and transactions in order to make money.
3. Shared Responsibility
   Security is no longer a one-team mentality, but rather a shared responsibility of many different roles and groups such as application owners, database admins, network operations, security engineers, firewall administrators, etc., as well as outsourced third-parties that play a role in processing and storing cardholder data. Whether your cloud is a hosted solution, virtual, SaaS, IaaS, PaaS, your provider must also share responsibility when it comes to the security of your networks, data centers and ultimately card holder data – and you need to hold them accountable. That means periodic reviews of their processes and controls to ensure there are no gaps.

So this is great, but often when it comes to compliance there are some stumbling blocks.

Manual audits will chew up your time and resources and leave you no better off strategically.

This is no joke. Forrester Research has stated that conducting a manual firewall audit is “nearly impossible”. I’ve personally spoken with customers who before implementing AlgoSec were spending 2-3 weeks of audit preparation PER FIREWALL! And in a recent survey on the Impact of Security Management on the Business, nearly three-quarters (74%) of respondents said that firewall audits consume more than one man-week each year and one in six (16%) spend more than one month on firewall audits annually. Automating the audit process is really important because you most likely have to comply with more than just PCI-DSS and even for just PCI-DSS you may have to go through a couple of audits per year.

Point-in-time compliance serves no purpose.

If you don’t have processes in place to ensure continuous compliance, you are setting your organization up for a lot of unnecessary pain. Being PCI compliant today does not mean you will be compliant tomorrow. UNLESS you have a way to manage change. Security changes come fast and furious in many organizations as business requirements dictate. Every time a change is made, there’s an opportunity to take your environment out of compliance. So if you build into your change process a risk and compliance check (and even better, if you can automate that), you can validate that changes will not take you out of your ideal security and compliance posture.

PCI-DSS 3.0 is designed to address how networks and data centers have evolved and to not only improve security controls, but to build them into the fabric of your business. If you can be assured of what’s in your network and how data is flowing through your network, and if you can ensure all of your key stakeholders are aligned, you are well on your way to a continuously PCI compliant environment as well as a more secure and agile operation.