
Much has been said about how important it is to become PCI DSS compliant. For some industries it is an absolute must: without it, they cannot conduct business. We have also covered some of the latest updates to PCI. One of the most overlooked aspects of becoming PCI DSS compliant, though, is actually maintaining compliance. Most organizations simply rush to meet the requirements in time for the auditor’s deadline, when they should be looking at what needs to be done on a continual basis. It is in the quiet period after the audit that most data breaches occur. The following list, put together by Dr. Anton Chuvakin, outlines the areas that require some form of ongoing upkeep.

Section 3.6.4 – Periodic cryptographic key changes should occur at least once per year, or as deemed necessary and recommended by the associated application (preferably automatically).

Section 6.6 – For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing a web-application firewall in front of public-facing web applications

Section 9.5 – Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.

Section 9.9.1 – Properly maintain inventory logs of all media and conduct media inventories at least annually.

Section 12.1.2 – An annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.

Section 12.1.3 – A security policy review at least once a year and updates when the environment changes.

Section 12.6.1 – Educate employees upon hire and at least annually thereafter.

Section 12.6.2 – Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.

Section 1.1.6 – Review firewall and router rule sets at least every six months.

Section 11.1 – Test for the presence of wireless access points by using a wireless analyzer at least quarterly, or deploy a wireless IDS/IPS to identify all wireless devices in use.

Section 11.5 – Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files; and configure the software to perform critical file comparisons at least weekly.
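
As an added example that is not part of the original post, here is a minimal file integrity check of the kind 11.5 asks for: it hashes every regular file under a directory, records a baseline of hash, permission bits and size, and on a later run reports anything added, removed or modified. The directory layout, file contents and the tampering in the demo are constructed for the demonstration. A real deployment stores the baseline off the monitored host, or signs it, so that an attacker who can alter the files cannot also rewrite the baseline to match.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file below root.

    Keys are POSIX-style relative paths so the manifest compares cleanly
    across hosts and after a restore.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky
                "size": st.st_size,
            }
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Re-scan root and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Build a throwaway tree (constructed data), baseline it, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "etc/app.conf": b"db_host=10.0.0.5\n",
            "bin/audit": b"#!/bin/sh\nexit 0\n",
            "bin/run": b"#!/bin/sh\nexec /opt/app/server\n",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.chmod(p, 0o644)

        # In production the manifest is written somewhere the monitored host
        # cannot modify, or is signed; the JSON round-trip stands in for that.
        stored = json.loads(json.dumps(build_baseline(root)))

        # Simulated tampering: config edited, a binary deleted, a cron job
        # dropped in, and a script made world-writable (same content, new mode).
        (root / "etc/app.conf").write_bytes(b"db_host=203.0.113.9\n")
        (root / "bin/audit").unlink()
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/backdoor").write_bytes(b"* * * * * root /tmp/x\n")
        os.chmod(root / "bin/run", 0o666)

        return compare(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from cron at least weekly (daily costs little more) and treat any non-empty report as something a person reviews and closes out. Note that the mode-only change to `bin/run` is caught even though its hash is unchanged, which is why the baseline records more than a digest. Tools such as AIDE, Tripwire or OSSEC do this job with broader coverage, but the principle is the same: the baseline has to be trusted more than the host it describes.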

Section 10.6 – Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection systems (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
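
An added example, not from the original post, of the kind of daily review 10.6 calls for. It runs in Python over a handful of constructed syslog lines in sshd and FreeRADIUS style; the hostnames, user names and addresses are made up. It flags three things a reviewer would want surfaced rather than buried in the raw log: many failed logins from one source in a short window, a successful login that directly follows a run of failures for the same user, and the creation of a new account that should match an approved change record.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd and FreeRADIUS syslog style; the hosts,
# users and addresses are made up for the demonstration.
SAMPLE_LOG = """\
Oct  3 02:14:01 gw01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2
Oct  3 02:14:03 gw01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2
Oct  3 02:14:05 gw01 sshd[2234]: Failed password for root from 198.51.100.23 port 50214 ssh2
Oct  3 02:14:07 gw01 sshd[2236]: Failed password for root from 198.51.100.23 port 50218 ssh2
Oct  3 02:14:09 gw01 sshd[2238]: Failed password for root from 198.51.100.23 port 50220 ssh2
Oct  3 08:02:44 gw01 sshd[3011]: Accepted publickey for deploy from 10.0.0.7 port 41022 ssh2
Oct  3 09:15:02 aaa01 radiusd[811]: Auth: Login incorrect: [jsmith] (from client nas-edge1 port 12)
Oct  3 09:15:20 aaa01 radiusd[811]: Auth: Login incorrect: [jsmith] (from client nas-edge1 port 12)
Oct  3 09:15:41 aaa01 radiusd[811]: Auth: Login incorrect: [jsmith] (from client nas-edge1 port 12)
Oct  3 09:16:05 aaa01 radiusd[811]: Auth: Login OK: [jsmith] (from client nas-edge1 port 12)
Oct  3 11:30:00 db01 useradd[4410]: new user: name=svc_report, UID=1007, GID=1007, home=/home/svc_report, shell=/bin/bash
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
RADIUS_RE = re.compile(
    r"^Auth: Login (?P<result>OK|incorrect)[^\[]*\[(?P<user>[^\]/]+)[^\]]*\] \(from client (?P<src>\S+)")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")
# Per-daemon message regex and the result word that means success.
AUTH_PARSERS = {"sshd": (SSHD_RE, "Accepted"), "radiusd": (RADIUS_RE, "OK")}


def parse(line: str):
    """Turn one syslog line into an auth or account event, or None if irrelevant."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Classic syslog carries no year; strptime still yields comparable timestamps.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    base = {"ts": ts, "host": m["host"]}
    if m["prog"] in AUTH_PARSERS:
        rx, ok_word = AUTH_PARSERS[m["prog"]]
        a = rx.match(m["msg"])
        if a:
            return {**base, "kind": "auth", "ok": a["result"] == ok_word,
                    "user": a["user"], "src": a["src"]}
    elif m["prog"] == "useradd":
        a = USERADD_RE.match(m["msg"])
        if a:
            return {**base, "kind": "useradd", "user": a["user"]}
    return None


def review(lines, fail_threshold=5, window=timedelta(minutes=10), streak_threshold=3):
    """Apply three daily-review rules and return human-readable findings."""
    events = [e for e in map(parse, lines) if e]
    findings = []

    # Rule 1: fail_threshold or more failed logins from one source inside `window`.
    fails_by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and not e["ok"]:
            fails_by_src[e["src"]].append(e["ts"])
    for src, times in fails_by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= fail_threshold:
                findings.append(f"brute force: {j - i + 1} failed logins from {src} "
                                f"between {times[i]:%H:%M:%S} and {times[j]:%H:%M:%S}")
                break

    # Rule 2: a success directly after a run of failures for the same user
    # (the guess that worked, or a spray that landed).
    streak = defaultdict(int)
    for e in events:
        if e["kind"] != "auth":
            continue
        if e["ok"]:
            if streak[e["user"]] >= streak_threshold:
                findings.append(f"success after {streak[e['user']]} failures: "
                                f"user {e['user']} from {e['src']}")
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1

    # Rule 3: every new account should match an approved change record.
    for e in events:
        if e["kind"] == "useradd":
            findings.append(f"account created: {e['user']} on {e['host']} "
                            "(verify against change record)")
    return findings


def demo():
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The thresholds are parameters because the right values depend on the environment; the point of the daily review is that someone reads the findings and records what was done about them, which is also the evidence an assessor will ask for. A SIEM does the same correlation at scale, but a script like this is enough to show what "review logs daily" means in practice for the AAA and IDS servers the requirement singles out.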

Section 12.2 – Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

So there you have it: there is plenty to be done beyond the initial compliance review. None of it is very labor intensive; setting aside a week to cover the annual items should be plenty of time. As for the daily actions, you should have some form of log review, account maintenance, and other operational security procedures in place anyway, not just for PCI DSS.

Frequency     Task
Annually      Review security of web application
              Review security policy
              Perform security awareness training
Bi-annually   Review firewall and router configurations
Quarterly     Perform external and internal vulnerability scanning
Weekly        Run integrity checking on critical files
Daily         Review logs from the systems in scope for PCI
              Perform other daily operational procedures defined in security policy

One thought on “Staying PCI DSS Compliant”

  1. Grecs says:

    Great topic and nice explanation to those of us that aren’t too steeped in PCIitness.
