A Compliant Business is n't 100% Secure
Many companies are using Ecommerce nowadays and because of this PCI compliance standards are placed to be followed to help them keep credit card information secured. However, this doesn't mean that the company's network is completely secured.
Security is beyond compliance, it must integrate validation and security method like pen test and security tools like AV software. But sometimes, many companies are still confused about security when they follow compliance standards. So what is the PCI 2.0?
A PCI 2.0 compliance standard protects sensitive information such as credit card information, Social Security number, personal information, health information, government and military details and secrets. It is the Payment Card Industry's regulation and it is acknowledge by the IT industry; IT industry understands the importance of protecting corporate and also trade secrets - especially now.
Once the company complies with PCI 2.0, they should understand that this is just a part of securing their business. It is just a baseline security and it doesn't secure the company's network from possible vulnerabilities. Those who rely only on compliance control may often find themselves overlooking any unmitigated risk.
As companies rely on PCI compliance and with other compliance audits, some of them would end up having checkbox mentality - a mentality in which they just implement a certain technology or product in order to satisfy the checkmark of each control. It doesn't mean that one detail checked off on the compliance list is implemented well. Poorly implemented technology or product could lead to new risks or perhaps not able to perform their full capabilities when it comes to protecting the company's network structure.
For example firewalls for web applications that are deployed with the out-of-the-box policies. The applications may need special tuning so that they prevent attacks that are beyond and above the OWASP, depending on the custom code and the functionality requirements. In PCI 2.0, the 6.5 controls will set the minimum requirements needed for the thousands of possible applications vulnerability when it comes to vulnerability scanning.
Web Applications Vulnerability Scanning
PCI 2.0 controls require the scanning of external facing IP addresses as well as Web applications regularly. Scans on external networks have to be performed by Approved Scanning Vendor and also Web applications scans - either automated or manual tools. Web applications that aren't scanned leave possible vulnerabilities that attackers may exploit. The vulnerabilities must be addressed regularly.
PCI has recently delisted some mobile applications that were once approved and were deemed compliant. Mobile devices have no firewalls and one could be violating PCI standards if one processes credit card information on mobile devices. These devices would include laptops, smartphones, tablets, etc. It is much better to disallow important data on these devices; if needed, why not modify the security policies regarding mobile devices. For example, adding Password Protect on all types of mobile devices. Don't let the employees work on unsecured networks; instead they should use secure and encrypted networks.
Compliance is Result of an Excellent Security Program
PCI understands the difference between security and compliance. As PCI compliance standards are designed to protect the credit card information, the standards cannot control an address any possible risk existing in the Internet. Businesses have their own unique structures and the challenges have to be addressed independently on compliance mandates. Security is about a wide range of vulnerability and security processes can range from pen testing that has to be performed by an expert who has completed pen test training to security tools and technologies.
Depending on the compliance and the security measures the company, they could fall from extremely vulnerable to extremely secure. The only thing PCI has to do is to ensure the company's processing and also storing in credit card information. The rest is up to the company.
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer trainings in penetration testing.
More information about EC-Council is available at http://www.eccouncil.org.
Tag Words: dss, pci, ecommerce, it, credit card, pen testing, pen test training, pen test, av software, security tools, network infrastructure