Thursday, 17 January 2008

Why do companies fail their PCI-DSS audits?

In my years as an auditor, the top failing I have noted with companies that process or store credit cards is a lack of adequate controls on the database. Next come backups and storage. I have yet to see a company that has maintained adequate backups with encryption or has a process of compensating controls.

Encryption is generally inadequate or non-existent on both the network and the database. SSH is simple; there is no excuse for using telnet over the Internet!

Encryption is a key component of the “defence-in-depth” principle that PCI DSS attempts to enforce. Even if other protection mechanisms or controls fail and an attacker reaches the data, encrypted data remains unreadable without the key (which is why the standard also insists on proper key management). Unfortunately, many companies stockpile credit card data on mainframes, databases, and other legacy systems that were never designed to support encryption. For these companies, encrypting stored data (data at rest) is a key hurdle in PCI compliance.

A compensating control is to obfuscate cardholder data without encryption. The PCI Data Security Standard allows obfuscation (rendering the card number unreadable) as a compensating control for not using encryption. One-way hashing, truncation, and other approaches may all be used, but note that a hash is only as strong as the attacker's inability to guess its input: the space of valid card numbers is small, so an unkeyed hash of a PAN can be brute-forced, and storing a truncated copy of the same PAN beside it makes that trivial.
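The following Python script is an added illustration, not code from the original post. It shows truncation and hashing of a PAN and why the two must not be stored side by side: given a truncated PAN (first six and last four digits kept) and an unkeyed SHA-256 of the full PAN, only the six middle digits are unknown, the Luhn check digit discards nine in ten of those candidates before any hashing, and the full PAN is recovered by brute force in well under a second. A keyed hash (HMAC-SHA256) under a secret held in the key-management system closes that gap, because no guess can be checked without the key. The sample PAN is the well-known Visa test number 4111 1111 1111 1111 (a constructed input, not a real card); all function names and the example key are my own.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample input: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counting from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six (BIN) and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain one-way hash of the PAN. Weak on its own: the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key (assumed to live in an HSM or KMS)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_truncation(truncated: str, target_hash: str) -> Optional[str]:
    """Brute-force the full PAN from its truncated form plus an unkeyed hash.

    Only the masked middle digits are unknown (10**6 possibilities for a
    16-digit PAN), and the Luhn check prunes most candidates before hashing.
    Returns the recovered PAN, or None if no candidate matches.
    """
    prefix, last4 = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for middle in range(10 ** masked):
        candidate = f"{prefix}{middle:0{masked}d}{last4}"
        if not luhn_valid(candidate):
            continue
        if unkeyed_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    digest = unkeyed_hash(SAMPLE_PAN)
    print("stored truncation :", trunc)
    print("stored SHA-256    :", digest)
    print("recovered PAN     :", recover_pan_from_truncation(trunc, digest))
    # Hypothetical key: in practice it comes from the key-management system,
    # never from source code or the same database as the hashes.
    print("HMAC under key    :", keyed_hash(SAMPLE_PAN, b"example-key-from-the-hsm"))
```

The same pruning works without the truncated copy: an attacker who knows only the BIN (six digits) and card length still faces at most 10**9 Luhn-filtered candidates per BIN, which is a few hours of SHA-256 on commodity hardware, so an unkeyed hash of a PAN should never be treated as "unreadable" in the sense the standard intends.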

1 comment:

pci compliance said...

Thank you for your resources! It is good for me!