PCI Compliance in 60 days?

August 8th, 2007

Sounds too good to be true, some people are probably thinking. But that is exactly what encryption vendor Ingrian Networks is offering to customers. With the next PCI deadline of September 30, 2007 approaching rapidly, there has been a lot of discussion around compliance: what it really means to be compliant, what actions need to be taken, and how they can be taken in time to meet these deadlines.

I wanted to find out whether it is realistic to become PCI compliant within 60 days. I had the opportunity to conduct an email interview with Cary Sholer, an independent information security consultant who specializes in large-scale and complex security deployments.

What’s your background on PCI and do you have any experience with the Ingrian solution?

I’ve worked with numerous companies, including some of the largest financial and health care providers, assisting with their compliance efforts. Most recently, I’ve been working with joint customers of Ingrian Networks as part of their “60 Days to Compliance Program”. This program helps organizations to comply with the PCI requirements for encryption of sensitive payment data.

In your opinion what are some of the common misconceptions about PCI?

It is important to bear in mind that, both for the credit card issuers as well as any of the merchants and card processors involved, PCI compliance is not, nor should it be, the end game; security of sensitive payment data is. Complying with PCI, and more importantly securing sensitive credit card and debit card payment data, requires a holistic, ongoing approach, one that encompasses technologies, people, processes, and policies.

What should organizations that have to be compliant be aware of?

While a range of technologies are required, it is clear that they are only a part of the compliance mix. It is ultimately the merchant or processor, rather than the technology vendor, that needs to effectively deploy a given product and ensure that policies are defined and enforced appropriately. Just because an organization is compliant now does not mean it will be compliant one year from now. Further, regardless of the results of an audit, if a breach still occurs, the penalties for an organization will still be severe.

Have you looked at other encryption solutions in the market place?

Yes, I have studied most of the vendors with enterprise-class data encryption solutions. When we select encryption vendors, we look at the top 3-5 available solutions and use fact-based scorecards to shortlist the top two final vendors. However, when it comes to technology solutions to meet PCI requirements, no single product could possibly ensure compliance with all 12 PCI requirements. To meet all 12 PCI requirements, you need to deploy firewalls, anti-virus, physical security, data encryption, tape encryption, and a host of other products. That said, when it comes to complying with PCI standards for encrypting sensitive data in the enterprise, we’ve found that Ingrian has proven invaluable in not only helping ensure compliance, but in achieving the highest levels of cardholder data security, and in doing so with unprecedented speed. The four key criteria where Ingrian did exceptionally well as compared to all of the other data encryption vendors I have evaluated are:

Performance. Encryption has the potential to tie up performance-sensitive applications because of the processing-intensive nature of doing encryption and decryption. Ingrian’s dedicated appliances can perform tens and even hundreds of thousands of operations a second, which virtually eliminates the performance degradation typically associated with encryption. As one client said, the top three requirements for an enterprise-class encryption solution are: performance, performance, and performance. Ingrian leads the industry in encryption operations per second.

Integration. Encryption of data in applications and databases has traditionally presented challenges because of the exhaustive application code changes required. In many cases, Ingrian can be implemented at the database level and requires no code changes to the associated applications. In addition, Ingrian offers support for industry-standard APIs, cryptographic algorithms, and web-based wizards that easily automate much of the database integration process. Ingrian provides the greatest number of integration choices and the easiest-to-use tools for each choice.

Administration. The process of managing encryption keys, policies, and processes has typically been a huge burden for many organizations. With Ingrian, organizations can do this administration for any number of disparate servers and applications, all from a single, centralized console, which significantly streamlines administration. As all of my information security consulting friends will tell you, “it’s all about the key”. Ingrian provides the strongest key protection solution of the enterprise-class data encryption vendors, and the fine-grained control desired by financial services companies.

Interoperability. Protecting credit card data wherever it is stored is not an easy feat. You must be cognizant of the fluid nature of credit card data, meaning it is important to complete your data flows. Credit card data typically flows beyond the primary transaction databases to secondary data stores for marketing analysis purposes, and it is also common for credit card data extracts to move around the enterprise network to network share drives and to large data warehouses. Thus, finding an encryption solution that provides the broadest key management coverage is essential; otherwise re-keying the data as it moves between vendor databases becomes a mandatory requirement, greatly impeding production processes. I have found Ingrian’s DataSecure solution to be the most comprehensive data encryption key management solution, allowing data to be encrypted once even though it may move from a Tandem environment to a SQL Server database to an extract file, and since the same key works in all environments, no re-keying of the data is required.

Ultimately, it’s a combination of these technological advantages from Ingrian and our years of experience in security compliance consulting that allow us to help organizations complete a PCI encryption initiative far more quickly than they would have been able to otherwise.

How realistic is it to meet the data encryption requirement for PCI in 60 days?

Very realistic, but it varies greatly for each organization depending on:

  • executive sponsorship
  • alignment of the IT engineering and security teams on proposed solution
  • buy-in and trust from data stewards across the organization
  • knowing where your data is
  • documentation and enforcement of policies
  • ongoing management and monitoring

Other factors such as the size of the infrastructure, the number of data sources housing payment data, and the type of applications and databases in use will all have a role in terms of the schedule of implementation. It’s interesting that often the data discovery process, understanding exactly which locations house payment data, can be the most difficult and time-consuming part of the process, particularly at larger enterprises.

That said, in my experience, it’s absolutely been possible to deploy encryption and meet these PCI requirements in less than two months, doing everything from initial data discovery, to testing, and deployment. One of our projects at a very large financial services company for a single Web application, known as the Katrina Hurricane application, was completed in 6 business days. This database application was used by the displaced victims of the Katrina Hurricane to update their account contact information and to apply for Federal relief on their home loans.

Cary Sholer lives in the San Francisco bay area and can be reached at carysholer@sbcglobal.net




4 Comments

    1. Comment by netsecurity on August 9, 2007 12:29 pm

      I don't think it is realistic to count on 60 days as a time frame for PCI compliance in the vast majority of enterprises.

      Yes, it is possible when there is a new, single application that is being brought up for the first time, but in a complex environment it may well take 60 days just to map what is the current topology and the data flows. Without the precursor information in place and validated, putting boxes that handle encryption and encryption key management in the data center won't really create compliance.

      If I were a vendor of a hardware or software package dealing with one or more of the twelve PCI standards I’d have a few questions I’d ask the buyer before signing a contract:

      1. Has the executive team proven they support the project by making sure their enterprise is in alignment with the objectives?

      2. Has the enterprise provided the funds to accomplish the required precursor work?

      3. Are policies, procedures, and documentation current?

      4. Are there people within the enterprise who own keeping policies, procedures, and documentation current?

      There are a number of other questions that would need to be asked and answered affirmatively, but the few above will give you the flavor of the type of questions they would be.

      The other part of this type of situation is that no one vendor handles all twelve aspects of PCI-DSS. As with other things, the weakest link is the one that will be exploited. The vendor for the one part may well be compromised by any failure in the remediation of the other parts: firewall configuration, proper isolation via network sub-netting, data in flight, data leaving the network via e-mail or other protocols, and on and on all need to be addressed.

      You could put a very large team on the project to make it move faster. While a large team can do a lot, there is always a certain shakedown period for the team to be able to work effectively together. The larger the team, the longer this trust building process will take. Then, too, there is the trust building required between the vendor’s or consultant’s team and the staff of the enterprise.

      Even a team that has worked together on other projects and has been tested under fire with real world problems, and is in alignment with the enterprise, won’t have a chance unless you have all the policies, documentation and organizational drive and buy-in in place *before* you hire the vendor.

      It is this groundwork that is missing in my experience and often the organization is not willing to pay for and keep current all this. To me, this is the most critical part of meeting any compliance or regulatory requirement, and while this is my area of expertise, I think you will find most people experienced in IT will agree.

      That said, it is possible to meet PCI standards in a SMB environment, but I wouldn't count on it. The lack of complete and current documentation of the topology and the data flows is often worse than the very sad state of affairs at larger enterprises.

      If I were the buyer I'd be very skeptical and want written, actionable guarantees before signing a contract.

      I’d be very interested in hearing other viewpoints on this subject.

      Allen Schaaf, CISSP, CEH, CHFI

    2. Comment by Martin Hack on August 9, 2007 8:40 pm

      I'm not sure whether everything has to be in place *before* you hire a vendor. For example, most of the vendor-specific documentation won't be possible to produce until after it's been deployed and aligned for a given customer environment.

      The underlying issue here is that there are companies that look at PCI as, "oh, it's just another audit we've got to pass", and then there are organizations who simply want to have a great security posture. Two observations here: the first group are usually the guys who always operate out of a tactical, "that's good enough" catch-up mode; the second group are the ones who have a much more strategic approach to security. Nothing that's in the current PCI DSS spec should be a surprise to anyone who deals with security; all of the requirements make security AND business sense, and one could argue that companies should have been following them even without a standard and the threat of fines.

      So I would suggest that if you approach every new security requirement from a tactical point of view you are already screwed. At the same time, organizations could start and use a "60 days to compliance" at least as a framework that gets them out of the tactical and into an anticipatory mode for security. For a disciplined organization - yes, they are out there - chances are they are already there, and if there are a couple of things they have to update to pass an audit, they should be able to do it in 60 days.

    3. Comment by Cary Sholer on August 29, 2007 3:51 pm

      Allen and Martin, I agree with both of you. Implementing any solution in less than 60 days requires advance planning, standard procedures, and a very high-functioning team with lots of experience. Implementing a security and compliance solution also requires more standards, e.g. a security policy template, well thought out support processes, and job descriptions parsed out to maintain separation of duties.

      While all of this sounds simple enough, implementing a security and compliance solution in 60 days can be done and I have done it. Yet we had most of the pre-work done before we acquired the vendor solution. We also had strong executive sponsorship and the support of the CTO to help us overcome obstacles in IT. The seven P's that I learned early in my career make all of the difference on these types of projects: Prior Proper Planning Prevents Piss Poor Performance. The best teams with enough prior proper planning can implement almost anything in 60 days.
      Regards,
      Cary

    4. Comment by Mike Ghodoosian on September 29, 2007 3:08 pm

      I read your comments on the preparation of PCI solutions in healthcare. I am interested to hook up with a reputable group of consultants for bringing turnkey solutions in less than 60 days to a few of our clients NOW.

      I could also use a white paper or two on the details. Can you help or give me some advice?

      Thanks,

      Mike Ghodoosian, URC
