One of the biggest complaints about the PCI standards is that they always seem to be changing.
The reason why this seems to be the case is that the security measures of networks and applications are always changing. Why? It’s the attackers. Every time we close up one way in, they find another. When the threats change, so do the tactics to secure resources. Hence, the PCI SSC issues clarifications to the PCI DSS to address new threats.
As an example, in v1.2 of the DSS you now have to conduct vulnerability scanning AND penetration testing on the inside of your network: vulnerability scans at least quarterly, and penetration testing at least annually or whenever significant changes are implemented. Why? For a number of reasons, all of them the result of changes in the threat landscape.
- First, because applications are becoming browser-based, you now not only have Web-based applications facing the big, bad Internet, but they are also on your internal network. If they can be abused from the Internet, do you think they can also be abused on your internal network? You bet!
- Second, it’s not just the Internet you have to worry about these days. You need to worry about your own employees. Huh? You think those 20-somethings you have working for you are working all of the time? They get breaks, and they tend to want to surf the net. The other bad news is that in a lot of cases your younger employees may know as much about your technology as your IT department, or more. FBI statistics state that 70% or more of all attacks have an internal component: either an attacker used social engineering to obtain the information needed to access your network or systems, or an insider was an active participant.
- Finally, statistics point to security threats increasing on the inside of your network. Of course your IT department is on top of internal security, right? But you haven’t funded a lot of security initiatives on the inside, because you have all of those policies and standards that tell people not to do bad things to your network and the information you store. Meanwhile, you have invested in all of those new browser-based applications. While those applications may not face the Internet, they are still susceptible to all sorts of vulnerabilities, such as cross-site scripting or SQL injection. And those vulnerabilities could be used to compromise your cardholder data, as well as any other sensitive information.
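To make the point about internal applications concrete, here is an added example that is not from the original post: a constructed, self-contained Python mock-up of the kind of internal-only "order lookup" tool the list above describes. The table, the order IDs, the names and the card numbers are all made up (the PANs are standard test numbers, not real cards), and the function names are mine. The vulnerable lookup builds its SQL by string formatting, exactly the kind of code that gets written for a tool "nobody outside can reach"; the hardened version uses a parameterized query, and the masking helper shows what such a tool should return to the screen in the first place.

```python
import sqlite3

# Constructed sample data for an internal order-lookup screen.
# These are well-known test card numbers, not real cardholder data.
SAMPLE_ORDERS = [
    ("ORD-1001", "Alice", "4111111111111111"),
    ("ORD-1002", "Bob",   "5555555555554444"),
    ("ORD-1003", "Carol", "378282246310005"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, order_id):
    """The 'internal tool' as it is often written: user input pasted into SQL.

    An order ID of  ORD-9999' OR '1'='1  turns the WHERE clause into
    order_id = 'ORD-9999' OR '1'='1', which matches every row in the table.
    """
    sql = "SELECT order_id, customer, pan FROM orders WHERE order_id = '%s'" % order_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id):
    """Same lookup with a parameterized query.

    The driver sends order_id as a bound value, so the quote characters in
    an injection payload are compared literally and never change the query.
    """
    sql = "SELECT order_id, customer, pan FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def mask_pan(pan):
    """Display form of a PAN: first six and last four digits at most,
    which is the most PCI DSS permits on a screen; everything else is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def lookup_for_display(conn, order_id):
    """What the internal screen should actually return: parameterized query,
    PAN masked before it leaves the data layer."""
    return [(oid, customer, mask_pan(pan))
            for oid, customer, pan in lookup_hardened(conn, order_id)]


if __name__ == "__main__":
    conn = build_db()
    payload = "ORD-9999' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(conn, "ORD-1001"))
    print("vulnerable, injected     :", lookup_vulnerable(conn, payload))
    print("hardened, injected       :", lookup_hardened(conn, payload))
    print("display, normal input    :", lookup_for_display(conn, "ORD-1002"))
```

Run it and the vulnerable lookup hands back every customer and full PAN in the table to anyone on the internal network who can type a quote character into the form, while the hardened lookup returns nothing for the same payload. That is the whole argument for scanning and penetration testing inside the perimeter: the code is no safer for being behind the firewall.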
All you have to do is look at the latest breaches, such as Heartland and RBS. Both had a strong internal component. In response, the PCI DSS is being adjusted to address the new internal threat.
So, if you want the PCI DSS and related standards to remain static, you need to stop the attackers from finding new methods of attack.