Hosted, validated
In August, Sydney-based managed security service provider (MSSP) earthwave announced that it had received its PCI certification, claiming it was the only MSSP to have done so in Australia. Earthwave has six QSA partners and it took the company around a month to become certified. CEO Carlo Minassian says he saw an opportunity as existing and new clients were increasingly requesting PCI compliance.
"They were being penalised as a result of the new standards," he says. According to Minassian, PCI DSS v1.2, which came into effect in October 2008, insists that any merchant outsourcing their security infrastructure management, such as firewall and IPS systems to a managed security service provider, must also ensure their preferred MSSP is certified.
"That's where we come in. We got ourselves certified so that our customers going through an audit can just point the auditor to us and say, 'earthwave is certified'. If I had 50 clients [and] I wasn't certified, all 50 would have to pay their QSA to audit earthwave. Because we've audited ourselves all we have to do is show them our certificate and that's it," he says.
In some cases a QSA audit is not mandatory. Instead the payment brands ask for a Self-Assessment Questionnaire (SAQ) to be completed. The questionnaire is intended to help merchants and service providers determine whether they are complying with the PCI DSS.
There is, however, more than one questionnaire: four SAQ versions (A, B, C and D), each mapped to one of five merchant validation types defined by the way a merchant handles card data.
In the APAC region, Amex does not require organisations to complete an SAQ, says Nott. "You can still complete it as a measure of your compliance status and use that, but we're not required to see it."
200 steps to success
PCI DSS involves more than 200 requirements and the majority of these are technology based, but there are many business processes as well, says the PCI Council's Leach.
"There are requirements around background checks, making sure that those individuals who have access to the technology are upstanding citizens. One solution will never make a merchant or a service provider compliant," says Leach.
For resellers to have any success selling products around PCI, it is vital that they communicate that PCI is more than just a product. They have to understand the standard itself, says Leach.
"The key for the resellers is the better they understand the PCI standard and the requirements placed upon their clients the better prepared they are to sell those products."
Resellers increasingly understand general security principles, that "you have people, processes and technology in order to make any business process work and for any process to be secure. Even though they are selling the technology they still have to have a fundamental understanding and awareness of how to keep their environment secure once they've purchased 'our' technology," says Leach.
Speaking as a security practitioner rather than a vendor, Minassian argues that compliance does not equal security.
"PCI is not such a difficult thing to achieve, it's not rocket science. But still people struggle to maintain it because it's a discipline. Security is a discipline, it's not a product." Minassian says lots of people buy products as part of the 12 requirements but they don't know how to operate them.
Other experts agree.
"You can't just throw a bunch of tools at it and walk away - you need to make sure you follow up on things that the tools actually find," argues Amex's Nott.
"PCI DSS is very much the baseline of security. If an organisation has a good handle on its security posture and understands the risks to the company for preventing data loss, then they would already have a lot of security tools in place. PCI DSS really has a lot of structure around processes and people."
Finding the right technology
Having said that, certain technologies are mandatory for PCI DSS compliance and resellers have a vast range of products they can sell as part of a PCI solution.
Requirement one of PCI DSS v1.2 details the need for a firewall, requirement three covers protection of stored cardholder data and requirement four covers encryption of cardholder data in transit over open, public networks. Patch management tools could be used for requirement six (secure systems and applications) and access and identity management tools for requirement seven (restricting access by business need to know). Requirement 11 is around regularly testing security systems and processes; the quarterly external vulnerability scans it calls for must be performed by an Approved Scanning Vendor (ASV), whereas internal scans and penetration tests can be done by the merchant or another qualified party.
"In the first instance you need to have at least a firewall that is protecting the cardholder information," says Murray Goldschmidt from Sense of Security. "It needs to be procured. Most companies have got firewalls already but that firewall may need to be reconfigured. So [for resellers] there's a professional services [requirement]. Or [merchants] may need to get a newer firewall because [PCI says] you have to segregate the cardholder environment from the rest of the environment.
"Requirement three, which says 'protect stored cardholder data', is really around encryption and protection of sensitive information. Encryption is the most difficult or the most complex attribute of the standard to address correctly," says Goldschmidt.
"It's really where organisations struggle the most, because encryption is complicated - it always has been complicated. It can be delivered by a combination of hardware or software or both. And traditionally the products have been expensive and have to complement existing systems with third party tools," says Goldschmidt.
Scott Robertson is the country manager for firewall and VPN appliance vendor Watchguard. He says PCI hasn't taken off as quickly in Australia as in the US. So far, he says, large companies and larger retailers are implementing solutions and only small business retailers are committed to improvement.
"Essentially the framework is talking about having a segregated, trusted network separate from the core network. Watchguard sits in between the access of networks as a firewall and facilitates the traffic in and out of the network. So it's very much an integral part of any PCI solution - they need a firewall.
"When you think about designing these networks the very first piece of technology you're really looking at is something that can protect the core of the network, and that's a firewall. But certainly two-factor has become part of the [PCI DSS] as well."
TripWire provides change-detection (file-integrity monitoring) capabilities, a technology explicitly called for in requirement 11.5 and one that supports requirement 10, which says merchants need to "track and monitor all access to network resources and cardholder data". Robert Kidd, vice president for Asia Pacific at TripWire, says in Australia there is a growing appreciation that PCI is important to the merchant and the consumer.
"For our channels, we have several partners. One example is Frontline, where they have a specific vertical focus. The opportunity is to engage with them to identify which specific verticals need a focus around PCI, and where the opportunity is and where the requirement is. Then we provide deeper training to those channels and those verticals," says Kidd.