For merchants still working their way toward Payment Card Industry Data Security Standard (PCI DSS) compliance, San Francisco-based nCircle Inc. is launching an auditing and file monitoring tool aimed at securing point of sale retail systems.
The company said configuration change management is crucial for organizations that need to monitor the integrity of their critical files as per PCI security requirements. The new monitoring packages will be part of its Configuration Compliance Manager (CCM).
“When you look at all the PCI requirements, many of them are done manually,” Mark Wood, vice-president of product management at nCircle, said. “File integrity monitoring is something that retail shops need to consider when looking at PCI compliance.”
Under PCI DSS, all companies that accept credit cards must comply with 12 security requirements, which include maintaining a secure network via firewall, encryption of cardholder data, and strong access control measures. The standard was developed by the major credit card companies in order to standardize credit card data protection.
With CCM, nCircle hopes to address many of the processes outlined in the PCI security rules, but according to one Gartner Inc. analyst, the tool is most applicable to PCI’s file integrity monitoring rules.
“Section 11 requires file monitoring that looks for changes on any of the systems that touch cardholder data,” said Avivah Litan, vice-president and research director at the Stamford, Conn.-based research firm. She said merchants need to actually go beyond the PCI requirements on file integrity monitoring and audit continuously rather than just once a week.
“It’s really much better to be monitoring for changes continuously because an attacker can get in on a Monday, right after you run your configuration change management report, and conduct seven days of criminal activity before you even realize it,” she added.
Litan cited the widely publicized Hannaford Bros. Co. supermarket data breach earlier this year – where malware was loaded onto the company’s servers, resulting in the loss of several million credit and debit card numbers. The attack was successful, she said, despite the fact that the Scarborough, Me.-based supermarket chain was fully compliant with PCI security requirements.
“This is just a theory, but had they been running configuration change management on a continuous basis, they would have seen the attack when the malware was placed onto their payment server,” she said. “So it’s like a back-up safeguard measure. If all else fails, look for files that have been put onto the system that don’t belong there.”
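The file integrity check Litan describes (a baseline of the files on a payment system, compared against a later snapshot so that added, altered or deleted files stand out) can be illustrated in a few lines. The following is an added example written for this article; it is not code from nCircle's Configuration Compliance Manager, and the directory layout, file names such as `bin/pos-agent` and `config.ini`, and the simulated changes are all constructed in a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    This is the 'baseline' when taken once, and the 'current state' when
    taken again later; the comparison between the two is the integrity check.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Report files that appeared, changed or vanished since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Build a constructed payment-system tree, baseline it, then tamper with it.

    The tree and the changes are made up for this example: one unexpected
    file is dropped in, one config file is edited, one log file is deleted.
    Returns the diff a monitoring run would produce.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos-agent").write_bytes(b"original payment agent binary\n")
        (root / "config.ini").write_text("[pos]\nterminal=1\n")
        (root / "old.log").write_text("rotated log\n")

        baseline = snapshot(root)  # taken on the "Monday" the report runs

        # Simulated changes after the baseline (constructed, not real malware):
        (root / "bin" / "helper.dll").write_bytes(b"file that does not belong\n")
        (root / "config.ini").write_text("[pos]\nterminal=1\ndebug=true\n")
        (root / "old.log").unlink()

        current = snapshot(root)  # the next monitoring pass
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Running `demo()` reports `bin/helper.dll` as added, `config.ini` as modified and `old.log` as removed. The gap Litan points to is simply how often `snapshot()` is taken: a weekly run gives an intruder up to a week of undetected activity, whereas a continuous or event-driven run surfaces the new file as soon as it lands. A real deployment would also keep the baseline somewhere the monitored host cannot rewrite it, since a digest store that an attacker can update along with the files proves nothing.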