VULNERABILITY MANAGEMENT IS A REQUIREMENT FOR PCI COMPLIANCE – HOW DO YOU MEASURE UP?

We read about new security vulnerabilities within software that is in widespread usage every week. As many retailers still rely on manual vulnerability and patch management processes, this can have a huge impact on PCI compliance. Chris Walsh, Sales Director at UK IT security distributor Alpha Generation explains.

An important element of the PCI Data Security Standard (DSS) requirement is that merchants/retailers maintain a vulnerability management program. As defined on the *PCI website, this includes updating software on all systems and developing and maintaining secure systems. More specifically, any major vulnerabilities found should be patched within one month to remain PCI compliant, although ideally they should be patched immediately or as soon as a patch is available in order for the retailers to remain secure. However, many retailers still rely on manual processes for this laborious task, making the requirement to patch within a month a challenge, and immediate patching a near impossibility.

Any software application running on a PC or network may contain a vulnerability through which an attack can be launched, making it vital for retailers and merchants, who may hold sensitive customer data, to ensure they keep up to date with patching. Most retailers spend considerable time and effort protecting the perimeter i.e. ensuring that PCs and mobile devices connecting to the network are what they say they are, and preventing unauthorised downloads of data. Anti-virus and firewalls help to protect against viruses, Trojans and other malware, in a reactive way. However, legitimate software can also pose a threat if it is not kept up to date, which is where a proactive vulnerability management process is critical.

Last year Secunia saw 15,435 vulnerabilities in 3,870 applications from 500 different vendors. This is up 18% from the year before and up 55% over the last five years. 60.2% of vulnerabilities showed the primary attack vector was via remote network access. In addition, a recent **Ponemon Institute study revealed that retailers struggle to identify serious cyber security attacks inside their networks. On average it took retailers 197 days to identify an attack, compared with financial services firms that took 98 days. 71% of retailers said they are not optimistic about their ability to improve these results in the coming year.

At the end of April there had been seven zero-day vulnerabilities in 2015. This is where hackers have actively exploited a vulnerability before the vulnerability is publicly known and therefore not possible to mitigate. This increase indicates that cyber crime is becoming increasingly sophisticated.  With the huge amounts of personal and card data handled by retailers, the sector is a prime target for hackers, and has much to lose in terms of reputation.

Vulnerability management is unquestionably a prerequisite for security and checking for vulnerabilities is a requirement for PCI DSS compliance. In doing so, it helps to keep the organisation more secure, which is good for business, reputation and customers.  When handled manually vulnerability management can be time consuming and made all the more difficult by the fact that many systems used by retailers, for example EPOS systems, may include third party software that the retailer has no visibility of. Add to this the possibility that some PCs may have additional productivity software added which the IT department may be unaware of, and the scale of the issue grows considerably.

To successfully manage software vulnerabilities, retailers need complete visibility of their entire IT environment, and they need to know about vulnerabilities as soon as they become known. This is an expansive discipline that cannot be addressed by technology alone, as it must include company policies, processes and verified vulnerability intelligence. If there is a threat to infrastructure, the issue needs to be resolved in the fastest and most effective way possible. If the threat is software vulnerability the retailer must determine where it will have the most critical impact and deploy a security patch quickly.

The benefits to retailers are clear. By combining up-to-the-minute vulnerability intelligence with patch management, retailers can prioritise their efforts to help ensure that they remain PCI compliant. In short, the IT department saves a lot of time that can be directed to more proactive and strategic activities that support the business.

Sources:

*https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

**http://www.ponemon.org/blog/ponemon-institute-releases-new-study-on-the-efforts-of-retail-companies-and-financial-services-to-improve-the-time-to-detect-and