PCI Security: Making More Of The Journey

As with anything where money is involved, security is of paramount importance and this is particularly true in the retail sector. Since 2006, the Payment Card Industry (PCI) Security Standards Council has been providing merchants with guidance and rules for making and tracking secure payments based on credit or debit cards. For over two years, all merchants offering customers the ability to pay for goods or services by card have had to comply with these standards.

However, despite being a well-established set of standards, PCI security is still a challenge for many organisations. Much of this is due to the pace of change within retail and how hard IT has to work to keep up with this. As new methods for making payments via smartphones or tablets have been introduced, the number of potential points where the integrity of payment security has to be assessed and maintained has increased.

At the same time, retailers also have to consider how to deal with distributed environments and how to manage the devices spread across those locations. Each time a new location is opened, a fresh set of IT equipment must be installed and made secure. This distribution of IT assets across multiple locations makes systems management a challenge in the long term, not just when it comes to gaining compliance.

Points 4 and 5 on the Data Security Standard (PCI DSS) list require organisations to keep their systems patched and secure against attacks, both by having anti-virus software in place and by maintaining secure systems. This includes keeping applications and operating systems up to date, as well as applying updates to anti-virus, firewall and other perimeter security systems.

From a systems management perspective, configuration management goes beyond the security products themselves and into wider management issues. It involves checking that all IT assets are set up and configured correctly, so that they are both secure and meet company requirements. As part of this, retailers should check that their access policies are actually being followed. One example is verifying that passwords are set up properly so that they are secure: this means not using dictionary words, and instead using a ‘passphrase’ that includes letters and symbols.
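The kind of configuration check described above, as an added example that is not part of the original article or of Dell KACE's product: it scores each asset in a constructed inventory against a constructed policy (anti-virus on, firewall on, password settings enforced) and separately validates a candidate passphrase against the dictionary-word and letters-plus-symbols rules. The asset fields, thresholds and the tiny word list are assumptions made for the illustration.

```python
"""Configuration compliance check over a constructed asset inventory.

Added illustration, not Dell KACE code. Asset records, policy thresholds and
the small dictionary word list are constructed for this example; a real check
would read discovery results and a full word list.
"""
import re

# Constructed policy: what "configured correctly" means for this example.
POLICY = {
    "min_passphrase_length": 12,
    "password_requires_symbols": True,
}

# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "welcome", "retail", "summer", "checkout"}

# Constructed discovery output for two point-of-sale endpoints.
ASSETS = [
    {"name": "pos-001", "antivirus_enabled": True, "firewall_enabled": True,
     "password_min_length": 14, "password_requires_symbols": True},
    {"name": "pos-002", "antivirus_enabled": False, "firewall_enabled": True,
     "password_min_length": 8, "password_requires_symbols": False},
]


def passphrase_findings(passphrase: str) -> list[str]:
    """Return policy violations for a candidate passphrase (empty = compliant)."""
    findings = []
    if len(passphrase) < POLICY["min_passphrase_length"]:
        findings.append("too short")
    if not re.search(r"[A-Za-z]", passphrase):
        findings.append("no letters")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        findings.append("no symbols")
    # Strip digits and symbols; if what remains is a single dictionary word,
    # the passphrase is just a padded word and is rejected.
    core = re.sub(r"[^A-Za-z]", "", passphrase).lower()
    if core in DICTIONARY:
        findings.append("dictionary word")
    return findings


def asset_findings(asset: dict) -> list[str]:
    """Return configuration deviations for one asset (empty = compliant)."""
    findings = []
    if not asset["antivirus_enabled"]:
        findings.append("anti-virus disabled")
    if not asset["firewall_enabled"]:
        findings.append("firewall disabled")
    if asset["password_min_length"] < POLICY["min_passphrase_length"]:
        findings.append("password minimum length below policy")
    if POLICY["password_requires_symbols"] and not asset["password_requires_symbols"]:
        findings.append("password complexity not enforced")
    return findings


def compliance_report(assets: list[dict]) -> dict[str, list[str]]:
    """Map asset name -> list of findings, for the audit trail."""
    return {a["name"]: asset_findings(a) for a in assets}


if __name__ == "__main__":
    for name, findings in compliance_report(ASSETS).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("candidate passphrase:", passphrase_findings("Welcome1") or "OK")
```

The report is per asset rather than a single pass/fail so that the same output can feed both remediation tickets and the evidence an assessor asks for; the passphrase validator is meant to run where a password is set, since the stored credential itself should never be available in plain text to an inventory tool.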

Providing more value

Keeping these systems current involves applying a systems management strategy across the organisation’s IT assets. The main benefit of this is that all the company’s IT assets are managed more efficiently, not just those that cover security. This provides long-term value back to the organisation by reducing the amount of time currently spent on IT management tasks.

Developing this systems management strategy involves a four-stage process around asset detection, assessment, remediation and protection. The detection phase involves finding any IT asset that is on the company network – this can include anything from desktops, laptops and printers through to more specific items like Point of Sale devices and mobile terminals.

Once you have a full list of IP-enabled assets, these can be assessed for patching requirements based on the OS and applications that they are hosting. As an ongoing activity, these scans can be automated in line with patches coming through from the likes of Microsoft or other software providers. This can also provide an opportunity to remove unnecessary applications and reduce the number of software assets that have to be maintained.

The remediation phase involves applying the patches that are required. Again this can be automated so that individual staff members do not have to install these manually. For retail organisations, this step can also be conducted remotely, which removes the problem of having to send staff out to keep systems updated.
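The detection, assessment and remediation steps described above, carried through as an added example (not the article's or Dell KACE's own code): a constructed list of IP-enabled assets with their OS and application versions is compared against a constructed patch catalogue, software that is not on an approved list is flagged for removal, and the result is a per-asset remediation plan that an automated deployment could act on. The inventory, catalogue, approved-software list and the dotted-numeric version format are all assumptions for the illustration.

```python
"""Patch assessment and remediation planning over a constructed inventory.

Added illustration, not Dell KACE code. The discovery output, patch catalogue
and approved-software list are constructed; a real run would use scan results
and vendor patch feeds. Versions are assumed to be dotted numeric strings.
"""

# Constructed discovery output: IP-enabled assets with OS and installed software.
INVENTORY = [
    {"ip": "10.0.1.10", "name": "pos-001", "os": ("Windows", "10.0.19044"),
     "apps": {"pos-client": "4.2.0", "pdf-reader": "11.0.3"}},
    {"ip": "10.0.1.11", "name": "pos-002", "os": ("Windows", "10.0.19041"),
     "apps": {"pos-client": "4.1.7", "media-player": "2.9"}},
    {"ip": "10.0.2.5", "name": "printer-01", "os": ("PrinterOS", "3.1"),
     "apps": {}},
]

# Constructed patch catalogue: product -> lowest version with all current fixes.
PATCH_CATALOGUE = {
    "Windows": "10.0.19044",
    "pos-client": "4.2.0",
    "pdf-reader": "11.0.3",
    "PrinterOS": "3.2",
}

# Constructed list of applications permitted on retail endpoints.
APPROVED_APPS = {"pos-client", "pdf-reader"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.0.19044' into (10, 0, 19044) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def needs_patch(installed: str, current: str) -> bool:
    return parse_version(installed) < parse_version(current)


def assess(asset: dict) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Return (missing patches as (product, installed, target), unapproved apps)."""
    missing = []
    os_name, os_version = asset["os"]
    if os_name in PATCH_CATALOGUE and needs_patch(os_version, PATCH_CATALOGUE[os_name]):
        missing.append((os_name, os_version, PATCH_CATALOGUE[os_name]))
    for app, version in asset["apps"].items():
        if app in PATCH_CATALOGUE and needs_patch(version, PATCH_CATALOGUE[app]):
            missing.append((app, version, PATCH_CATALOGUE[app]))
    unapproved = sorted(set(asset["apps"]) - APPROVED_APPS)
    return missing, unapproved


def remediation_plan(inventory: list[dict]) -> dict[str, list[str]]:
    """Map asset name -> ordered actions for the remediation phase."""
    plan = {}
    for asset in inventory:
        missing, unapproved = assess(asset)
        actions = [f"upgrade {product} {old} -> {new}" for product, old, new in missing]
        actions += [f"remove {app}" for app in unapproved]
        plan[asset["name"]] = actions
    return plan


if __name__ == "__main__":
    for name, actions in remediation_plan(INVENTORY).items():
        print(name, "up to date" if not actions else "; ".join(actions))
```

Keeping assessment (what is wrong) separate from planning (what to do) means the assessment output doubles as the compliance evidence mentioned later in the article, while the plan is what gets handed to the automated, remote deployment step.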

By carrying out these steps, retailers can ensure that their endpoints are updated and protected. There is also a further benefit for PCI DSS compliance: systems management helps to improve auditing and allows organisations to track admin access, which is a critical part of overseeing PCI DSS. Having this complete overview of IT assets also makes it easier to report on activities undertaken to keep systems in compliance. This reduces the cost of the processes needed to prove that systems are compliant to the relevant authorities.

PCI security is a long-term requirement for businesses, but it continues to be a challenge. Keeping systems secure is necessary but organisations can realise even more benefits from their compliance investment. By reducing manual intervention and the cost to support IT assets, retailers can see better results for their own staff and in their service delivery to customers. Implementing a more in-depth IT systems management strategy can also help improve the availability and security of IT across multiple offices.

Seann Gardiner, EMEA Regional Sales Director, is responsible for running Dell KACE's operations in EMEA, covering sales and channel development as well as supporting existing customer service. Seann has moved over to managing European operations after being responsible for overseeing the KACE channel network worldwide.