Returning from the PCI Conference - a back to basics moment

Published: 15 July 2016

Catherine Jamieson, PCI Compliance

By Catherine Jamieson

We're just back from the PCI conference, and sometimes it's worth going back to basics:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Launched on September 7, 2006 the goal of the PCI DSS is managing the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

The area that we focus on, Privileged Access Management, is well understood in this sector and personalised privileged accounts are predominantly well managed.

Privileged Access Management of Generic and Built-in Accounts

The importance of knowing who did what and when is critical both for audit trails and to confidently demonstrate compliance. Unfortunately the control can lapse when generic, default, or built in systems are taken in to account. A key issue here is the number of accounts that exist and keeping a record of when they are created, how they are used, and when they are (or should be) deleted. One particular area where these accounts can be easily lost is at the help-desk. Also known as first line support, these accounts tend to be created to deal with a particular issue or problem, or are assigned to contracting members of the team retained to support specific projects only. Easy to change, these passwords are often amended several times over the life of the PCI system's operation so monitoring them becomes even more challenging. Take in to account that such short term support projects are often in response to peaks in business demand, rather than ongoing needs, and you'll also appreciate that a number of these are also outsourced to third parties or temporary staff members. It is here that PCI policies are most at risk of being breached - unintentionally or otherwise.

In order to retain control and remove all risk of a data breach it becomes critical to separate the user from the system credentials. Even with the best intentions passwords can be shared on a temporary basis to 'help' a colleague access an element of the system under pressure with a deadline or to resolve a pending crisis that needs team involvement or specialist support. Consider now that these credentials are shared with third parties that have no long term responsibility to the business and you quickly find the scale of the problem increasing exponentially.

Osirium tackles this issue by enabling the organisation to map requests made in the system for access via these generic accounts. It then gives the business complete visibility of how the system is accessed as opposed to simply knowing that the account was used. In addition further control elements can be added, such as change or incident tickets, which would require the user to quote a valid incident or reference number, with the cycle completed with details of 'why' access was requested being recorded. Becomingly increasingly compelling in this space is the ability to offer session recordings. Sessions can be reported against to reveal exactly what happened on the system, device and application. Not only does this deter the internal hackers but also ensures that increased attention is paid by the user, typically resulting in better quality outcomes.

Looking again at the use of such generic accounts, most businesses will agree that these are created in order to complete specific tasks that whilst required regularly do not need to be completed by a specific individual - leading to passwords and access details being shared across a wider team. To tighten up security in this area, such repetitive tasks and sequences can also be automated in Osirium - removing the need for anyone to share a password as access rights are agreed and assigned to the individual, rather than by shared tasks.

Remove the user's need to log in, and you've removed associated risks - no wandering, no sharing passwords and no forgotten accounts left accessible - which in turn reduces the risk linked with external unauthorised access. Osirium gives you auditing capabilities, complemented by reporting and tracking metrics that can help improve your PCI workforce and demonstrate systems are secure. At a time that reputational risk is as much of a business concern as financial risk is, why lock your front door when at the same time you're leaving a back window open?

Release Date: 
Friday, 15 July 2016
Article Type: 
Blog Post
Catherine Jamieson