Schooled on PCI Compliance
Many people in the retail industry think compliance with PCI Data Security Standard pertains only to traditional retailers. But any organization that handles card payments for retail sales must comply with PCI DSS, and their issues can be as complex — even more complex — than retailers’.
Take the University of Houston. It operates 43 different retail-related businesses that accept credit and debit cards, ranging from book stores and food service to athletic ticket sales and medical facilities. Because the campus businesses are so diverse, the POS terminals and other hardware used to operate each business are often configured differently and have different security issues. As a result, making sure that the school’s payments network and connected devices are secure and adhering to safe payment standards can be quite difficult.
The university learned this lesson the hard way: Its payment network was compromised three years ago, and the ensuing audit provided a real wake-up call.
“There were a lot of onerous issues related to reporting, verifying information and examining configurations that we had to take into consideration,” says Charles Chambers, manager of network planning and devices for the University of Houston. Essentially, the university had to identify each piece of hardware and software that operated on its payment network, how every component on the network operated and what its individual potential security threats were before it could verify if they met the standards for safe payments.
Complicating matters was the fact that, while most of the businesses use dial-up POS terminals, about a half-dozen businesses operate on a shared DSL network line.
After what Chambers described as “several false starts” in trying to put together an audit trail on its own, the university began utilizing the NetMRI audit tool from Netcordia. NetMRI is a stand-alone network solution that automatically provides discovery, identification of topology and assessment of network health and issues related to industry best practices like PCI compliance.
“We had been doing a lot of the work manually, but using the NetMRI audit tool allowed us to lower the cost of managing PCI,” Chambers says. “Now, we don’t have to conduct an audit that involves examining [the entire network] device by device, log by log and configuration by configuration. We get one report that we can look at to see if there are any areas of security we need to examine more closely.”
NetMRI will detect issues with an interface or hardware unit and issue an immediate report. With such information in hand, the university was able to pass its PCI audit in 2007 and has remained in compliance since.
PCI compliance involves a number of stringent IT infrastructure and security policy requirements for all businesses that store, handle, access and transfer cardholder data. Among the greatest challenges to compliance is monitoring and managing specific network requirements, involving security firewalls, access and change controls, system updates and configuration changes, testing procedures and security policies. Although PCI is not a legal requirement, the card associations require compliance and can levy fines of up to $500,000 on retailers and service providers that fail to comply.
Automatic updates
PCI standards are constantly evolving, and NetMRI is able to adapt and keep up with the latest requirements and changes, Chambers says. Additionally, as new POS terminals are added, the system automatically incorporates them in the audit trail and addresses their security status.
The university’s situation is typical of what Netcordia has found at large retail chains, says Eric Gilbreath, network analysis product manager for the Annapolis, Md.-based company. Like many retailers, the university found trying to keep track of a large number of payment-related devices was a “full-time job.” “They had a host of challenges with looking to authenticate the application of standards across a broad network that included multiple devices,” he says.
Even retailers that believe their challenges won’t be as difficult because they do not have multiple hardware systems may find that that is not the case. “We’ve talked to some retailers that say, ‘We’re an all-Cisco environment so it should be simpler,’” Gilbreath says. “But then we find out they’re not all Cisco after all. They might have all Cisco routers, for example, but at the end point, there may be several different vendors providing wireless systems that have to be accounted for.”
And there are a lot of operations “that assume that because they are not a retail store, they don’t have to comply with PCI,” he says. “But that is just not true.”
Out-of-the-box program
In addition to the potential for being fined for being out of compliance with PCI, businesses face other challenges if their payment networks are not fully secure, Gilbreath says. Security breaches or mishandling of payment information can result in litigation or damage to a retailer’s reputation, and there can be downtime or lost revenue as the result of a need to remedy potential security problems.
NetMRI is an out-of-the-box program that can be modified to fit specific applications. “Within 45 minutes of installing this system, a retailer can have it up and running smoothly and then begin to modify the application to fit its needs,” he says. The solution plugs directly into a network and operates in a non-intrusive manner. It produces browser-based reports that are automatically generated as issues arise.
Among the compliance issues that NetMRI addresses are ensuring that vendor-supplied defaults are not used as system passwords or other security parameters (this involves changing vendor passwords and disabling all unnecessary protocols) and removing inactive users from the network and routinely changing user passwords.
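As an added illustration of the checks just listed (this is example code, not NetMRI's code or output), the following Python audits a constructed device inventory for vendor-default credentials, unnecessary services, inactive accounts and stale passwords. The vendor-default list, the device records, the hash scheme and the 90-day windows are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed factory credentials per device type; a real audit tool ships a far
# larger list. The inventory stores SHA-256 digests rather than plaintext.
VENDOR_DEFAULTS = {
    "acme-pos":    [("admin", "admin"), ("service", "changeme")],
    "acme-router": [("cisco", "cisco"), ("admin", "password")],
}
REQUIRED_SERVICES = {"ssh", "https"}   # anything else counts as unnecessary
MAX_AGE_DAYS = 90                      # inactivity / rotation window (PCI DSS v3.2.1 8.1.4, 8.2.4)

def _digest(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

DEFAULT_DIGESTS = {kind: {(u, _digest(p)) for u, p in creds}
                   for kind, creds in VENDOR_DEFAULTS.items()}

def audit_device(dev, today):
    """Return (host, finding) tuples for one inventory record; empty list means clean."""
    findings, host = [], dev["host"]
    for user in dev["users"]:
        if (user["name"], user["pw_sha256"]) in DEFAULT_DIGESTS.get(dev["kind"], set()):
            findings.append((host, f"vendor default credential in use: {user['name']}"))
        if (today - user["last_login"]).days > MAX_AGE_DAYS:
            findings.append((host, f"inactive account: {user['name']}"))
        if (today - user["pw_changed"]).days > MAX_AGE_DAYS:
            findings.append((host, f"password older than {MAX_AGE_DAYS} days: {user['name']}"))
    for svc in sorted(set(dev["services"]) - REQUIRED_SERVICES):
        findings.append((host, f"unnecessary service enabled: {svc}"))
    return findings

def audit_network(inventory, today):
    """One consolidated report across every device, in inventory order."""
    return [f for dev in inventory for f in audit_device(dev, today)]

# Constructed sample inventory: one POS terminal still on factory settings, one router
# with a hardened login whose operator account has gone quiet.
TODAY = date(2008, 6, 1)
SAMPLE_INVENTORY = [
    {"host": "bookstore-pos-1", "kind": "acme-pos", "services": ["ssh", "telnet"],
     "users": [{"name": "admin", "pw_sha256": _digest("admin"),
                "last_login": TODAY - timedelta(days=2), "pw_changed": TODAY - timedelta(days=200)}]},
    {"host": "ticketing-rtr", "kind": "acme-router", "services": ["ssh", "https"],
     "users": [{"name": "netops", "pw_sha256": _digest("long-unique-passphrase!"),
                "last_login": TODAY - timedelta(days=120), "pw_changed": TODAY - timedelta(days=30)}]},
]

if __name__ == "__main__":
    for host, finding in audit_network(SAMPLE_INVENTORY, TODAY):
        print(f"{host}: {finding}")
```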
In addition to performing audits and issuing alerts, NetMRI also can remediate problems. “If this finds something that does not meet the PCI guidelines, it can fix the problem for you,” Gilbreath says.