Choosing and Successfully Deploying the Right Security Solution
With the advent of the Payment Card Industry Data Security Standard (PCI DSS), protecting stored credit card numbers is no longer optional. Any company that stores, processes, or transmits credit card information—regardless of size or volume of transactions—must secure stored credit card data or face serious consequences for non-compliance, including fines, higher transaction fees, the loss of brand integrity, and erosion of market value.
But while the PCI standard offers broad guidance, with rules on the proper use of firewalls, web application firewalls, computer access controls, antivirus software, and more, its encryption requirements are proving to be among the most difficult for organizations to address. To complicate the situation further, the compensating controls defined in PCI DSS 1.1 do not fully address the growing threat from data-level attacks.
This article will review different approaches to protect credit card data that can be combined to significantly strengthen an organization’s security posture, while minimizing the cost and effort of PCI compliance.
Evolving Data Threats
A growing number of applications perform electronic commerce, selling products, information or services in an Internet-based environment. Another category of applications that also attracts hackers' attention are those that deliver services on behalf of financial firms, such as rewards redemption, report delivery for banks, and information exchanges between merchants and banks. Unlike traditional static Internet applications, many of these applications store and process information that is strictly regulated (e.g. GLB-A, SEC), and most must satisfy SOX compliance requirements.
Typically, these applications compile databases containing hundreds, thousands, or even millions of credit card accounts and records of personally identifiable information. For hackers, these databases represent an excellent opportunity for theft and fraud.
One major database attack vector is the application layer. Back in the 90s, system configuration, buffer overflow, and other platform-level flaws were all the rage, but these have become increasingly easy to manage. Economies of scale have given ubiquity and commodity status to packet-filtering firewalls, multi-platform patch management systems, vulnerability scanners, and intrusion prevention systems. But any security system is only as strong as its weakest link, so that is what attackers look for: up to the application and even the client level, and down to the system internals and driver level. At the top level you have the world of web application attacks, where web applications are used as proxies to attack the underlying databases.
Custom web application security is different from platform security. There are no vendor advisories or patches; the burden of patching code is on the company that created the application. The attackers out there are very determined: the sophistication of the botnets and worms constantly attacking the Internet demonstrates that organized crime is hiring very talented people to attack systems, and fortunes are being made from this kind of theft. Criminals are not above extortion and blackmail of highly placed insider employees, who might have access to the very routines and data you are trying to protect. All in all, it is the stuff of system administrators' nightmares.