The Green Sheet, page 67
Education
more on confronting the issues raised by Requirement 7 and doing the right thing, rather than on attempting to avoid the issue. With two main aspects to Requirement 7, there are two main sets of actions called for:

1. The right policy and process framework

Merchants must have a formal security policy that explicitly lays out a statement of least privilege. It need not contain fancy language or be complicated (simple and obvious is better). Something along the lines of:

"Access to cardholder information, and access to devices that touch cardholder information (such as POS devices), is restricted to employees who have been formally granted access permission and who need that particular access to do their jobs. Unauthorized or improper access to cardholder data and systems is punishable by management actions up to and including immediate termination."
The merchant also needs formal processes to grant access permissions, but they don't need to be elaborate. A small organization might establish a written rule, such as, "You don't have access privileges unless your name is on the following list maintained by the manager."

That rule can then be combined with a set of rules for the manager, such as, "Only add names to this list if the person needs the access to do his or her job and seems trustworthy after a reasonable background check. Keep the list up to date; remove names of those no longer authorized as soon as possible."

2. The right technology to execute this access control policy

Merchants need an automated access control system, which is typically much simpler than it sounds. The biggest area of concern here is controlling access to computers. All modern computers already have built-in systems for user accounts and privilege controls; they do the job provided each employee on the manager's list logs in with an individual account rather than a shared one, so that access can be granted and revoked per person.

In addition, all modern payment applications and POS software must have these sorts of access controls built in, and they should be fairly easy to set up and use. If merchants' payment applications or POS software do not have these sorts of controls built in, they should upgrade their systems as an urgent priority.

What you need to do for your merchants

Again, merchants don't particularly need rescuing from technical nightmares to comply with this part of the PCI DSS, so it should not be a significant pain point in PCI conversations.

Merchants might need assistance in liaising with vendors of payment applications, POS terminals and other PCI devices. They might also require some general advice on security and access control. ISOs can do this themselves, if they choose, but for many, it is simpler and better to partner with a security specialist as part of a broader PCI program that also deals with the other, messier, parts of the PCI DSS.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599-3454.
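As an added worked example (editor's illustration, not code from the article or from Panoptic Security), the following Python script shows how the two halves of Requirement 7 described above can be enforced with nothing more than the operating system's built-in controls: the manager's authorized-user list is reconciled against membership of the operating-system group that grants access to cardholder data, and the permissions on the cardholder-data directory are checked so that nobody outside that group can read it. The group name `cardholder`, the sample `/etc/group` text, the authorized-list text and the user names are all constructed for the example and assume a small Linux or Unix POS back office.

```python
"""Least-privilege reconciliation for a cardholder-data group and directory.

Added example, not from the original article. It assumes a small Linux/Unix
POS back office where access to cardholder data is granted by membership in
a local group (called `cardholder` here, a hypothetical name) and the
manager's authorized-user list is a plain text file. The group-file and list
contents below are constructed samples so the script runs offline.
"""
import os
import stat
import tempfile

# Constructed sample of /etc/group lines (not real accounts).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
cardholder:x:1005:alice,bob,mallory
"""

# Constructed manager's list: one authorized login per line, '#' starts a comment.
SAMPLE_AUTHORIZED_LIST = """\
# Authorized for cardholder data access - maintained by the store manager
alice   # store manager
bob     # shift lead
carol   # bookkeeper, account not yet created
"""


def parse_group_members(group_text, group_name):
    """Return the set of logins listed as members of `group_name`.

    Each /etc/group line is name:password:gid:member1,member2,...
    """
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group_name:
            return {m for m in fields[3].split(",") if m}
    return set()


def parse_authorized_list(list_text):
    """Return the set of logins on the manager's list, ignoring comments and blanks."""
    logins = set()
    for line in list_text.splitlines():
        login = line.split("#", 1)[0].strip()
        if login:
            logins.add(login)
    return logins


def reconcile(authorized, actual):
    """Compare the policy (authorized list) with reality (group membership).

    `unauthorized` members violate the policy and must be removed at once;
    `not_provisioned` entries are authorized people with no access yet, which
    is not a violation but shows the list and the system have drifted apart.
    """
    return {
        "unauthorized": sorted(actual - authorized),
        "not_provisioned": sorted(authorized - actual),
    }


def permission_findings(mode):
    """Flag mode bits that let users outside the owning group at the directory."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IXOTH:
        findings.append("world-traversable")
    return findings


def audit_directory(path):
    """Return permission findings for a cardholder-data directory on disk."""
    return permission_findings(os.stat(path).st_mode)


def demo_directory_audit():
    """Create a scratch directory, show a bad mode being caught, then fixed."""
    path = tempfile.mkdtemp(prefix="cardholder_")
    try:
        os.chmod(path, 0o777)  # the usual "just make it work" mistake
        before = audit_directory(path)
        os.chmod(path, 0o770)  # owner and the cardholder group only
        after = audit_directory(path)
    finally:
        os.rmdir(path)
    return before, after


if __name__ == "__main__":
    actual = parse_group_members(SAMPLE_GROUP_FILE, "cardholder")
    authorized = parse_authorized_list(SAMPLE_AUTHORIZED_LIST)
    print("membership check:", reconcile(authorized, actual))
    print("directory check (before, after):", demo_directory_audit())
```

Run it on a schedule or from the staff-change checklist, and treat every name under `unauthorized` as a breach of the policy statement above: the account comes out of the group the same day. On a real system the group text would come from `/etc/group` (or `getent group cardholder`) and the directory path from wherever the POS software keeps its data, and the same reconciliation applies to the user list inside the payment application itself.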