From TJX to Heartland Payment Systems to the latest major ID theft scams, there is no shortage of calls to strengthen the security of organizations holding personally identifiable information (PII), including credit cardholder data (CHD).
The new Nevada data protection law will require organizations to use encryption when data storage devices are moved beyond the physical or logical controls of the business. It mandates that as of January, entities must comply with all Payment Card Industry Data Security Standard (PCI DSS) controls, not just encryption.
But with so much emphasis on PCI DSS -- Heartland, for instance, was "compliant" with PCI before its data breach -- how do companies work with PCI DSS to be secure at the same time? Should other security standards, such as the ISO 27000 series, be used?
The prioritized approach for PCI DSS 1.2 is one that allows entities to focus on "milestones," which intend to put a priority order according to which security controls must be addressed. The PCI Security Standards Council states that such control identifies the highest-risk targets and enables merchants to demonstrate progress on compliance to key stakeholders. Milestones are as follows:
- Remove sensitive authentication data and limit data retention.
- Protect the perimeter, internal and wireless networks.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
In the context of protecting CHD, the first out of nine listed controls in the first milestone is a requirement for a current diagram covering all connections to CHD, including wireless networks. As a security professional helping organizations prepare for assessments such as those carried out by Qualified Security Assessors (QSA), I always recommend a current ecosystem diagram showing all the stakeholders with access to corporate data (any type of PII including CHD), and network and dataflow diagrams. This demonstrates that the organization knows what data it handles, how it handles it and how data flows. Having those diagrams in place tends to confirm to QSAs that the entity is in control of CHD security.
Nonetheless, while requirement 12.1.1 states that entities must "establish, publish and maintain a security policy that addresses all requirements of PCI DSS," all other requirements of high-level requirement 12 are in milestone six, which could be seen as not being in line with security best practices. This might send confusing messages to the untrained security administrator because best practice security advice and QSA feedback require all PCI DSS policies and procedures to be in place from the outset. All best practice security frameworks start with security policies and then suggest technical controls and operating procedures to support and implement the policies.
ISO 27000 and risk-based approach
One of the standards that has been "compared" with PCI DSS is the ISO 27000 series, focusing on the information security management system of ISO 27001 and the controls suggested in ISO 27002.
The ISO 27000 series can help address the ongoing management of PCI DSS compliance. This is the end game -- to achieve and continually maintain compliance with security standards.
The scope of ISO security standards is wider than that of PCI DSS. For instance, PCI DSS entities are limited to organizations transmitting, processing and storing CHD, whereas the ISO 27000 series could apply to any organization that wants to implement a security framework to protect personal or business-sensitive data -- for instance, PII in the U.S. or subject data in the European Union.
By using ISO 27001 and ISO 27002, organizations can implement a security policy and maintain an asset registrar and an ongoing management process. ISO 2700x also covers personnel security, the organization of information security, human resources security, physical and environmental security, communications and operations management, access control, systems development and maintenance, security incident management, business continuity management and compliance with applicable legal and industry security standards.
ISO requires a risk-based approach with a risk assessment and treatment plan (ISO 27001 4.1). With PCI DSS, the risks are somewhat easier to predict as the payments industry has indeed documented the risks around processing, transmitting and storing payments transaction and associated data. While each organization has its own infrastructure and associated security challenges, risks are fairly easy to categorize, and controls required by PCI DSS tend to allow treatment of such risks. If not, organizations can use compensating controls that need to be at least as strong as the intent of the original control. This notion is not present in ISO 27001 because it is more flexible in terms of scope, controls, compliance and enforcement.
Vendors including Symantec Corp. and Siemens Insight Consulting have tried to map PCI DSS to ISO 27001/2 and vice versa. At a basic level, security standards require policies and procedures, technical solutions and specific settings and user awareness training. ISO 27001 has a 15-part structure and is the actual framework, including policies, procedures, work instructions and records documents. ISO 27002 covers the actual security controls to follow. PCI DSS has a 12-requirement structure including, policies, procedures and controls. It does not really provide security documentation formatting guidance.
Both standards put strong emphasis on physical security controls (Requirement 9 in PCI DSS; 9.1/9.2 in ISO) and access control (physical and logical), as well as ongoing monitoring of security systems and logs (Requirement 11 in PCI DSS; 13.1/13.2 in ISO). They also both provide for a vulnerability management program (Requirement 6 in PCI DSS; 12.5/12.6 in ISO).
However, it is worth noting that the areas of business continuity and disaster recovery, third-party security management and security incident management are probably better covered in ISO 27001. In contrast, PCI DSS probably provides clearer guidance on encryption and human resources security aspects, with controls 12.6 and 12.7 requesting that all in-scope employees be trained at least annually and that security checks be conducted for staff members with access to CHD.
PCI DSS was accurately described by PCI Security Standards Council director Bob Russo during testimony before a House committee as a set of minimum security requirements. "Organizations must not take solely a checklist approach to security, or rely on periodic validation on a specific day as their security goal," he said. The ISO 27000 series can help address the ongoing management of PCI DSS compliance. This is the endgame -- to achieve and continually maintain compliance with security standards.
Mathieu Gorge is CEO of VigiTrust Ltd. Let us know what you think about the story; email: firstname.lastname@example.org.
This was first published in September 2009