Adaptive Segmentation, micro-segmentation | April 13, 2016

3 Questions to Ask PCI Compliance Vendors

Jimmy Ray Purser

Time for another PCI audit, eh? It’s pass or fail. That’s it. The worst type of scoring possible. You can get everything right and then an auditor discovers that just one device—let’s say an HVAC system—is connected to a processor on the same flat VLAN, and now that is under audit, too. Many companies fail their audits for this very simple reason.


That’s why the PCI Security Council calls out segmentation on page 11 of the current PCI 3.1 guide: “Without adequate network segmentation (sometimes called a 'flat network') the entire network is in scope of the PCI DSS assessment.” 

Yowza, man! Stakes are high, too. Let’s say your PCI environment gets hacked. The costs add up. Imagine if you had 10,000 accounts:

  • Notifying clients: $30 x 10,000 = $300K
  • Fines and penalties: This could be anything, really. The issuing banks are fined, not the company, so the bank then turns around and passes the love back to you. You think ATM fees are crazy expensive? Let’s just toss in $50K here; it’s the average for a simple break-in.
  • Increased auditing: Oh yeah, the PCI folks bump you up to Level I status. Those auditors run about $25K, and you’ll need them for three years, so $75K!
  • Fraud liability: Let’s say out of 10K accounts, 500 of them spent $1,000, so that’s $500K.

Not even counting the reputation loss, that’s a grand total of $925K!

Historically speaking, data loss is normally an RGE (Résumé Generating Event). As technical folks, we all know that dollars and cents override skill. So what do we do when we have to be PCI compliant? Here are three good questions to start with when looking at PCI Compliance solutions:

  1. Exactly which PCI 3.1 test(s) can I ONLY pass using your solution?
  2. Which PCI tests will you help me pass with the aid of another solution?
  3. Which PCI tests do you validate?

Don’t let anyone off the hook. Every vendor should not only be able to tell you, BUT also have a third-party validation from a certified QSA. This report will help BIG TIME when working with your auditors. The language used in a vendor-neutral regulation is very generic so that it appears more open. Language from vendors has been run through the ACME Marketing Transmogrifier and is very different. A third-party report helps level the playing field when someone talks about decoupling this or that.

Finally, I’m all about visibility in today’s data center. I hate to see marketing slang like “you can’t secure it if ya don’t see it.” Really, Captain Obvious? If I told that little tag line to my CIO, he’d question why he didn’t see me as more of a goober than the trained security professional he thought he hired. Look, visibility comes down to point of view. Since RMON, I’ve been able to “see” the data. My viewpoint was the device out. Now, I need that viewpoint from the individual server’s point of view, so I know the relationship between it and all devices connecting to it. No matter if they are in the cloud or not, my view should look the same. Now I can effectively isolate PCI environments and truly limit scope and reduce my risk.

