For merchants still working their way toward Payment Card Industry Data Security Standard (PCI DSS) compliance, San Francisco-based nCircle Inc. is launching an auditing and file monitoring tool aimed at securing point of sale retail systems.
The company said configuration change management is crucial for organizations that need to monitor the integrity of their critical files as per PCI security requirements. The new monitoring packages will be part of its Configuration Compliance Manager (CCM).
“When you look at all the PCI requirements, many of them are done manually,” Mark Wood, vice-president of product management at nCircle, said. “File integrity monitoring is something that retail shops need to consider when looking at PCI compliance.”
Under PCI DSS, all companies that accept credit cards must comply with 12 security requirements, which include maintaining a secure network via firewall, encryption of cardholder data, and strong access control measures. The standard was developed by the major credit card companies in order to standardize credit card data protection.
With CCM, nCircle hopes to address many of the processes outlined in the PCI security rules, but according to one Gartner Inc. analyst, the tool is most applicable to PCI’s file integrity monitoring rules.
“Section 11 requires file monitoring that looks for changes on any of the systems that touch cardholder data,” Avivah Litan, vice-president and research director at the Stamford, Conn.-based research firm. She said merchants need to actually go beyond the PCI requirements on file integrity monitoring and audit continuously rather than just once a week.
“It’s really much better to be monitoring for changes continuously because an attacker can get in on a Monday, right after you run your configuration change management report, and conduct seven days of criminal activity before you even realize it,” she added.
Litan cited the widely publicized Hannaford Bros Cos supermarket data breach earlier this year – where malware was loaded onto the company’s servers resulting in the loss of several millions credit and debit card numbers. The attack was successful, she said, despite the fact that the Scarborough, Me.-based supermarket chain was fully compliant with PCI security requirements.
“This is just a theory, but had they been running configuration change managements on a continuous basis, they would have seen the attack when the malware was placed onto their payment server,” she said. “So it’s like a back-up safeguard measure. If all else fails, look for files that have been put onto the system that don’t belong there,”
Wood agreed, saying that most of nCircle’s existing customers have configured the tool to monitor their systems on a daily basis. But he added the product can actually monitor files every five to 10 minutes.
A secondary concern the tool can address, according to Litan, is the assessor reporting requirements that are placed on merchants.
“There has been a tremendous amount of complaints among the merchant community about the changing interpretations among PCI assessors on what is required to comply with the standard,” she said. “They may come in January and tell the retailer that they have to follow ten steps and then come back six months later and say that more steps are required and more servers fall under the PCI scope.”
Litan said using a configuration change management tool will help document every single change made on a system and satisfy the constantly changing assessor demands for PCI compliance reports. “Compliance is an ongoing process and you could be compliant one day and fall out the next, like we saw with the Hannaford breach,” she added.
According to nCircle, the biggest differentiator with its change management tool over competing products is the fact that it’s an agentless solution. He said both Tripwire and Solidcore require that the merchant puts an agent on the system and there are many point of sale systems that can handle.
“Plus, many merchants don’t want to rollout 10,000 of these things,” he added. “We don’t require that you put any software on the target system. We can reach out across the network, use credential access log-in, and do the appropriate calculations on the system itself without installing any software.”
James Quin, senior research analyst at London, Ont.’s Info-Tech Research Group, agreed that the product should be considered by merchants looking for PCI compliance, but argued that an agentless solution was the most effective way to go.
“Agentless solutions tend to rely on information flowing through some kind of choke point,” he said. “The information has to be read and captured at some point, so agentless solutions tend to operate a little bit slower than agent-based ones.”