The "Business as Usual" compliance expectations of PCI DSS 3.0 are even more complicated than those of previous iterations of the framework for protecting payment card data. But don't be afraid to take the leap now; compliance will only become more difficult as the bar for data security keeps rising.


It all boils down to perspective. Compliance isn’t meant to be achieved in a single shot to pass an audit. Compliance must be an ongoing state. Sure, automating security controls to achieve continuous compliance will be hard, but it won’t be complicated – actually, it will be a lot easier – with the help of an expert such as Ipswitch.

PCI realized it had to keep tightening its requirements to provide better protection for consumer data. That's why 3.0 mandated a shift to Business as Usual, forcing you to adopt continuous compliance; the focus on repetition and consistency aims to usher in a shift in corporate culture. Put simply, if your organization doesn't adopt the practice of continuous compliance – 24 hours a day, 7 days a week, 365 days a year – it is bound to fail.

As the Security Architect for Ipswitch, I defined our security and compliance policies, standards and procedures because we had to achieve PCI certification for our cloud offering.

To navigate Business as Usual, you as a security architect have to partner throughout your organization. If you want to be compliant, you have to create goals, standards and procedures that demonstrate that your tools map to the PCI DSS 3.0 requirements.

You are chartered to build and maintain a secure network, protect cardholder data, run a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. That may seem like a tall order, but we're here to help you do it.

It’s important to get executive buy-in to implement PCI strategies that are aligned with documented policies and standards. You’ll have to work with IT to ensure that automated procedures are in place that minimize their time and effort in monitoring and enforcing those standards. And, often last but certainly not least, work with everyone as the resource responsible for guiding the overall audit process to success.

Implementing BAU has the potential to complicate your ability to measure compliance with your organization’s PCI policies. Understanding, and staying in front of, the seemingly constant refinements from PCI will help you choose the right technologies that will support the shift to “Business As Usual”.


These new expectations come as auditors are becoming more rigorous, testing whether your security procedures are ingrained in day-to-day processes across the organization instead of being an annual effort just to pass an audit. They want to see whether your organization has a security-aware culture. With these challenges, it shouldn't be a surprise that only 20 percent of organizations were fully compliant on their Initial Report on Compliance, according to a Verizon study of 3,000 PCI DSS assessments over a three-year span ending in 2014.

Those compliant organizations understand that Business as Usual will simplify – not complicate – PCI compliance and the audit process. They know the key to simplification is that automated security controls provide continuous compliance. Automated controls reduce the time and effort spent on PCI procedures and turn compliance from a "one and done" attempt into an everyday occurrence, an ongoing state.

>> Learn more about simplifying PCI DSS 3.0 policies, standards and procedures via a webinar I recently participated in. It’s called The Impact of Business as Usual and hopefully the replay gets you started toward continuous compliance.

>> And be sure to engage with us next month during the Ipswitch Innovate 2015 User Summit, a two-day (October 21-22) online only event for IT professionals to learn from each other, and our product experts.



The Ziff Davis survey on Managed File Transfer did a nice job of highlighting the aspects of currently deployed file transfer methods that people think need the most improvement.

Checking in at #1 and #2 on the “improvements needed to my existing file transfer methods” list are SPEED and SECURITY.  This only fuels the age-old debate of productivity versus security… But that’s a topic for another day!  Needless to say, it’s not surprising that about half of survey respondents say that they need faster file transfers and roughly the same amount say they require stronger security.

Other items on the “improvements” wish list include:  reliability, capacity, scalability, central management, workflow integration, IT infrastructure integration and compliance.

It’s validating to see in the graphic that areas where MFT solutions excel today closely map to those aspects of existing file transfer methods that people say require the most improvement — Reliability, speed, security, up-time and capacity round out the top five.  Efficiency is a common theme with all these items, driven largely by time-sensitive business-critical processes and even SLAs depending on fast and highly available file transfer processes and workflows.

The last point I want to make about the “needs improvement” survey results is that no solution (MFT or other) will magically make a company compliant.  There is no holy grail to achieving regulatory, regional, industry or corporate compliance.  Rather, compliance is the end result of a strategically implemented, documented and monitored initiative that encompasses the entire arsenal of company-sanctioned policies, tools, and of course processes and employee actions.

Coming soon:  I’ve got a few more musings about the survey that focus on deployment challenges as well as the business benefits of MFT.


I just returned from the PCI Security Standards Council Community Meeting.  It was great to spend a couple of days talking tech and trends with other security experts.

The hottest trend this year in the payment security industry is "tokenization".   This technology lifts credit card numbers out of data sets and replaces them with unique one-way tokens (e.g., "234cew23"), where "one-way" means the card number cannot be recovered from the token itself.  The original credit card numbers are stored in a "secure token vault" and may only be retrieved by authorized people and processes who present another set of credentials (preferably two-factor credentials).

The reason businesses find tokenization compelling is that PCI requirements state that data sets containing credit card numbers must be treated with more care than data sets without them (e.g., just your name, expiration date, etc.).  The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls.  All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can enjoy cost savings by not having to implement (or audit) those other security controls.
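To make the mechanics concrete, here is an added example (mine, not Ipswitch product code and not anything the Council has published) of the scheme just described: a record is scanned for card numbers, each is swapped for a random 128-bit token, the real number goes into a vault, and the vault gives it back only to a caller who presents a password plus a one-time code, writing an audit entry either way. Tokens are random rather than hashes of the card number, because the space of valid card numbers is small enough to enumerate, so a plain hash would be reversible; the vault's own lookup index is an HMAC under a vault-only key for the same reason. The principal name, password, OTP seed and sample record are all constructed for the example.

```python
"""Added example: tokenize card numbers with random tokens kept in a vault that releases
them only to two-factor-authenticated callers. Names, secrets and records are constructed."""
import hashlib
import hmac
import re
import secrets
import struct

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check so order IDs that merely look like card numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; models the second factor a detokenizing caller presents."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVault:
    """Token <-> PAN store. Tokens are random, not derived from the PAN, so a token
    leaked from a downstream system cannot be reversed without this vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_index = {}  # keyed index so repeat tokenization reuses one token per PAN
        self._index_key = secrets.token_bytes(32)
        self._principals = {}
        self.audit = []  # (principal, token, outcome): the trail an assessor asks to see

    def add_principal(self, name: str, password: str) -> bytes:
        """Provision a caller; returns the OTP seed for their second-factor device."""
        salt, otp_secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self._principals[name] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "otp_secret": otp_secret,
            "otp_counter": 0,
        }
        return otp_secret

    def _index(self, pan: str) -> str:
        # HMAC under a vault-only key: unlike a plain hash, not brute-forceable offline.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = secrets.token_hex(8)  # 128 random bits, nothing of the PAN in it
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, principal: str, password: str, otp: str) -> str:
        """Release a PAN only when both factors check out; every attempt is audited."""
        p = self._principals.get(principal)
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), p["salt"] if p else b"", 100_000)
        if p is None or not hmac.compare_digest(pw, p["pw_hash"]):
            self.audit.append((principal, token, "DENIED"))
            raise PermissionError("bad principal or password")
        # Accept a small look-ahead window of counters, then burn the code so it is one-time.
        for c in range(p["otp_counter"], p["otp_counter"] + 5):
            if hmac.compare_digest(hotp(p["otp_secret"], c), otp):
                p["otp_counter"] = c + 1
                break
        else:
            self.audit.append((principal, token, "DENIED"))
            raise PermissionError("second factor failed")
        pan = self._pan_by_token[token]  # KeyError for a token this vault never issued
        self.audit.append((principal, token, "RELEASED"))
        return pan


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Copy of `record` with every Luhn-valid 13-19 digit field replaced by a token;
    name, expiry and amount stay in the clear, which is the whole point."""
    out = {}
    for key, value in record.items():
        digits = value.replace(" ", "").replace("-", "") if isinstance(value, str) else ""
        out[key] = vault.tokenize(digits) if PAN_RE.match(digits) and luhn_ok(digits) else value
    return out
```

Usage is `tokenize_record(vault, order)` on the way into your data stores and `vault.detokenize(token, principal, password, hotp(seed, counter))` only in the few processes that genuinely need the number back; the Luhn filter keeps order numbers that happen to be 13 to 19 digits long out of the vault, and the audit list is what you would hand an assessor to show who pulled which number and when.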

Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology.  However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely.  So far the working group has only provided a definition of the technology (essentially, the one I provided above).   However, a draft recommendation from the Council with specifics is expected around the new year.

Tonight I’m blogging from the PCI Council Community Meeting here in Orlando, FL.  Tomorrow we’ll be talking about the new changes in version 2.0 of the PCI DSS audit requirements (set to go into effect in 2011), but tonight was the welcome reception for the 1000 attendees here at the Buena Vista Palace Hotel.

Participation in the PCI Council Community Meeting conference is on the rise.  Two years ago there were about 500 attendees from 300 participating organizations – now the numbers have roughly doubled.  There are probably two major factors behind this.

One factor is the de facto status of PCI DSS as one of the gold standards of information security.  When five competing credit card companies came together in 2004 to publicly agree on a single security standard there was much rejoicing throughout the industry.  And the standard has held up: though major releases have come every two years, the original twelve categories and most of the subcategories remain essentially unchanged from the original.

The second factor is the ever-widening circle of companies that fall under the scope of PCI compliance.  Originally it was large credit card processors and retailers, but in recent years even companies that only handle a few dozen credit card transactions a year have had to take notice.  And as the scope widens, there are more people who want their voices to be heard in the decision-making process, which is where this week’s conference comes in.

I'll be posting a few more items about this conference in the next few days – please stay tuned.

Ipswitch’s Jonathan Lampe will be attending this week’s PCI Security Standards Council Community Meeting in Orlando, FL.  He’ll be blogging from the event to keep us updated on discussions about the new PCI DSS 2.0 and other key Council initiatives.

As part of their ongoing mission, The PCI Security Standards Council enhances and evolves the PCI Data Security Standards as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.  We anticipate some very interesting forum conversations to review and discuss how the PCI DSS should evolve with this next release.

In the meantime, thought you’d want to watch this great video from the PCI Security Standards Council website.  BTW, the bearded singer is Bob Russo, the PCI Council’s General Manager.  Great job with the video Bob!

Here's a nice write-up of one of our newest customers, Salary.com.

Every once in a while we like to showcase an exciting new customer and share some of the reasons why they chose to deploy an Ipswitch File Transfer solution to solve their business problems.

Quick background on the business need:

Salary.com exchanges data with thousands of customers and partners daily worldwide.

They sought a flexible, highly available solution that could simplify business operations and meet compliance regulations including SOX, PCI DSS, HIPAA and other state laws around employee privacy.

Security & compliance requirements were driving factors:

“It’s an imperative that our file transfer services maintain our rigorous requirements for keeping our clients’ critical business data secure,” said John Desharnais, managing director of technical operations at Salary.com.

And here’s some insight into their purchase decision:

“Salary.com reviewed several solutions, but selected Ipswitch’s MOVEit suite because of its comprehensive approach to managed file transfer, ability to provide an end-to-end audit trail and granular controls that monitor how files are moved, accessed, and used.”

“Ipswitch’s MOVEit solution is easy to use and ensures that we have complete visibility into all file transfer activity on our network.”

Salary.com, welcome to the Ipswitch family and we look forward to a loooong relationship together.  As your business needs continue to grow and evolve, Ipswitch will be a trusted partner that will continue to bring innovative solutions to market.

GT News, an association for financial professionals, just posted an article on managed file transfer titled "Data: Transferring the Burden Under PCI DSS", written by Jonathan Lampe, VP of Product Management at Ipswitch.

“When evaluating for data security technology, a company should look at four categories: confidentiality, integrity, availability, and auditing. These headlines are designed to assist in assessing whether a data technology or process is likely to provide one-time compliance for the purposes of PCI DSS.”

This article is a very informative read for people living with (or coping with) PCI DSS compliance and looking for a detailed application of MFT solutions to the 12 PCI DSS requirements.  It's also a good read for people who simply want to know more about MFT and want to learn about Jonathan's framework for evaluating data security technologies.