I have been to several PCI Council community meetings now, and I am still amazed at some of the questions that are asked in the general sessions. Clearly more clarifications are needed to the PCI DSS guidelines, because a lot of folks still don't understand which requirements apply in certain situations and what controls will satisfy the intent. I suppose that is what happens when you roll out a standard that encompasses such broad reach.
As an example of misapplying guidance, one retail organization said they are planning to implement Air Force-level standards for their network security. Unless this retailer is planning to launch missiles, this is a good example of why it doesn't make sense to apply the same control levels to every business. A retailer's environment is very different from that of the Air Force, and they have different processes and risks.
The same logic applies to PCI. The PCI Council created a standard that applies to many different business situations with unique business processes and environments. The standard is meant to apply to everyone, but not everyone understands what applies – and what does not – to their specific business needs.
This illustrates why it is important for a Qualified Security Assessor (QSA) to have broad experience in various industries and have a good understanding of the whole business that is being evaluated to properly assess the environment. Even though PCI is a minimum standards model, it is still important to take a risk-based approach when applying it to your business. Each individual requirement – and there are more than 200 of them – should demand a mini risk assessment. The focus should be on what the requirement is trying to prevent and how to mitigate that risk. For this to happen, a QSA needs a strong technical background and a good understanding of the intent behind the requirements.
Now on to what I learned at the community meetings. The first topic was one that some merchants may have dealt with previously, but I had not run across it until the community meetings: a website that contains a link to a payment processor is not automatically out of scope. The link should be examined more closely to see if there is more going on there. Does the link create a cookie that is passed to the payment site? Does the payment site pass back a confirmation? How connected are the two websites? There may be opportunity to abuse business logic, perform session tampering, or manipulate functionality, so it should not be assumed that the forwarding website is automatically out of scope.
The next topic had to do with File Integrity Monitoring (FIM). Implementing FIM has long been a thorn in the side of merchants and service providers. Some options are expensive, and it is not the easiest piece of technology to configure. The intent of FIM is to detect changes to critical files. This is a 'last ditch' effort to detect improper file behavior when all else has failed. In the security industry, we always want to prevent what we can and detect everything else, so if you can prevent changes to your critical files outright, isn't that better? Preventing these changes should be the role of the Operating System (OS), and Microsoft added this functionality with Windows 2000 and XP. Windows File Protection (WFP) covers all files that the operating system installs (such as DLL, EXE, SYS, OCX, etc.), protecting them from deletion or from replacement by other versions.
The key to using this as a compensating control would be to ensure that this feature is active, that it is logging, and that its events are included in your daily log review. That review should include Event ID 64001, which WFP logs when a replacement of a protected file is attempted. For newer operating systems that do not have WFP, consider host-based IPS and host-based firewalls.
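As an added example (not code from the original post), here is a small Python filter for that daily log review: it reads System event-log records exported to CSV (the column names are an assumption), keeps only Windows File Protection Event ID 64001 records, and lists the protected files they report replacement attempts against. The sample export is constructed, not a real log.

```python
"""Daily log review filter for Windows File Protection (WFP) events.

Assumes the System log was exported to CSV with the columns
TimeGenerated, EventID, Source, Message (an assumption about the export
format, not a fixed Windows format).
"""
import csv
import io
import re
from collections import Counter

WFP_SOURCE = "Windows File Protection"
WFP_REPLACEMENT_ATTEMPT = 64001  # Event ID named in the post

# Constructed sample export for demonstration; not a real log.
SAMPLE_EXPORT = """TimeGenerated,EventID,Source,Message
2010-09-20 08:12:44,7036,Service Control Manager,The Print Spooler service entered the running state.
2010-09-20 09:03:10,64001,Windows File Protection,"File replacement was attempted on the protected system file c:\\windows\\system32\\kernel32.dll. This file was restored to the original version to maintain system stability."
2010-09-20 09:03:11,64001,Windows File Protection,"File replacement was attempted on the protected system file c:\\windows\\system32\\ntdll.dll. This file was restored to the original version to maintain system stability."
2010-09-20 10:15:02,4624,Security,An account was successfully logged on.
"""

# Pulls the file path out of the WFP message; tolerates a trailing period.
_FILE_RE = re.compile(r"protected system file (?P<path>\S+?)\.?(?=\s|$)", re.IGNORECASE)


def parse_export(text):
    """Yield (timestamp, event_id, source, message) tuples from a CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["TimeGenerated"], int(row["EventID"]), row["Source"], row["Message"]


def wfp_replacement_attempts(text):
    """Return [(timestamp, protected_file)] for every WFP 64001 record."""
    hits = []
    for ts, event_id, source, message in parse_export(text):
        if source != WFP_SOURCE or event_id != WFP_REPLACEMENT_ATTEMPT:
            continue  # unrelated noise; not part of the WFP review
        match = _FILE_RE.search(message)
        hits.append((ts, match.group("path").lower() if match else message))
    return hits


def review_summary(text):
    """Count replacement attempts per protected file; repeat hits on one file
    are the records worth escalating from the daily review."""
    return Counter(path for _, path in wfp_replacement_attempts(text))


if __name__ == "__main__":
    for ts, path in wfp_replacement_attempts(SAMPLE_EXPORT):
        print(f"{ts}  WFP replacement attempt on {path}")
```

A day with no 64001 records is not evidence that WFP is working; confirm the feature is active on each host rather than inferring it from a quiet log.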
These days, endpoint protection is generally consolidated into a single software solution that includes antivirus, HIPS, anti-spyware and host-based firewall protection. If you already have a network-based intrusion prevention system (IPS) and firewall, a host-based IPS and firewall is above and beyond the other requirements and can satisfy compensating control requirements. This can be a much simpler solution than dealing with FIM requirements. Keep in mind that security, and consequently compliance, is a matter of configuration and process, not a tool.