Nettitude Blog

PCI Data Security: Is Yours Fit For The Scrap Yard?

Posted by Media marketing on Mar 9, 2016, 10:00:53 AM

 

Figure 1: GMG Payment Card

As a motor vehicle enthusiast, I frequently watch motoring based TV shows like Overhauled, Wheeler Dealers, Fast N Loud, etc. During a recent trilogy of Fast N Loud episodes, based around the topic of Motorcycle Mayhem, I was struck by some similarities to PCI data security.  What could Fast N Loud have to do with PCI DSS (other than their eCommerce and potentially Mail Order Telephone Orders (MOTO) and Face To Face (F2F) operations) I hear you cry!

These episodes demonstrated the need for applying specialist skilled personnel to their appropriate job roles. The team were challenged to create their own custom motorcycles. During the show, each of the team members (mechanics, paint specialists, fabricators, etc.) demonstrated the need for employing specialist skills to tackle specific tasks. For example, the fabricator delivered a well presented motorcycle for auction, yet the supporting mechanicals were not very good. This got me thinking about how the motor industry could relate to the world of PCI DSS.

Much like the modern motor car, PCI DSS has numerous parts which must work together to ensure that they continue to operate safely and efficiently, and require a human being to drive it safely in accordance with the appropriate legislation.

If we think of the cardholder data like the precious occupants of a car (e.g. children, pets, etc.); the owner being a company executive; the acquiring banks being the traffic police and the card brands being the judiciary, it becomes easier to comprehend how this all fits in together.

Reference Documents Figure 2: Reference Documents

The 300+ controls within PCI DSS represent a suite of controls, much like a Haynes Manual and the Highway Code.  Following the instructions within these documents assists organisations to adhere to various legislations and to remain safe. Here we’ll look at the goals of PCI DSS, and some of the parallels between the underlying technical systems of card security and similar systems and principles in the world of motoring.

Goal 1 – Build and maintain a secure network and system
This represents all the supporting infrastructure that enables the parts to inter-connect and operate (like the chasis, wiring and suspension of a car), as well as the changes and checks that need to be carried out against any attached system components (like oil, fuel, brake fluid and tyre inflation checks).

Goal 2 – Protect cardholder data
This is comparable to ensuring that a vehicle is secured , the doors lock, keys are operational and that the safety and security components like seat/safety belts, airbags and brake lights remain functional.

Goal 3 – Maintain a vulnerability management program
This relates to managing the effectiveness of the component parts of a car and ensuring that any new additions to the vehicle are approved and are fit for purpose.

Goal 4 – Implement strong access controls
This can be likened to making sure that only authorised people are given access to a vehicle, both drivers and passengers.

Goal 5 – Regularly monitor and test networks
This is like carrying out regular vehicle inspections and servicing, ensuring that any warning lights illuminations or irregular activities are investigated .

Goal 6 – Maintain an information security policy
Anyone given access to a vehicle as a driver or a passenger are subject to regulations which dictate what is and what is not acceptable (e.g. wearing of seat belts, not using a mobile phone whilst driving, adhering to the relevant speed limts, etc.)

Systems Diagrams. Figure 3: Systems diagrams

Anyone considering the purchase of a vehicle needs to ensure they can afford the associated running costs (e.g. fuel, tyres, regular servicing, annual MOT, tax, insurance, etc.) and not just the initial cost of buying the vehicle, itself.  It is much the same for any business wanting the responsibility to take payments by debit or credit cards.

Some of the maintenance jobs are easier than others, some of which need to be carried out by skilled or specialist personnel.  Therefore, it is essential that these jobs are allocated to suitable qualified internal or external resources (e.g. outsourcing penetration testing, ASV, Vulnerability Scanning, Data Centre Operations, etc.)

Additionally, as businesses mature, their card payment operation is likely to evolve, which you could compare to Porsche’s evolution of ‘the People’s car’, the VW Beetle, into their 911.  Accordingly, the associated risks need to be actively identified and managed.  For example, when Porsche took the basic VW beetle, it is unlikely that it just reskinned it and upgraded the engine without considering the impact this would have on the vehicle’s other operations like the steering, suspension and brakingSteering, Braking, Suspension, etc.).

Cutaway Beetle-Porsche 911 Figure 4: Cutaway Beetle/Porsche 911

Comparing PCI DSS to the world of motoring and vehicle maintenance helps us to see that, without  the correct approach and appreciation for procedures there will be a greater chance of failure.

For more information, visit: https://www.nettitude.co.uk/

 References

 

To contact Nettitude’s editor, please email media@nettitude.com.

Topics: Security Blog, Uncategorized

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Subscribe Here!

Recent Posts