For data center managers at retailers, banks and other companies that deal directly with consumer credit card payment information, complying with the Payment Card Industry Data Security Standard (PCI DSS) adds still more responsibilities to their to-do lists.
As mandated by PCI DSS, organizations must ensure the integrity and confidentiality of consumer payment card information; for data centers, that means establishing controls for all the systems that deal with such information.
Despite the work involved with compliance efforts, over the past year data centers seem to be up to the task: According to credit card payment processor Visa Inc., 77% of its large merchant customers (those that process more than 6 million Visa transactions annually) and 62% of its medium-sized merchant customers (those that process up to 6 million Visa transactions annually) had achieved PCI compliance by the end of 2007. That's a significant increase over the end of 2006, when 12% of large merchants and 15% of medium-sized merchants were PCI-compliant.
A technical response to regulations
As far as the technologies IT needs to implement to mitigate vulnerabilities with credit card information, PCI requirements are fairly explicit. The regulations mandate use of firewalls, antivirus software and encryption over public networks. The most relevant PCI requirements that involve data centers are those that involve the implementation of access controls and the regular monitoring of all devices that contain or transmit consumer payment card information.
While data centers devise policies and procedures to ensure the integrity of their systems, some have also begun to explore technical solutions in the form of change management control software. Such software automates and validates change control processes on relevant components of an IT infrastructure to prevent unauthorized changes from being made to files on servers, systems and applications.
For matters of PCI compliance, such changes involve those to files, registry keys on servers, databases, Active Directory and network devices. Vendors that offer change management products aimed at PCI compliance include BladeLogic Inc., mValent Inc., Solidcore Systems and Tripwire Inc. According to research firm Enterprise Management Associates, change management is a discrete category of systems management software that is garnering a lot of interest among organizations seeking to streamline their various compliance efforts.
Not off-the-shelf compliance
Trent Henry, vice president and research director of the security and risk management group at Burton Group, a research firm in Midvale, Utah, is skeptical of vendors that claim to provide solutions for PCI compliance. "A few years ago -- when Sarbanes-Oxley (SOX) was new -- there was a rush among vendors to position their software as SOX compliance solutions," he said. "If you look at the regulations, they are very explicit in what they require, and change and configuration control software aren't mentioned."
Jim Hickey, chief marketing officer of mValent, a provider of automation software for application configuration management, concedes that he's not aware of a single product that can deliver PCI compliance out of the box. But Hickey said that change management tools can help organizations meet various requirements of the PCI mandate. Specifically, mValent's Integrity product tracks things like patch levels and software versions and enables the testing of patches and configuration changes prior to production.
"The whole area of change control -- of documenting the impact of changes, of ensuring signoff, back out, remediating insecure configurations, and the tracking and monitoring changes -- can help a company secure its access to systems," Hickey said.
Henry agrees, saying that change management software can mitigate potential vulnerabilities by helping to ensure the integrity and confidentiality of payment card information. "You can certainly tie compliance to change management software," he said. "If you don't have the proper change and configuration management processes in place, you are putting your IT shops at risk." Mark Diamond, the CEO and president of Contoural Inc., a business and technology consulting firm in Mountain View, Calif., goes a step further; he thinks change management tools are a must-have to achieve PCI compliance.
"Companies need to understand the compliance data they have and to log all access to that data," Diamond said. "The only way to do that is with [change management] tools." And from an auditor's perspective, it doesn't hurt to have these tools. "An auditor wants to see that there's a sensible process in place for securing PCI data," Diamond added.
Henry recommends that organizations first conduct an information inventory in their data centers of where credit card information is processed, stored and transmitted. "You can then wrap change management control software around those areas," he said.
Change management control challenges
Convergys Corp., a provider of outsourced customer care, human resources and billing services, handles sensitive data from clients on a daily basis. "One of the biggest challenges for us is ensuring the integrity of the data that our clients are outsourcing to us," said Greg Allender, the director of global information security at Convergys, a $2.8 billion company based in Cincinnati.
To meet that challenge, Convergys deployed change management control software from Solidcore Systems in its data centers to ensure PCI compliance. Convergys began to roll out Solidcore's S3 Control software during the third quarter of 2007 for several application platforms.
"When we make any changes to our servers, we can detect those changes proactively," Allender said. The S3 Control software tracks changes continuously and enables Convergys system administrators to search changes in real time and reconcile actual changes with change requests. The system also validates and enforces changes in light of the company's processes and policies. Convergys has targeted about 1,000 servers that are instrumental for PCI compliance, and by the first quarter of this year, the S3 Control system should roll out to three PCI compliance environments.

Across the enterprise, Allender said, specific environments particularly benefit from a more stringent change control process. "In the server realm, there are certain configuration files within an operating system, password files and database log files that we're interested in," he said. "We'd like to be able to detect changes in those files and be better at getting to the root cause of incidents."

Eventually, Allender envisions building a configuration management database (CMDB) that will be fed by the change information in the S3 Control software as well as configuration data from the company's Opsware tool. (Opsware has since been acquired by Hewlett-Packard Co.) Currently, Convergys is evaluating CMDB products and plans to make a selection this year.

As for challenges, Allender envisions the biggest hurdle arising from cultural issues rather than technical ones. "A lot of our systems administrators look at change management control as a big brother kind of thing, but that's not the case at all," he said. "We have to comply with the legislation that's out there and ensure the integrity of our systems." While in the past, systems administrators were accustomed to installing new applications and components on servers without a formal change management system, that ad hoc approach is no longer feasible. "It's definitely a culture change," Allender said.
"But the good part of having a tool like Solidcore is that operations people who make authorized changes can prove that they have done their job."
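To make concrete what a change control tool does for the files Allender names, here is an added Python sketch (not code from Solidcore, Convergys or this article) of the core loop: fingerprint the monitored files, detect what changed, then reconcile every change against the approved change requests so that any change without a ticket surfaces as unauthorized. The file paths, file contents and the ticket id are constructed sample values.

```python
import hashlib

# Constructed sample of the kinds of files the article calls out: an OS
# configuration file, the password file and a database log. Contents are
# placeholders, not real data.
BASELINE_SNAPSHOT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/shadow": b"root:*:19000:0:99999:7:::\n",
    "/var/lib/pgsql/pg_log/postgresql.log": b"LOG: database system is ready\n",
}

# The same host one scan later (constructed): sshd_config was edited under an
# approved ticket, /etc/shadow changed with no ticket, and a new cron job appeared.
CURRENT_SNAPSHOT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/etc/shadow": b"root:$6$placeholder:19001:0:99999:7:::\n",
    "/var/lib/pgsql/pg_log/postgresql.log": b"LOG: database system is ready\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}

# Approved change requests (constructed): ticket id -> paths the ticket authorizes.
CHANGE_REQUESTS = {"CHG-1042": {"/etc/ssh/sshd_config"}}


def fingerprint(snapshot):
    """Map each monitored path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def detect_changes(baseline, current):
    """Compare two fingerprint maps; report added, removed and modified paths."""
    changes = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def reconcile(changes, change_requests):
    """Split detected changes into those covered by a ticket and those that are not."""
    authorized, unauthorized = {}, {}
    for path, kind in changes.items():
        ticket = next((t for t, paths in change_requests.items() if path in paths), None)
        if ticket:
            authorized[path] = (kind, ticket)
        else:
            unauthorized[path] = kind   # no change request: raise for investigation
    return authorized, unauthorized


def run_check(baseline_snapshot=BASELINE_SNAPSHOT, current_snapshot=CURRENT_SNAPSHOT,
              change_requests=CHANGE_REQUESTS):
    changes = detect_changes(fingerprint(baseline_snapshot), fingerprint(current_snapshot))
    return reconcile(changes, change_requests)
```

Running `run_check()` reports the sshd_config edit as authorized under CHG-1042 and flags the password file edit and the new cron entry as unauthorized, which is exactly the evidence an operator uses to prove an approved change and an auditor uses to ask about the rest.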
Let us know what you think about the story; email Megan Santosus, Features Writer.