How PCI Compliance Helped an International Airport Avoid Potential Disaster
The Payment Card Industry Data Security Standard (PCI-DSS) has existed since December 2004. It was created by the major card brands (Discover Financial Services, American Express, Visa, and JCB International) to protect credit card transactions and cardholder data. Here we are 15+ years later, and while great strides have been made, there is still a huge gap in the number of companies that attain and/or maintain compliance. According to the Verizon 2019 Payment Security Report, in 2018 only 36.7% of businesses were fully compliant with PCI-DSS. Even more discouraging, this rate represents a decline from the previous two years: in 2016 the average was 55.4%, and in 2017 compliance dropped three points to 52.4%.
The State of PCI Compliance
This should be of great concern, as the PCI Security Standards Council continues to levy significant fines for non-compliance and, more importantly, the overall security of the network is at risk.
The Common Problem of Limited Resources
As a case in point, we engaged with a large international airport that was significantly out of compliance with the standard in 2018. Our team worked with the organization for over a year to help them become compliant in many areas of their Governance, Operations, and Technical (G.O.T.) requirements. As with many clients we work with, they didn’t have resources to dedicate to information security. The limited IT staff had to focus on the operational tasks of keeping systems running and people connected and productive. Security received little attention, and security shortcuts were frequently taken to get new systems online or to make the life of IT administration easier.
Importance of Governance, Operations, and Technical PCI Requirements
The Governance layer is a key component of maintaining a secure environment. A well-designed Information Security Policy will address the necessary aspects of information security that should be implemented and followed by the Operations and Technical layers.
Operations documentation, or Standard Operating Procedures (SOPs), is often overlooked and not formalized (i.e., written and approved by the organization’s senior leadership). The policies and procedures are typically ad hoc (i.e., practiced but not formalized), passed along informally, and don’t provide consistency for the organization – especially if there is turnover in the IT staff. Many documents become stale and are not reviewed regularly to accommodate changes in the environment or updates to regulations.
Most compliance programs focus on the Governance and Operations components to evaluate how well the technical controls are implemented. While words on paper won’t stop a cyber-security threat, they will help ensure the organization’s personnel are aware of what appropriate measures are expected to be taken to protect the environment.
The Technical layer of G.O.T. is the most complex, as it deals with many diverse and interrelated components. Choosing appropriate security solutions and managing them effectively also has the greatest impact on an organization’s budget. There are many excellent solutions for managing security and threats, but there is no single silver bullet that will stop threats from happening (other than unplugging from the Internet, which is not an option for today’s business).
Helpful Suggestions and Observations
For those organizations that don’t know where to start, the following issues should be considered a priority:
- If you don’t do anything else, you need to implement a Vulnerability and Patch Management process. This is the most common way that systems are compromised: vulnerable systems are exposed directly to the Internet, or malware introduced by email phishing or by browsing compromised websites takes advantage of unpatched systems. Also remember that it is not just operating systems, but third-party applications like Adobe, Java, etc. that need to be patched regularly. You should also run vulnerability scans on a regular basis to validate that the patching process is effective. Patch, Patch, and Patch and Test, Test, Test!
- To guard against potential attacks, perimeter security is key. A firewall is only as good as the person who maintains it. Poorly designed access control rules will expose the organization to unnecessary threats from the Internet. The lack of a secure DMZ is most often the first sign of trouble. Knowing what kind of traffic is going in and out of the network is also key and monitoring that traffic with an IDS/IPS and WAF will allow for better blocking of malicious activity. Proper segmentation is another area that can protect the organization’s important information assets, like cardholder data, sensitive or confidential information, etc.
- Securing each workstation or device is the next key, and typical antivirus is not enough. Given the sophistication of today’s attacks, it is important to be able to detect and control improper behavior by an end user or a malicious app. Being able to communicate these activities to perimeter systems and automate the isolation of an infected system goes a long way toward stopping the spread of malware or an attacker in the environment.
- Organizations should protect the keys to the kingdom by managing privileged accounts with a Privileged Access Manager. This is an area that is often overlooked. IT administrators often use a login account with Domain Admin privileges as their day-to-day account. Local system admin accounts often use the same password across all systems, and if an attacker can discover that password on one system, they can easily move laterally in the environment. Often passwords are not complex or are not changed on a regular basis. And keep in mind that just about every device connected to a network has a local admin account, and its default admin password must be changed before the device is connected.
- Finally, organizations should ensure that they are logging all the critical event log activities from network devices, domain controllers, servers, workstations, and security systems into a centralized logging system (SIEM). But just logging the data is not enough. Organizations need to analyze and understand that data and what is happening in and on their network. Threat analytics and alerting should be employed within the system, and someone needs to be responsible for watching and maintaining the logs daily, if not 24×7.
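The last two suggestions above go together: a centralized log store only pays off when someone writes and watches correlation rules over it. The following is an added example, not code from the original article or from CompliancePoint, of two such rules run over constructed Windows-style logon records (event 4625 = failed logon, 4624 = successful logon). The first rule flags repeated failed logons for one account from one source; the second flags a shared local admin account (the password-reuse problem described in the privileged-account bullet) successfully logging on to several different hosts from the same source within a short window, which is the lateral-movement pattern a SIEM should surface. The pipe-delimited record format, the host names, the account names and the thresholds are all assumptions made for this example.

```python
"""Minimal SIEM-style correlation over centralized logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp|host|event_id|account|source_ip|outcome
# (not real airport data). jsmith fails six times in under a minute, then the
# shared local "Administrator" account hops across four hosts from the same IP.
SAMPLE_LOG = """\
2020-03-01T02:00:01|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:00:03|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:00:09|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:00:15|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:00:22|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:00:30|WS-0142|4625|jsmith|10.20.5.17|failure
2020-03-01T02:05:10|WS-0142|4624|Administrator|10.20.5.17|success
2020-03-01T02:06:40|FS-01|4624|Administrator|10.20.5.17|success
2020-03-01T02:07:05|DC-01|4624|Administrator|10.20.5.17|success
2020-03-01T02:08:00|POS-07|4624|Administrator|10.20.5.17|success
2020-03-01T09:00:00|WS-0200|4624|alee|10.20.6.4|success
2020-03-01T09:30:00|WS-0201|4624|Administrator|10.20.6.9|success
"""

# Local accounts that exist under the same name on every host (assumption).
LOCAL_ADMIN_ACCOUNTS = {"Administrator"}


def parse_events(text):
    """Parse pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, event_id, account, src, outcome = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "account": account,
                       "src": src, "outcome": outcome})
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert once per (account, source) when failures within `window` reach `threshold`."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # (account, src) -> times of recent failures
    for e in events:
        if e["event_id"] != 4625:
            continue
        key = (e["account"], e["src"])
        q = recent[key]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "bruteforce", "account": key[0], "src": key[1],
                           "host": e["host"], "count": len(q), "time": e["time"]})
    return alerts


def detect_local_admin_spread(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert once per (account, source) when a shared local admin account logs on
    successfully to at least `min_hosts` distinct hosts within `window`."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # (account, src) -> (time, host) of recent successes
    for e in events:
        if e["event_id"] != 4624 or e["account"] not in LOCAL_ADMIN_ACCOUNTS:
            continue
        key = (e["account"], e["src"])
        q = recent[key]
        q.append((e["time"], e["host"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= min_hosts and key not in fired:
            fired.add(key)
            alerts.append({"rule": "local_admin_spread", "account": key[0],
                           "src": key[1], "hosts": hosts, "time": e["time"]})
    return alerts


def run_detections(text):
    """Run both rules over one log text and return the combined alert list."""
    events = parse_events(text)
    return detect_bruteforce(events) + detect_local_admin_spread(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the constructed data this yields exactly two alerts: the brute-force rule fires on jsmith's fifth failure, and the spread rule fires when the local Administrator account reaches its third distinct host (DC-01) from 10.20.5.17; the later single Administrator logon from 10.20.6.9 stays below the threshold and is not reported. Real deployments replace `SAMPLE_LOG` with a SIEM query and tune the thresholds to the environment, but the per-key sliding windows are the same shape regardless of the log source.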
The Results of Our Remediation Team’s Work
Back to the airport. We completed the project, and they obtained their PCI certification. Just weeks after their report was issued, their main website (not in scope for PCI) was compromised due to a web app vulnerability. Using the processes and technology implemented for PCI, they were able to detect and shut down the attack before any significant damage was done. Without having gone through the PCI remediation efforts, it is very likely that the attacker would have been able to traverse their environment and there is no telling what they would have been able to do or how long they would have been able to ‘live’ in their network.
The moral of this story is that compliance with a standard should not be the only goal of information security. Organizations should also review their overall risk by evaluating their G.O.T. strengths and weaknesses to enhance their security maturity, so that they are better prepared to handle the myriad of threats facing their information systems.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.