PCI DSS compliance is providing a safe place for your customers to do business with us either online or within our brick and motor location. Providing this compliance will ensure that your network has a chance to avoid the publicity nightmare that has effected so many other organizations, like Home Depot and J.P. Morgan Chase. As part of being PCI DSS compliant, organizations must adhere to risk analysis. In order for any organization to handle their network security risk it is important to understand the three important areas of a risk analysis and they are confidentiality, integrity, and availability.

Confidentiality is all about letting only the allowed personal have access to that sensitive information and keeping private information private. Unsecure networks, malware, and even social engineering are all types of attacks that can compromise that important data. But intruders or the use of stolen credentials are topping the charts and have been a top ten issue for several years now. It also has been increasing in the number of case in recent years and this attack has accounted for 422 cases in 2013. Whether it comes from a Point of Sale (POS) interaction or a Web application attack the best defense is a strong password. A password should not be written down or can be found in a dictionary, but consist of upper and lower case letters with numbers and special characters mixed throughout (Verizon DBIR, 2014).

Integrity is insuring that the information and devises can only be accessible to the personal that poses the correct credentials. Principles of least privilege and rotation and separation of duties are some of the incidence that fall under this category, but insider misuse is the main problem here. This category can range from e-mail miss-delivery to disposal error. 44% of the problem is e-mail miss-delivery and this can be solved by installing Data Loss Prevention (DLP) software. This software prevents account and/or social security numbers linking out through e-mails.

Availability is the insurance that the information and/or devises can be accessed. The denial or failure to access the system can be either a man made event or a natural one. While the natural ones are the most destructive, the man made events are the most problematic and common. The one the tops the list is denial of service (DoS) attacks and to dive deeper into this area is the use of a botnet to do the dirty work. This botnet are originating from data centers that have large bandwidth capacity that can cause a DoS attack. One of these attackers was directed at a financial institution that was “97 Gbps/100 Mpps attacks” (Verizon DBIR, 2014). There are a few preventive measures that can be put in place to prevent a DoS attack and they are keep the operating system up-to-date, watch for small attacks against one service, and limit the number of people that can access the critical systems (Verizon DBIR, 2014). Network security and becoming PCI DSS compliant is a fine balance between functionality and practicality. There is always the potential for an attack from either manmade or natural one, but with a few tricks and some precautionary steps in place these attacks can be lessened or even eliminated all together. The due diligence and knowledge to safeguard the critical and essential network that we all care about can happen. It is our responsibility to limit network risks and to insure the safety of our customers’ information.

References
Verizon 2014 Data Breaching Investigation Repot. Retrieved from https://dti.delaware.gov/pdfs/rp_Verizon-DBIR-2014_en_xg.pdf

PCI SSC Data Security Standards Overview. PCI Security Standards Council, LLC. Retrieved from https://www.pcisecuritystandards.org/security_standards/index.php