PCI at a Retail Chain
This case study covers how PCI DSS Requirement 11 was addressed at a large retail chain in the US Midwest. The Unnamed Retailer, Inc. performed no periodic network vulnerability scanning and did not employ the services of a penetration testing firm. Their IT security staff sometimes used freeware tools to scan a specific system for open ports or, occasionally, for vulnerabilities, but all such efforts were ad hoc and not tied to any program. As the PCI compliance deadline approached, the company had to begin quarterly scanning using a PCI Approved Scanning Vendor (ASV).
They chose to deploy a service-based vulnerability scanning offering from a major vendor, selected after a brief proof-of-concept study. Initially they went from having no knowledge of their vulnerability posture to having far too much, since they decided to scan all Internet-facing systems. Later they reduced the scope to what they considered "in-scope" systems, namely those processing payments (few of which are ever visible from the Internet) and those connected to such systems.
Later their scanning vendor introduced a method to scan internal systems, which the retailer adopted immediately. However, it turned out that determining which internal systems are in scope is even more complicated, since many systems have legitimate reasons to connect to those that process credit card transactions. For example, even their internal patch management system was deemed in scope, since it frequently connected to the transaction processing servers.
As a result, their route to PCI vulnerability management nirvana took a few months and followed a phased approach:
1. All Internet-facing systems that can be scanned
2. A smaller set of Internet-facing systems that were deemed to be “in-scope”
3. A set of internal systems that either process payments or connect to those that do
4. From there, the company will probably move to scanning select important systems which are not connected to payment processing, but are still critical in their business.
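The scoping problem in phase 3 (which internal hosts "connect to" the payment systems, and why the patch management server ended up in scope) is mechanical once you have connection records. The following script is an added example, not the retailer's or the scanning vendor's code; the host names and connection records are constructed for illustration, and in practice they would come from firewall, NetFlow or switch logs joined against the asset inventory. It seeds the graph with the payment-processing hosts and reports everything within a configurable number of network hops, which also shows how quickly scope balloons through shared infrastructure such as directory and patch servers.

```python
"""Added example: deriving PCI DSS scan scope from observed connections.
Not from the case study; all host names and records below are constructed."""
from collections import defaultdict

# Constructed: hosts that process card transactions (the cardholder data environment).
CDE_HOSTS = {"pos-txn-01", "pos-txn-02"}

# Constructed connection records: (source host, destination host, destination port).
CONNECTIONS = [
    ("pos-txn-01", "pos-txn-02", 5432),   # replication inside the CDE
    ("patchmgmt-01", "pos-txn-01", 443),  # patch management server pushes updates
    ("patchmgmt-01", "pos-txn-02", 443),
    ("patchmgmt-01", "hr-web-01", 443),   # ...and also patches unrelated hosts
    ("ad-dc-01", "patchmgmt-01", 389),    # directory server used by the patch system
    ("hr-web-01", "hr-db-01", 3306),      # HR traffic with no CDE involvement
    ("mon-01", "pos-txn-01", 22),         # monitoring host logs in to a CDE server
]


def build_adjacency(connections):
    """Undirected host graph: 'connected to' applies whichever side initiated."""
    adj = defaultdict(set)
    for src, dst, _port in connections:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def connected_to(cde_hosts, connections, hops=1):
    """Hosts within `hops` connections of the CDE, excluding the CDE itself.

    hops=1 is the case study's criterion ("connect to those that do");
    larger values show how far scope spreads through shared infrastructure.
    """
    adj = build_adjacency(connections)
    seen = set(cde_hosts)
    frontier = set(cde_hosts)
    for _ in range(hops):
        nxt = set()
        for host in frontier:
            nxt |= adj[host] - seen
        seen |= nxt
        frontier = nxt
    return seen - set(cde_hosts)


def scan_scope(cde_hosts, connections, hops=1):
    """Scan target list for the phase-3 internal scans: CDE plus connected hosts."""
    return set(cde_hosts) | connected_to(cde_hosts, connections, hops)


def connecting_ports(cde_hosts, connections):
    """Ports each non-CDE host uses to reach the CDE.

    This is the evidence needed either to justify keeping a host in scope or
    to remove the connection (e.g. via segmentation) and shrink the scope.
    """
    ports = defaultdict(set)
    for src, dst, port in connections:
        if dst in cde_hosts and src not in cde_hosts:
            ports[src].add(port)
    return dict(ports)


if __name__ == "__main__":
    for hops in (1, 2, 3):
        print(f"hops={hops}: {sorted(scan_scope(CDE_HOSTS, CONNECTIONS, hops))}")
    print("ports into CDE:", connecting_ports(CDE_HOSTS, CONNECTIONS))
```

With the constructed records, one hop pulls in only the patch management and monitoring hosts; two hops add the directory server and an HR web server that merely shares the patch server, and three hops reach the HR database. That spread is why the retailer found scoping "even more complicated" once internal scanning was available, and why the port report matters: a connection that cannot be justified is a candidate for segmentation rather than for adding another host to the scan list.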
Even though the organization had not previously deployed intrusion detection, their PCI assessors strongly suggested that they look at options in this area. The company chose to upgrade their firewalls to Unified Threat Management (UTM) devices that combine the capabilities of a firewall and a network IPS. An external consultant proposed their initial intrusion prevention rule set, which the company deployed.
Overall, the project ended up as a successful, if lengthy, implementation of PCI DSS Requirement 11, using a scanning service as well as UTM devices in place of their firewalls. The organization passed the PCI assessment, although they were also told to look at deploying file integrity monitoring software, which is offered by several commercial vendors.
CompliancesForum provides free templates, checklists, and updates for your regulatory compliance needs: Basel II Accord, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX)