With a number of high-profile security breaches plaguing the financial sector over the past year, the Payment Card Industry Security Standards Council has introduced a series of guidelines intended to help organizations ensure compliance with PCI DSS.


Issued in November, the guidelines advise organizations that handle debit or credit card data on how best to conduct their annual risk assessments, as mandated in PCI DSS Requirement 12.1.2.


These guidelines certainly reinforce how compliance has hardened from suggestive or advisory directives to true mandates, with hefty fines and strict consequences for those failing to take heed. With harsher enforcement by the card brands and acquiring banks, compliance has also evolved from merely ticking a box on a checklist to implementing processes that are sometimes arduous and complex.


This can be tough considering the organic nature of compliance mandates today, which are constantly under revision and evolving. To keep from being buried under the weight of bureaucracy, organizations should ideally be checking their compliance processes continuously rather than conducting a behemoth risk assessment once a year.


One major step that organizations can take toward making assessment an ongoing part of business operations, rather than a daunting year-end endeavor, is implementing a least privilege approach that includes proactive monitoring.


For instance, the new guidelines specifically highlight the threat of assigning inappropriate access permissions. This is a threat that most companies can equip themselves to combat on an ongoing basis, provided they have full visibility into who holds which permissions and into emerging and existing vulnerabilities.


In fact, many organizations remain largely unaware of the danger of employees logging on to PCs with administrative privileges to carry out everyday tasks, ranging from software downloads to connecting to a printer. The problem is that the privilege to conduct such tasks without reasonable limitations can dramatically increase the risk of a PCI compliance violation by allowing unauthorized access to, or exposure of, cardholder data.


Here are some of the risks that organizations, especially those that handle customers' financial information, incur when granting employees administrative rights:

  • Unauthorized system changes, enabled by an employee's admin rights, could not only result in costly system downtime but could also disable important management software, antivirus and policy settings configured by the IT department to protect devices and data. Unwittingly or otherwise, privileged users could introduce malware onto the system, resulting in massively expensive and excruciating data breaches.
  • Even worse, malware running with admin rights could attack other PCs and servers on the network, broadening the range of accessible cardholder information. Furthermore, malware can run automatically, without the user's knowledge, via Internet browser or other application exploits, and whatever it does, it does with the rights of the logged-on user.
  • With full administrative privileges, users could access the local data of others who use the same PC, potentially putting protected customer data at risk or exposing sensitive personnel information.

Antivirus and firewalls provide limited protection against threats to cardholder data, especially when users have the privileges to shut security programs off. Instead, these should be used in combination with more proactive, defense-in-depth security measures that not only protect against external hackers but also secure systems from the inside.


Where sensitive data are involved, access should be granted on a “need-to-do” basis. This can be accomplished through least privilege security, where users are granted only the rights necessary for the scope of their job.


By removing admin rights and elevating them only when needed, organizations can support PCI compliance with a user base that is a) prevented from introducing malware that might cause data leaks, and b) prevented from making accidental configuration changes that could leave devices insecure. In fact, 90% of the exploits against Windows 7 are reported to be mitigated when users run with standard user rights.
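The ongoing check this approach calls for, knowing at any moment who holds local administrator rights, whether elevation still prompts, and who changed the group recently, can be scripted. The PowerShell below is an added example written for this page; it is not the article's or Avecto's code. The approved-admin list, the CONTOSO domain and the group names in it are assumptions to be replaced with your own. Reading the Security log requires an elevated session and the "Audit Security Group Management" policy to be enabled.

```powershell
# Audit-LocalAdmins.ps1 (example for this page, not from the article or Avecto)
# Reports local Administrators membership against an approved list, the UAC
# elevation settings, and recent admin-group changes from the Security log,
# so the check can run on a schedule instead of in an annual assessment.

# ASSUMPTION: accounts approved to hold local admin rights. CONTOSO and the
# group names are hypothetical; replace with your own tiered admin groups.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Domain Admins",
    "CONTOSO\Workstation Admins"
)

function Get-LocalAdminMembers {
    # Prefer the LocalAccounts module (Windows 10 / Server 2016 and later);
    # fall back to the WinNT ADSI provider on older hosts.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource }
        }
    } else {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $group.Invoke('Members') | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            $cls  = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            # ADsPath is WinNT://DOMAIN/name; normalise to DOMAIN\name
            [pscustomobject]@{ Name = ($path -replace '^WinNT://', '' -replace '/', '\'); Class = $cls; Source = 'ADSI' }
        }
    }
}

function Get-UacState {
    # EnableLUA 0 means UAC is off entirely. ConsentPromptBehaviorAdmin 0 means
    # admins elevate silently, which defeats the "elevate only when needed" model;
    # 2 (consent on the secure desktop) or 1 (credentials) is what you want.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-RecentAdminGroupChanges([int]$Days = 7) {
    # 4732 = member added to a security-enabled local group, 4733 = member removed.
    # Event fields in documented order: MemberName, MemberSid, TargetUserName (group),
    # TargetDomainName, TargetSid, SubjectUserSid, SubjectUserName, ...
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction Stop |
            Where-Object { $_.Properties[2].Value -eq 'Administrators' } |
            Select-Object TimeCreated, Id,
                @{ n = 'MemberSid'; e = { $_.Properties[1].Value } },
                @{ n = 'ChangedBy'; e = { $_.Properties[6].Value } }
    } catch {
        Write-Warning "Security log not readable (run elevated, enable group-management auditing): $($_.Exception.Message)"
    }
}

$members    = Get-LocalAdminMembers
$unexpected = $members | Where-Object { $ApprovedAdmins -notcontains $_.Name }

"Local Administrators on $env:COMPUTERNAME"
$members | Format-Table -AutoSize

if ($unexpected) {
    Write-Warning 'Accounts holding admin rights outside the approved list:'
    $unexpected | Format-Table -AutoSize
    # Remediation is deliberately opt-in; review the list first, then run:
    # $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf }
}

"UAC elevation settings"
Get-UacState | Format-List

"Administrators group changes in the last 7 days"
Get-RecentAdminGroupChanges | Format-Table -AutoSize
```

Run it from a scheduled task under a service account and ship the output to whatever collects your other compliance evidence; an unexpected name in the first table or a ConsentPromptBehaviorAdmin of 0 in the second is exactly the "inappropriate access permission" the guidelines ask you to find before the assessor does.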


Considering today's soaring levels of malware attack incidents and sophistication, organizations can no longer afford to conduct a single annual risk assessment. To meet PCI requirements, organizations need an ongoing process of threat identification and protection, one that is an inherent part of their usual business operations.


With least privilege security, companies in the financial sector can rest easier, knowing their data are under diligent restriction 24/7/365.


Andrew Avanessian is vice president of professional services at Avecto, which has offices in Andover, Mass., Manchester, England, and Munich, Germany.
