With major attacks affecting payment data from U.S. merchant giants like Target and Neiman Marcus, now is the time for commercial retailers worldwide to take a closer look at the security of their point-of-sale systems – or face the risk of becoming the next victims.

Target's case alone exposed debit and credit card information from as many as 110 million customers, so it's no wonder that the devastation of these attacks has prompted many retail businesses to review their compliance with the Payment Card Industry Data Security Standard. It comes at a relevant time too, with the updated guidelines – PCI 3.0 – newly in effect.

The PCI DSS compliance standard serves to protect the confidential user information behind credit card transactions – specifically, card numbers, expiry dates and cardholder names. Compliance with these standards is a legal requirement, but it's important to realize that the PCI mandate dictates an absolute minimum set of standards. This means that while organizations might be compliant with PCI, they may not necessarily be secure. Achieving both is the path to not just PCI success, but also to commercial success.

The entire process of PCI DSS, which is based around 12 requirements, can understandably be quite overwhelming to merchants. Fortunately, there are best practices that IT administrators within the payment card industry can follow, which make it much easier to maintain both compliance adherence and security.

AV Protection is Still Not Enough

Deploying up-to-date antivirus and firewall solutions is a good first step toward preventing malicious exploits, like those used in the Target breach, from infiltrating corporate systems. But the reality is that an eggshell approach to security, where perimeter defenses are strong but internal defenses are weak, is simply not enough to prevent advanced attacks. The updated PCI guidelines now recognize this, dictating that AV systems should be configured so that users cannot disable or uninstall them.

But even with the built-in anti-tamper mechanisms that come with many of these solutions, users with administrative privileges have the power to alter these configurations and even disable them. If users are able to find a way around the network's perimeter security, so can the malware that compromises their accounts. There is always a back door into your network if you operate with admin rights, and malware writers know this.

Privilege Management: A PCI Essential

It's not just the requirement around AV solutions that demands control of administrative privileges – several other PCI features do as well. Requirement 7, for instance, states that merchants must restrict access to cardholder data by business need-to-know, meaning that access rights should be granted only to the amount of privileges required to perform the job, and no more.

Additionally, privileges should be assigned by job classification and function. Remote workers, for instance, are usually prime candidates for privileged accounts, as it's often difficult for them to receive immediate IT support while away from the office. The irony here is that home networks are usually less secure than the business office environment.

The tight emphasis on control of privileges in the PCI guidelines and others is well-justified, as unchecked privileged accounts within an organization can have devastating consequences. When excessive administrative rights are granted, the organization automatically opens itself up to security threats. Internally, there is greater opportunity to make system tweaks, opening the network and the corporate data it holds up to compromise, even unknowingly.

A recent report found that 45% of IT security professionals have experienced server outages due to configuration errors by server administrators. At the same time, only 20% were aware of just how many admins were running with privileged accounts. In fact, Gartner estimates that 3% to 5% of an organization's endpoints are compromised at any time.

Management – not Restriction – of Privileges

Removing administrative rights across the board seems to be an obvious solution that addresses both compliance adherence and security objectives. But full removal of privileges without adequate management controls in place then has implications for productivity.

What happens if users need to complete a particular task, but lack the administrative rights necessary to do so? They are likely to make a support call to the IT help desk, which not only causes frustration but quickly becomes an extremely burdensome and costly strain on IT resources.

Instead of removing administrative rights completely, the answer lies in the effective management of privileges as part of a defense-in-depth security approach. Organizations are increasingly adopting the methodology of least privilege management, where privileges are removed from the user and instead assigned directly to applications and OS executables, and elevated only when needed.

With this model, users can log into corporate systems on standard user accounts, making it significantly more difficult for malware to compromise systems via a privileged account. At the same time, there is no compromising on user flexibility or productivity.
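To make the model concrete, here is an added example (not from the article, and not Avecto's product code) of a small policy evaluator in which elevation is attached to a named executable and its hash, limited by job classification, and recorded for audit; every path, role and binary content is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ElevationRule:
    """A privilege attached to one executable, never to a user account."""
    path: str             # executable that may run elevated
    sha256: str           # expected hash, so a swapped or tampered binary is refused
    roles: frozenset      # job classifications allowed to trigger the elevation

@dataclass(frozen=True)
class Decision:
    elevate: bool
    reason: str

class PrivilegePolicy:
    """Evaluates elevation requests from users who log on without admin rights."""
    def __init__(self, rules):
        self.rules = {r.path: r for r in rules}
        self.audit = []  # every decision is recorded for later review

    def evaluate(self, user, role, path, binary):
        rule = self.rules.get(path)
        if rule is None:
            d = Decision(False, "no rule for executable: runs as standard user")
        elif role not in rule.roles:
            d = Decision(False, "role not entitled to this elevation")
        elif hashlib.sha256(binary).hexdigest() != rule.sha256:
            d = Decision(False, "binary hash mismatch: possible tampering")
        else:
            d = Decision(True, "elevated per application rule")
        self.audit.append((user, role, path, d.elevate, d.reason))
        return d

# Constructed stand-ins for executables (sample bytes, not real programs).
POS_UPDATER = b"constructed sample bytes standing in for posupdate.exe"
TAMPERED_UPDATER = POS_UPDATER + b"\x90"  # altered copy, so its hash no longer matches
UPDATER_PATH = r"C:\POS\posupdate.exe"    # hypothetical path

POLICY = PrivilegePolicy([ElevationRule(
    UPDATER_PATH, hashlib.sha256(POS_UPDATER).hexdigest(), frozenset({"store_manager"}))])

def demo():
    """Legitimate request, wrong role, tampered binary, unlisted tool."""
    return [
        POLICY.evaluate("alice", "store_manager", UPDATER_PATH, POS_UPDATER).elevate,
        POLICY.evaluate("bob", "cashier", UPDATER_PATH, POS_UPDATER).elevate,
        POLICY.evaluate("alice", "store_manager", UPDATER_PATH, TAMPERED_UPDATER).elevate,
        POLICY.evaluate("alice", "store_manager", r"C:\Tools\unlisted.exe", b"x").elevate,
    ]
```

Only the first request is elevated; the other three run as the standard user, and each outcome lands in the audit list with its reason.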

By ensuring that privilege management is deployed as part of the wider security stack, organizations can ensure they are not just adhering to compliance standards, but are simultaneously improving their overall security architecture.

Andrew Avanessian is vice president of professional services at Avecto in Cambridge, Mass.

© 2024 ALM Global, LLC, All Rights Reserved.