With major attacks affecting payment data from U.S. merchant giants like Target and Neiman Marcus, now is the time for commercial retailers worldwide to take a closer look at the security of their point-of-sale systems – or face the risk of becoming the next victims.  

Target's case alone exposed debit and credit card information from as many as 110 million customers, so there's no wonder that the devastation of these attacks has prompted many retail businesses to review their compliance with Payment Card Industry Data Security Standards. It comes at a relevant time too, with the updated guidelines – PCI 3.0 – newly in effect.

The PCI DSS compliance standard serves to protect the confidential user information behind credit card transactions – specifically, card numbers, expiry dates and cardholder names. Compliance with these standards is a legal requirement, but it's important to realize that the PCI mandate dictates an absolute minimum set of standards. This means that while organizations might be compliant with PCI, they may not necessarily be secure. Achieving both is the path to not just PCI success, but also to commercial success.  

The entire process of PCI DSS, which is based around 12 requirements, can understandably be quite overwhelming to merchants. Fortunately, there are best practices that IT administrators within the payment card industry can follow, which make it much easier to maintain both compliance adherence and security.

AV Protection is Still Not Enough

Deploying up-to-date antivirus and firewall solutions is a great first start at preventing malicious exploits, like those used in the Target breach, from infiltrating corporate systems. But the reality is that an eggshell approach to security, where perimeter defenses are secure but internal defenses are weak, is simply not enough to prevent advanced attacks. The updated PCI guidelines now recognize this, dictating that AV systems should be configured so that users cannot disable or uninstall them.

But even with the inbuilt anti-tamper mechanisms that come with many of these solutions, users with administrative privileges have the power to alter these configurations and even disable them. If users are able to find a way around the network's perimeter security, so can the malware that compromises their accounts.  There is always a back door into your network if you operate with admin rights, and malware writers know this.

Next Page: Privilege Management

Privilege Management: A PCI Essential

It's not just the requirement around AV solutions that demands control of administrative privileges – several other PCI features do as well. Requirement 7, for instance, states that merchants must restrict access to cardholder data by business need-to-know, meaning that access rights should be granted only to the amount of privileges required to perform the job, and no more.  

Additionally, privileges should be assigned by job classification and function. Remote workers, for instance, are usually prime candidates for privileged accounts, as it's often difficult for them to receive immediate IT support while away from the office. The irony here is that home networks are usually less secure than the business office environment.

The tight emphasis around control of privileges in the PCI guidelines and others is well-justified, as unchecked privileged accounts within an organization pose devastating consequences. When excessive administrative rights are granted, the organization automatically opens itself up to security threats. Internally, there is greater opportunity to make system tweaks, opening the network and the corporate data it holds up to compromise, even unknowingly.

A recent report found that 45% of IT security professionals have experienced server outages due to configuration errors by server administrators. At the same time, only 20% were aware of just how many admins were running with privileged accounts.  In fact, Gartner estimates that 3% to 5% of an organization's endpoints are compromised at any time.

Management – not Restriction – of Privileges

Removing administrative rights across the board seems to be an obvious solution that addresses both compliance adherence and security objectives. But full removal of privileges without adequate management controls in place then has implications for productivity.

What happens if users need to complete a particular task, but lack the administrative rights necessary to do so? They are likely to make a support call to the IT help desk, which not only causes frustration but quickly becomes an extremely burdensome and costly strain on IT resources.

Instead of removing administrative rights completely, the answer lies in the effective management of privileges as part of a defense-in-depth security approach. Organizations are increasingly adopting the methodology of least privilege management, where privileges are removed from the user and instead assigned directly to applications and OS executables, and elevated only when needed.

With this model, users can log into corporate systems on standard user accounts, making it significantly more difficult for malware to compromise systems via a privileged account. At the same time, there is no compromising on user flexibility or productivity.

By ensuring that privilege management is deployed as part of the wider security stack, organizations can ensure they are not just adhering to compliance standards, but are simultaneously improving their overall security architecture.

Andrew Avanessian is vice president of professional services at Avecto  in Cambridge, Mass.