Data Security for PCI and Beyond

20 Pages Posted: 27 Mar 2007

Ulf T. Mattsson

Protegrity Corp.

Date Written: February 2, 2007

Abstract

For many years external security threats received more attention than internal ones, but the focus has changed. Worms, viruses and the external hacker were once perceived as the biggest threats to computer systems. What is often overlooked is the potential for a trusted individual with special privileges or access to steal or modify data. While viruses and worms are serious, attacks perpetrated by people with trusted insider status (employees, ex-employees, contractors and business partners) pose a far greater threat to organizations, in terms of both potential cost per occurrence and total potential cost, than attacks mounted from outside. Well-documented breaches have heightened the public's and regulatory agencies' concerns about how well companies are securing consumer-specific information captured at the point of acquisition. Extended partnerships mean that more and more tasks will be performed outside the physical boundaries of company facilities, which adds another level of due diligence we must take into account. The reason insider attacks hurt disproportionately is that insiders can and will take advantage of trust and physical access. In general, users and computers accessing resources on the company's local area network are deemed trusted. In practice, we do not firmly restrict their activities, because an attempt to control these trusted users too closely will impede the free flow of business. And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker. While databases are often protected by perimeter security measures and the built-in security functionality of the RDBMS (Relational Database Management System), they remain exposed to legitimate internal users to some degree. Because database environments are distributed in a fragmented way, real-time patch management, granular auditing, vulnerability assessment and intrusion detection become hard to achieve.

With the growing percentage of internal intrusion incidents in the industry and tougher regulatory and compliance requirements, companies face tough challenges both to protect their sensitive data against internal threats and to meet regulatory and compliance requirements.

Keywords: PCI, VISA, CISP, SB1386, COMPLIANCE, MASTERCARD

JEL Classification: C88

Suggested Citation

Mattsson, Ulf T., Data Security for PCI and Beyond (February 2, 2007). Available at SSRN: https://ssrn.com/abstract=974957 or http://dx.doi.org/10.2139/ssrn.974957

Ulf T. Mattsson (Contact Author)

Protegrity Corp.

One Cantebury Green
Stamford, CT 06901
United States

HOME PAGE: http://www.ulfmattsson.com
