Then there's vendor management. Some of our vendors process credit cards and must meet new, more rigorous PCI rules for third-party vendors, including some that relate to contract wording. This will affect things like our content delivery network (CDN). Many of our CDN vendors decrypt network traffic in order to inspect it for Web application security issues and other things before re-encrypting it and sending it to our servers. Since that traffic may contain credit card data, those vendors will have to be in compliance.
The new requirements for PCI compliance will also require regular testing of our infrastructure, including application and system penetration tests from both external and internal locations. Of course, it's a constant struggle to ensure that our apps and servers are maintained in a secure manner. We already run monthly credentialed and non-credentialed scans from our internal network, and we have two qualified application security vendors and other vendors run scans against our infrastructure from the public Internet. We are well aware of the value of this. Our main application goes through many changes throughout the year, and it's all too easy for a programmer or system administrator to inadvertently introduce application vulnerabilities such as cross-site scripting or open redirects, or for a sysadmin to forget a vendor patch.
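The open redirect mentioned above is a good illustration of how a small change can slip a vulnerability into a frequently modified application, and of what a scanner is looking for. The following is an added example, not code from the column or from the author's organisation: a naive "redirect wherever the `next` parameter says" handler beside a hardened validator that only follows redirects to an assumed allowlist of the site's own hostnames (`shop.example` is a constructed placeholder). It uses only the Python standard library and handles the edge cases that typically defeat a quick string check, such as scheme-relative `//host` targets, backslash variants, userinfo tricks and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Assumed for the example: the hostnames the application is served from.
ALLOWED_HOSTS = {"shop.example"}
FALLBACK = "/"


def naive_redirect_target(next_param: str) -> str:
    """The vulnerable pattern: trust the parameter as-is.

    A login page that does `redirect(request.args['next'])` like this will
    send users to any site an attacker puts in the link.
    """
    return next_param or FALLBACK


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host over http(s)
    or is an absolute path on the current site."""
    if not target:
        return False
    # Tabs, newlines and other control characters are stripped or tolerated
    # by browsers and can smuggle a scheme past a simple prefix check.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat backslashes as forward slashes, so '/\evil.example'
    # is really '//evil.example'; normalise before parsing.
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, mailto:, ...
    if parts.netloc:
        # Covers 'https://evil.example', '//evil.example' and
        # 'https://shop.example@evil.example' (hostname is evil.example).
        host = (parts.hostname or "").lower()
        return host in allowed_hosts
    # No authority component: accept only a same-site absolute path.
    # '//' and '///' prefixes are rejected because browsers resolve them
    # as scheme-relative URLs to another host.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(next_param: str) -> str:
    """The hardened pattern: validate, and fall back to a known-good page."""
    return next_param if is_safe_redirect(next_param) else FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, as a scanner or test suite might send them.
    samples = [
        "/account",
        "https://shop.example/checkout",
        "https://evil.example/phish",
        "//evil.example",
        "/\\evil.example",
        "https://shop.example@evil.example/",
        "https://shop.example.evil.example/",
        "javascript:alert(1)",
        "evil.example",
        "",
    ]
    for s in samples:
        print(f"{s!r:45} naive -> {naive_redirect_target(s)!r:45} "
              f"hardened -> {safe_redirect_target(s)!r}")
```

The design choice worth noting is the allowlist: checking that the target host is one of our own names is far more robust than trying to enumerate bad prefixes, and it is the same check an application scanner effectively performs when it reports an open redirect.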
Gaining the PCI stamp of approval will take months. I will be reviewing policies, ensuring that processes are in place and generating the plethora of evidence needed by the auditors to prove that we meet the hundreds of requirements imposed by PCI.