How Patch Management Plays an Important Role in PCI Compliance

by: Sanjay Castelino, VP and Market Leader, SolarWinds

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard for any organization that stores, processes or transmits cardholder data, whether it is a merchant, a payment processor or a financial institution such as a credit union. It is maintained by the PCI Security Standards Council, founded by the major card brands, to reduce payment card fraud and protect cardholder data, and it sets rules for how that data is stored, transmitted and accessed. Organizations found non-compliant face heavy fines from the card brands and acquirers and, in the worst case, loss of the ability to process card payments. Visa's removal of Global Payments from its list of validated PCI DSS-compliant service providers after the 2012 breach is a recent example of how things can go wrong when a payment company falls out of compliance.

For an organization to validate PCI DSS compliance it must maintain a high degree of system security, which involves:

  • Maintaining a secure infrastructure
  • Encrypting cardholder data whenever it is transmitted, especially across open, public networks
  • Having a strong vulnerability management program at every level
  • Maintaining effective data handling procedures
  • Regular auditing of IT resources
  • Maintaining a strong log and event management system

PCI DSS defines twelve requirements. Two of them, requirements 5 and 6, make up the "Maintain a Vulnerability Management Program" goal:

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

PCI DSS rules pertaining to Patch Management

  • Keep all system components and software protected from known vulnerabilities by installing the latest vendor-supplied security patches. Critical security patches must be installed within one month of release (Requirement 6.1 in PCI DSS v2.0)
  • Establish a process to identify newly discovered security vulnerabilities and assign them a risk ranking, so that patches are prioritized and applied as soon as the vendor makes them available (Requirement 6.2)
  • Test patches in a separate test environment before deploying them to production, for internal and external-facing applications alike
  • Follow documented change-control procedures for every patch and software version deployed (Requirement 6.4)
  • Keep records of what was patched, where and when, so that patch status can be demonstrated to an assessor
  • Subscribe to vendor security bulletins and reputable industry sources to learn about new vulnerabilities and the patches that fix them
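A practical way to turn the first two rules above into a repeatable check is to compare a host inventory against the vendor advisory feed you subscribe to and flag anything that is still unpatched past its deadline. The Python script below is an added example written for this article; it is not SolarWinds code and not part of Patch Manager. The advisory identifiers, host names, versions and dates are constructed sample data, the 90-day target for non-critical patches is an assumed internal policy rather than a PCI DSS figure, and the version comparison is deliberately simple.

```python
"""Flag hosts missing vendor security patches and overdue against PCI DSS.

Added example for this article (not SolarWinds or Patch Manager code).
All advisories, hosts, versions and dates are constructed sample data.
"""
import re
from datetime import date, timedelta

# PCI DSS 6.1 (v2.0): critical security patches within one month of release.
CRITICAL_SLA_DAYS = 30
# Assumed internal target for non-critical patches; not a PCI DSS figure.
OTHER_SLA_DAYS = 90

# Constructed vendor advisory feed (the security sources you subscribe to).
ADVISORIES = [
    {"id": "ADV-2012-001", "product": "openssl", "fixed_version": "1.0.1c",
     "severity": "critical", "released": date(2012, 5, 10)},
    {"id": "ADV-2012-002", "product": "apache", "fixed_version": "2.2.22",
     "severity": "high", "released": date(2012, 1, 31)},
    {"id": "ADV-2012-003", "product": "java-jre", "fixed_version": "1.6.0_33",
     "severity": "critical", "released": date(2012, 6, 12)},
]

# Constructed inventory of in-scope (cardholder data environment) hosts.
INVENTORY = {
    "pos-web-01": {"openssl": "1.0.1a", "apache": "2.2.22"},
    "pos-db-01": {"openssl": "1.0.1c", "java-jre": "1.6.0_31"},
    "pos-app-01": {"openssl": "1.0.1c", "apache": "2.2.21", "java-jre": "1.6.0_33"},
}


def version_key(version):
    """Split '1.6.0_33' or '1.0.1c' into comparable tokens.

    Numbers compare numerically, letters lexically, and numbers sort
    before letters.  Deliberately simple: real vendor schemes (RPM epochs,
    Debian tilde versions) need the vendor's own comparison routine.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def is_patched(installed, fixed_version):
    """True when the installed version already carries the fix."""
    return version_key(installed) >= version_key(fixed_version)


def sla_days(severity):
    """Deadline in days after release, by advisory severity."""
    return CRITICAL_SLA_DAYS if severity == "critical" else OTHER_SLA_DAYS


def missing_patches(inventory, advisories, today):
    """Return one finding per (host, advisory) where the fix is not installed."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["product"])
            if installed is None:
                continue  # product absent on this host: advisory does not apply
            if is_patched(installed, adv["fixed_version"]):
                continue
            deadline = adv["released"] + timedelta(days=sla_days(adv["severity"]))
            findings.append({
                "host": host,
                "advisory": adv["id"],
                "product": adv["product"],
                "installed": installed,
                "fixed_version": adv["fixed_version"],
                "severity": adv["severity"],
                "age_days": (today - adv["released"]).days,
                "deadline": deadline,
                "overdue": today > deadline,
            })
    return findings


def run_check(today_iso):
    """Run the check against the sample data as of a given ISO date."""
    return missing_patches(INVENTORY, ADVISORIES, date.fromisoformat(today_iso))


def overdue(findings):
    """Subset of findings that are already past their deadline."""
    return [f for f in findings if f["overdue"]]


if __name__ == "__main__":
    results = run_check("2012-07-01")
    for f in results:
        status = "OVERDUE" if f["overdue"] else "due " + f["deadline"].isoformat()
        print(f"{f['host']:<11} {f['advisory']} {f['product']} {f['installed']} -> "
              f"{f['fixed_version']} [{f['severity']}] age {f['age_days']}d {status}")
    print(f"{len(overdue(results))} of {len(results)} missing patches are past deadline")
```

Run as of 1 July 2012 the sample data yields three missing patches, two of them past deadline: the critical OpenSSL fix on pos-web-01 (52 days old, well beyond the 30-day window) and the Apache fix on pos-app-01. The Java fix on pos-db-01 is missing but still inside its window. The same report, generated on a schedule and archived, is the evidence an assessor will ask for when checking Requirement 6.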

Need for a strong patch management solution

Failing to implement a strong vulnerability management program not only jeopardizes PCI DSS compliance but puts the entire organization at risk. Unpatched systems are where malware gains its foothold, which in turn threatens the stability and performance of the environment your critical business services run on.

Patch Management can be an error-prone, mind-numbing task if not automated

A recent survey of more than 130 IT professionals found that they spend a substantial amount of time patching by hand:

  • Almost half of the respondents said their organizations deploy patches one at a time.
  • 46 percent said it takes three or more hours per patch to research, script and test a third-party patch.
  • 23 percent reported that once a patch has been vetted, deploying it takes two to three days; 13 percent said four to five days and 17 percent said six to seven days.

With an automated tool, companies can cut the time it takes to patch from days and weeks to hours. According to the same survey results, SolarWinds Patch Manager brings the process of researching, testing, scripting and deploying a patch down to an average of 2.5 hours.

Assess your environment against known vulnerabilities for which there is a patch and remediate quickly. Download Patch Manager, free for 30 days.


Sanjay Castelino is a VP and Market Leader at SolarWinds, an IT management software provider based in Austin, Texas. Sanjay leads the company's initiatives around its end-to-end IT solutions for network, SIEM, storage and virtualization management, and is responsible for the company's product strategy and go-to-market efforts in these markets. www.solarwinds.com
