The PCI Data Security Standard (PCI DSS) is a compliance standard designed to guard payment card security. A retailer violating PCI-DSS compliance faces fines and penalties not to mention the ensuing lawsuits that come from a security breach of customer personally identifiable information (PII). The growth of enterprise mobility and Bring Your Own Device (BYOD) can seem at odds with maintaining PCI compliance.
I recently had the chance to speak with Ed Fox, VP of Network Services and Max Silber, Director of Wireless Services of MetTel , a telecommunications service provider that works with mobile carriers to provide MDM services to customers. The company does a lot of work with PCI compliance and mobility.
BYOD and endpoint device management for PCI compliance
"MDM is great and provides the first layer on the device but you kind of need if you want to go BYOD," according to Fox. "This is kind of where it gets sticky. You need endpoint device management right?"
Fox went as far to point at some of the mobility and security solutions that Raytheon, a defense and intelligence contractor has recently commercialized but still in use by the United States military. While Raytheon is big in defense contractor circles, this is the first mention I've come across about them as a potential mobile security vendor. Fox likes how Raytheon manages logs down to the device-level, does analysis, and reports anomalies. Recommending a security solution from a defense contractor that protects classified networks brings home the crucial nature of mobile security and PCI compliance.
"Putting in Raytheon for example on somebody else's device and that person even wanting it on there," said Fox. "That whole liability piece comes into play."
Achieving PCI compliance with BYOD
"An MDM provider is a software layer. The security is only as good as what you set it to be," Silber continued. "The biggest issue we see on a corporate liable or a corporate provided mobile device a corporation really has more of a decision process around what they can limit the device to do. Which inherently means you can upgrade the level of security and get to a place where the entire infrastructure is in compliance."
"The issue comes into play when you have scenarios like BYOD where you can't really restrict all the components that you want to restrict on a personal device because ultimately that is a personal device," Silber offered. "Companies and CIOs have to make decisions whether it's more important for them to hit a certain level of compliance or to be popular among their user pool."
According to Silber, more often than not on a BYOD environment they choose to be popular and keep the security levels lower than they probably should be what MetTel encounters during the course of their PCI compliance work
"That's probably why you've had resistance around the topic because ultimately it's very complicated, and it has a lot of moving components but beyond that it also has some political ramifications in an organization because mobile devices are a very personal device and individuals who bring their own device don't want to be restricted on the use of those devices," Silber told me.
Fox predicted that PCI compliance is going to become even more complicated when companies begin to add the Internet of Things (IoT) and Machine to Machine (M2M) technologies to their enterprise infrastructure. He sees the technologies opens even more security risks.
I asked how a retailer could achieve PCI compliance with tablets and smartphones that their staff use on the showroom floor and back in the warehouse.
"We have clients who do that today," Fox responded. "In all our experience today, it takes place on corporate-owned devices."
He further explained that the devices are locked down from downloading other The devices are also put on a separate WiFi network or a hidden WiFi network that's on a separate VLAN with a high-end firewall.
"We definitely see it successful and pass PCI compliancy," Fox stated.
I then threw in the vice president, who wants to use their personal iPhone for work to the scenario.
"You can get through PCI with mobile device management on that device, Fox responded. You can pass at the time of audit and satisfy 80% of the auditors I'm sure that's Day Zero."
He further stated, "On day One, he downloads something else and it's a changed environment."
Fox advised checking out Samsung KNOX for containerization and its device level security. He likes KNOX because the solution is Federal Information Processing Standard (FIPS) certified, a United States Federal government security standard and it secures mobile hardware against buffer overflows and other attacks.
MetTel uses AirWatch by VMware because they find it does a great job of setting up the environment. Fox pointed out on day two when something happens that we didn't set up for can be another story.
Mobility and PCI compliance day by day
Fox and Silber draw a picture of PCI compliance and mobility based on MDM and device level security. Their approach to mobile and BYOD security fits into the more holistic mobile security approaches that are sweeping across numerous industries
Fox was quick to point out that mobility and PCI compliance also require two separate mindsets. Day 0 requires focusing business rules and answering questions around device and data security.
"Day one," Fox offered. "Assume you are breached because everyone is to one degree or another."
"The big thing is a lot of people are compliant on audit day, Fox said. "But on day one they are not."