The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. While there are different merchant levels, defined by the volume of transactions over a 12-month period, noncompliance can result in fines ranging from $5,000 to $500,000 per month. And if a merchant suffers a breach that results in data being compromised, it may be escalated to a higher validation level.
Without Accurate Time, You Can’t Be Compliant
One aspect of PCI DSS Compliance that is often overlooked or poorly implemented is time. Accurate time is essential for synchronizing critical systems and providing the ability to correlate events and logs with a high degree of certainty. Without accurate time, it is almost impossible to piece together the sequence of events of a breach, which is crucial for forensic analysis. This is especially true in distributed systems where data centers and systems are becoming more and more disparate.
Time is also essential to security functions. It is used in various authentication protocols to help prevent replay attacks, in which an attacker reuses a captured authentication token to maintain access to a system. SSL, for example, relies on timestamps for certificate validation. Inaccurate time can lock users out of a system, because the server’s certificate can appear to be expired or not yet valid. Disabling the certificate check to work around this leaves servers vulnerable, and could allow someone who has gained access to stay in the system indefinitely. The same applies to time-based two-factor authentication such as Google Authenticator, RSA SecurID, and others.
It’s All in Requirement #10.4
In fact, time is such an important aspect of PCI DSS compliance that a section is devoted to it, Requirement 10.4:
Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time:
- 10.4.1 Critical systems have the correct and consistent time.
- 10.4.2 Time data is protected.
- 10.4.3 Time settings are received from industry-accepted time sources.
Although the Network Time Protocol (NTP) is a good example of time-synchronization technology, simply using NTP to synchronize your systems isn’t enough. To meet the requirements for correct and consistent time, time-data protection, and industry-accepted time sources, you need to get time from an official, traceable source. Free or public time sources are not good enough: they tend to be inaccurate and unreliable, and, worst of all, their accuracy is impossible to prove. Here is a link to another whitepaper showing results from some of the common public sources: Internet Time White Paper.
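As an added example (not from the original whitepaper), here is a script that audits `ntpq -pn` output collected from each critical system against 10.4.1 and 10.4.3: it flags hosts that are free-running, synchronized to a source outside the approved in-house GPS servers, not reliably reaching their peer, or off by more than the tolerance. The server addresses, thresholds and sample output are assumed and constructed for the example.

```python
import re

# Assumed for this example: in-house GPS-disciplined NTP servers and audit thresholds.
APPROVED_SOURCES = {"10.10.0.5", "10.10.0.6"}
MAX_OFFSET_MS = 50.0   # assumed tolerance for "correct" time (10.4.1)
MAX_STRATUM = 2        # assumed: at most one hop below a stratum-1 GPS server

# One data row of `ntpq -pn`: column 0 is the tally code ('*' = the peer the daemon is
# synchronized to); reach is octal, and 377 means all of the last eight polls succeeded.
PEER_RE = re.compile(
    r"^(?P<tally>[ *+#o\-x.])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+"
    r"\S+\s+\d+\s+(?P<reach>[0-7]+)\s+[-\d.]+\s+(?P<offset>[-\d.]+)\s+[-\d.]+\s*$"
)

def parse_ntpq(output):
    """Return the peer rows of `ntpq -pn` output as dicts (header lines are skipped)."""
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            p = m.groupdict()
            p["st"], p["offset"] = int(p["st"]), float(p["offset"])
            peers.append(p)
    return peers

def audit_host(hostname, output):
    """Return 10.4 findings for one host; an empty list means the host passes."""
    selected = [p for p in parse_ntpq(output) if p["tally"] == "*"]
    if not selected:
        return [f"{hostname}: 10.4.1 no selected NTP peer, clock is free-running"]
    p, findings = selected[0], []
    if p["remote"] not in APPROVED_SOURCES:
        findings.append(f"{hostname}: 10.4.3 synchronized to unapproved source {p['remote']}")
    if p["reach"] != "377":
        findings.append(f"{hostname}: 10.4.1 peer {p['remote']} unreliable (reach={p['reach']})")
    if abs(p["offset"]) > MAX_OFFSET_MS:
        findings.append(f"{hostname}: 10.4.1 offset {p['offset']} ms exceeds {MAX_OFFSET_MS} ms")
    if p["st"] > MAX_STRATUM:
        findings.append(f"{hostname}: 10.4.1 stratum {p['st']} exceeds {MAX_STRATUM}")
    return findings

# Constructed sample output, not captured from a real system.
GOOD = """     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.0.5       .GPS.            1 u   12   64  377    0.412    0.031   0.015
+10.10.0.6       .GPS.            1 u   40   64  377    0.530   -0.120   0.022
"""
BAD = """     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.7     198.51.100.9     3 u   17   64   17   12.310  248.120  30.200
"""
```

Run `audit_host` over the output gathered from every system in scope; any non-empty result is evidence to fix before an assessor asks for it.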
A better approach is to deploy an enterprise-class GPS-based NTP time server inside the cardholder data environment. A GPS-based NTP time server at each physical e-commerce data-handling facility ensures that you comply with section 10.4 of the PCI DSS. Time derived from such a source is accurate, reliable and legally traceable. And now, with the addition of the powerful new STL timing signal, deploying timing has never been easier or more secure.
What Is STL?
STL is a timing reference that can be used to accurately synchronize network clocks using an easy-to-deploy indoor antenna. Rather than running an antenna cable to the roof to get sync, STL lets you use a small patch antenna installed at your server rack. The STL signal is also encrypted, making it highly secure. Contact us to learn how a GPS-based timing system ensures compliance with PCI DSS requirement 10.4 in a way that is easy, inexpensive and virtually maintenance-free.