It seems as if hardly a week goes by without news of some potentially catastrophic "zero day" vulnerability that threatens to turn our computers into playgrounds for nosy hackers. To ensure PCI compliance, merchants must install security patches on a regular basis to maintain up-to-date protection against system weaknesses. Neglecting to do this properly can cause several problems for a business: an organization that ignores security updates could not only fall victim to a data breach but fall out of PCI compliance as well. Businesses that still use Windows XP are being urged to upgrade to a more recent operating system, because Microsoft will end support for XP in 2014, at which point security patches for it will also cease.
The PCI Data Security Standard (PCI DSS) requires businesses to install security updates within one month of release. Merchants should maintain a written policy that ensures compliance with this requirement. Furthermore, companies should keep a list of the security updates that have been applied to their systems; this list should be checked against the most recent vendor-supplied security patch list to make sure that nothing has been overlooked.
Sometimes businesses have trouble applying these patches in a timely fashion. Harried IT personnel may be pleased to learn that the PCI DSS acknowledges this difficulty and allows for an optional "risk-based" approach to installing patches. Businesses may prioritize their security updates by arranging their various system components in a hierarchy, in which the most critical components are scheduled to receive updates sooner than less critical ones. Under this system, highly critical components (e.g., customer-facing systems) will still be updated with relevant security patches within the standard one-month period, but less critical devices can delay installing them for up to three months. Data-security personnel who are pressed for time can concentrate on addressing the important systems, without fear of violating the PCI DSS.
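The reconciliation the article describes (applied-patch list checked against the vendor's list, with a one-month deadline for critical components and three months for the rest under the risk-based approach) can be automated. The script below is an added illustration, not code from the article or from the PCI Security Standards Council; it assumes 30 and 90 days as the two deadlines and uses constructed patch identifiers and dates.

```python
from dataclasses import dataclass
from datetime import date

# Assumed interpretation of the PCI DSS windows: one month for highly
# critical components, three months for less critical ones.
DEADLINE_DAYS = {"critical": 30, "standard": 90}


@dataclass(frozen=True)
class Patch:
    patch_id: str   # vendor identifier (constructed sample values below)
    released: date  # vendor release date


@dataclass(frozen=True)
class Component:
    name: str
    criticality: str      # "critical" or "standard"
    applied: frozenset    # patch_ids recorded as installed on this component


def overdue_patches(component, vendor_patches, today):
    """Return (patch_id, days_past_deadline) for each vendor patch that is
    absent from the component's applied list and older than its deadline."""
    if isinstance(today, str):          # accept an ISO date from the CLI
        today = date.fromisoformat(today)
    limit = DEADLINE_DAYS[component.criticality]
    overdue = []
    for p in vendor_patches:
        if p.patch_id in component.applied:
            continue                    # installed: nothing to report
        age = (today - p.released).days
        if age > limit:
            overdue.append((p.patch_id, age - limit))
    return overdue


def compliance_report(components, vendor_patches, today):
    """Map component name -> overdue patches (empty list means compliant)."""
    return {c.name: overdue_patches(c, vendor_patches, today) for c in components}


# Constructed sample data; these are not real vendor bulletins.
VENDOR_PATCHES = [
    Patch("KB-0001", date(2014, 1, 10)),
    Patch("KB-0002", date(2014, 2, 20)),
    Patch("KB-0003", date(2014, 3, 25)),
]
COMPONENTS = [
    Component("pos-terminal", "critical", frozenset({"KB-0001", "KB-0002"})),
    Component("back-office-printer", "standard", frozenset({"KB-0001"})),
]

if __name__ == "__main__":
    for name, missing in compliance_report(COMPONENTS, VENDOR_PATCHES, "2014-04-30").items():
        print(name, "OK" if not missing else missing)
```

On the sample data, as of 2014-04-30 the critical POS terminal is flagged for KB-0003 (36 days old, 6 days past its 30-day window) while the less critical printer, missing two patches that are both under 90 days old, is still within its window.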