sign in sign up
<<
Home , Financial services, Payment card industry

Flash Point Paper

PCI DSS Compliance across and Top PCI DSS Facts to Keep in Mind 1. Validation of compliance is not a check off item. It requires PCI DSS Complexities annual third party and internal With its requirements in place for well over assessments a decade, the Data Standard (PCI DSS) has effected 2. If your is hacked many changes across the retail and financial or found to be breaching PCI services industries. This industry regulation’s regulations, you may face stringent yet prescriptive security requirements hefty fines have improved information security programs, built out IT resiliency, and minimized overall 3. There are four levels of compliance risks in countless ways across of all sizes. PCI DSS has set the 4. If you experience a data breach standard and changed the way that many you then must meet the most approach security, compliance, stringent merchant assessment and overall IT governance. Based on my criteria (not at all pleasant observations and experience working in or cheap) these industries along with what the security studies are showing, PCI DSS is having a lasting impact. Still, PCI DSS compliance doesn’t mean Of all the compliance regulations I have security perfection. Retail and financial consulted with clients on with over the years services incidents and breaches still occur. (HIPAA, GLBA, etc.), PCI DSS is the one that stands out. Why is that? Is it related to the The interesting thing about PCI DSS high-risk, and thus high-security, nature of compliance is that given all of the efforts financial services? Perhaps it’s because involved, i.e., QSA , ASV vulnerability of the high-profile retail security breaches scans, and those who have to complete the we’ve seen in recent years? Maybe it’s self-assessment questionnaires, an organi­za­ because of the severe penalties associated tion can be fully compliant with PCI DSS right with noncompliance or the fact that it’s up until the point of a breach. Documentation an industry—rather than government— is in place, processes appear to be working, regulation. I’m not fully sure but I do know and technical controls are implemented— that PCI DSS addresses security from all yet the unthinkable occurs. Somewhere, the right angles, including authentication somehow along the way someone forgot to and access control, patching, and specific do something correctly. Or, perhaps, technical requirements around ongoing vulnerability controls were what I like to call under and penetration testing. I think part of implemented—a situation where the controls what has helped businesses establish and are in place but not being utilized as intended maintain buy-in on PCI DSS is its level of or to their fullest potential. There could even specificity on what needs to be done. be situations such as weaknesses in business PCI DSS Compliance across Retail and Financial Services

processes or core systems were never Of course, that could be said about many to get their done, much less figure out uncovered and people with ill intent found other things in security. Still, you must do what how to do it for hundreds or even thousands and exploited them. you can to strike a balance across all areas. of users. That said, a lackadaisical approach to authentication and access will likely prove Sources of Risk Another thing that I often witness is oversight to be indefensible in the eyes of the card Looking at the bigger picture, there are some and confusion related to which systems , the PCI Security Standards Council, areas of risk and, thus, opportunity that need actually process cardholder information and and other parties involved when a cardholder to be addressed in the context of PCI DSS whether or not the end client is responsible data incident or confirmed breach occurs. compliance. Regardless of your level of or it’s the responsibility of an up/downstream security maturity, you need to pay special third-party vendor. Furthermore, and for similar As with any other regulation, compliant does attention and continually look for gaps reasons, I see retail-based systems that not mean secure. PCI DSS is a set of rules involving cardholder data access. That’s what are running extremely outdated operating should be followed to the letter where it’s it really boils down to. Many people search systems and applications which furthers the reasonably possible and then go beyond for the latest techniques or advanced security challenges, especially as it relates that where you can. I’ve seen organizations to help solve this challenge but to truly locking down and controlling access in retail and financial services treating PCI it’s just not necessary in most environments. in order to minimize exploits. DSS more as suggestions or best practices to Instead, it’s just taking the core principles shoot for. That’s not a smart—or sustainable— associated with access control and doing These risks are not just what I’m seeing approach. Security is a numbers game. them really well. in my work. They’re also underscored by When you combine the number of credit annual security studies. For example, the card transactions and number of cardholder Reduction in PCI scope is a key part of 2018 Verizon Data Breach Investigations records with growing information systems maximizing access control. I still see a lot of Report found that application authentication complexity, it’s a matter of time before your systems that store and process cardholder attacks are prevalent in the financial and retail controls are put to the test. Compliance is data outside the perceived cardholder data industries. As the report states “essentially good, but security should be the goal. environment. Or, there are under secured the criminals are turning a PCI compliant systems that can access the cardholder data application that does not store payment card Solid authentication and access controls environment that are outside of the protected data into a very non-PCI-compliant and criminal- applies to endpoints, network systems, scope and, thus, creating risks. A common controlled data harvester.” Additional insight and the core applications and databases weakness is systems with connectivity into is provided by the 2018 Trustwave Global themselves—whether mobile or in the cloud. applications and databases that are not Security Report which found that the largest I think the precedent that is being set by running with multifactor authentication (MFA). single share of security incidents involved PCI DSS is: Under PCI DSS, all non-console access into in the retail industry—16.7%. Although a • Does it meet the base security the cardholder data environment must be reduction from the previous year, it’s still requirements? secured with MFA but it’s rare to see this a troubling finding not unlike and • Is it properly implemented? level of control. industry which made up 13.1% of all incidents. The Trustwave report also found • What else can be done to make it better One area where I’m seeing people struggle— that e- systems made up the majority and further protect cardholder data? and rightly so—is restricting access based of all incidents affecting retail. On the financial But don’t just let the PCI Security Standards on business need to know. This concept is side, it was corporate/internal networks Council fully dictate how you run your great, but it can be difficult to implement. where the majority of incidents occurred. security program. These are also great This approach is especially challenging if you questions to ask yourself to look for don’t know who is supposed to have access, More Than Compliance opportunities on a broader scale. don’t have proper buy-in from the various I think many enterprises try to take the path of business units, or have no way of enforcing least resistance and most convenience when Minimizing PCI DSS-related risks goes it. I would argue that implementing business addressing authentication and access control. beyond control and prevention. It also has to need to know across your cardholder data It’s totally and completely understandable. involve automated threat/incident response environment is easier technically that it I don’t envy anyone who must jump through in order to quell the impact and actions of a is operationally, culturally, and politically. dozens of hoops daily just to access systems threat on the cardholder data environment.

2 Contact us at CyberRes.com Like what you read? Share it.

This could apply to a rogue user, such as where things stand and then take the a contractor with ill intent, attempting to necessary steps to keep things in check. gain access to point-of-sale systems. It can At the end of the day, a low-risk cardholder also apply to a malicious actor with stolen data environment comes from a mindset credentials and even malware looking to of resiliency and a philosophy of common exploit records—both stored or sense. Mostly, it’s about discipline—doing traversing the network in real-time. Where what’s right for the business rather than there’s a lack of automation, there’s a lack just doing what you’re told. of insight. And lack of insight often leads to unnecessary security challenges. Written by Kevin Beaver, CISSP Kevin Beaver is an independent information Remember, with PCI DSS, the mandates are security consultant, writer, professional all about controlling access to cardholder speaker, and expert witness with Atlanta- data and being able to respond to incidents based Principle Logic, LLC. With over three if they do crop up. I don’t think perfection is decades of experience in the industry, expected. However, security controls mean Kevin specializes in performing independent nothing unless and until you determine your security assessments and consulting to risks, document your policies and standards, help his clients uncheck the boxes that and implement the proper technologies to keep creating a false sense of security. see it all through in the right ways for your He has authored/co-authored 12 on business. This is especially important in retail information security including the best-selling and financial services given the visibility of Hacking For Dummies and The Practical these industries and what there is to lose in Guide to HIPAA Privacy and Security terms of expansive amounts of credit card- Compliance. In addition, he’s the creator of related records. the Security On Wheels information security audio books and blog providing security Good security goes beyond PCI DSS learning for IT professionals on the go. Requirement 8 (Identify and authenticate Kevin can be reached at through his access to system components) and practically at www.principlelogic.com and you can everything else in that regulation. The important follow him on Twitter at @kevinbeaver. thing is to ensure that you truly understand

784-000002-001 | M | 05/21 | © 2021 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the , and other countries. All other marks are the property of their respective owners.