4 Security Tips From PCI DSS 4.0 Anyone Can Use

To security professionals, compliance may not be the sexiest subject. It is an important one, however, for a variety of reasons. The security team are important stakeholders in governance, risk, and compliance (GRC) efforts, and thus, those efforts deserve an appropriate amount of attention within the goals and priorities of the security organization.

Lately, many compliance standards and frameworks have evolved to include requirements that look a lot more like security best practices than mere checkboxes. The PCI DSS 4.0 standard is a great example of this. How so? Let's use this standard to go through a few examples.

Before we do, let's establish who PCI DSS is for. The Payment Card Industry Security Standards Council (PCI SSC), a group of credit card industry players, set up and administers the standard. Any entity that accepts payments on cards from PCI SSC member brands, including Visa, Mastercard, American Express, Discover, JCB International, or UnionPay, needs to keep cardholders' data safe.

In other words, all businesses that accept credit card payments must comply with this standard. The latest version, 4.0, was released in March 2022, with a two-year transition period.

According to the PCI Security Standards Council, "This transition period, from March 2022 until 31 March 2024, provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements." On March 31, PCI DSS 4.0 will become the only active version of the standard.

The current timing gives us a great opportunity to work through a few of the changes in v4.0, particularly as they relate to us as security professionals.

1. Avoid Malicious Scripts

After a spate of attacks and fraud resulting from malicious third-party scripts injected into a variety of legitimate business websites, PCI DSS was updated in 2023 to include two new requirements: 6.4.3 (manage payment page scripts to prevent skimming) and 11.6.1 (deploy a mechanism to detect skimming).

The first requirement, 6.4.3, dictates that companies confirm the authorization and integrity of every script loaded on a payment page and keep an inventory of those scripts with a written justification for why each one is necessary. The second requirement, 11.6.1, says that companies must deploy a mechanism that evaluates the HTTP headers and payment page content as received by the consumer's browser, run that evaluation at least weekly, and alert personnel to any unauthorized modification.

These two requirements mean that businesses will need to essentially deploy two additional controls, one protective and one detective:

  • Protective Control: Proactively ensure that there are no malicious scripts on payment pages (third-party or otherwise)

  • Detective Control: Monitor scripts on payment pages and alert when malicious scripts are detected

Aside from being a requirement of the updated standard, these two controls are also a good idea and a great way to improve an organization's security posture.
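As an added example (not code from the original article or from the PCI SSC), the Python script below sketches both controls together: an authorized script inventory with SRI hashes and a written justification for each script (the protective side, 6.4.3), and an audit that compares a payment page and its HTTP headers, as a consumer's browser would receive them, against that baseline and reports every inline, unauthorized or altered script and every changed header (the detective side, 11.6.1). All URLs, script bodies and header values are constructed sample data; a real deployment would fetch the live page from an external vantage point on the weekly schedule and route the findings to an alerting channel.

```python
import base64, hashlib
from html.parser import HTMLParser
def sri_hash(body: bytes) -> str:  # Subresource Integrity value: "sha256-" + base64(sha256(body))
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

# Constructed sample data (hypothetical URLs, script body and header values).
CHECKOUT_JS = b"window.tokenizeCard = function (pan) { return fetch('/tokenize', {method: 'POST', body: pan}); };"
CHECKOUT_URL = "https://pay.example.com/js/checkout.js"
# 6.4.3: inventory of authorized payment page scripts, URL -> (expected SRI hash, written justification)
INVENTORY = {CHECKOUT_URL: (sri_hash(CHECKOUT_JS), "Tokenizes card data before the form is submitted")}
# 11.6.1: expected response headers of the payment page (names are compared case-insensitively)
HEADER_BASELINE = {"content-security-policy": "script-src 'self' https://pay.example.com"}

class ScriptCollector(HTMLParser):  # gathers every <script> tag: src, integrity attribute, inline body
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_payment_page(html, headers, inventory=INVENTORY, baseline=HEADER_BASELINE):
    """Compare a received page and its headers with the baseline; return the list of findings."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:  # inline scripts cannot carry SRI and are never in the inventory
            findings.append("inline script not in inventory: " + s["body"].strip()[:40])
        elif s["src"] not in inventory:
            findings.append("unauthorized script: " + s["src"])
        elif s["integrity"] != inventory[s["src"]][0]:  # missing or changed integrity attribute
            findings.append("integrity missing or changed: " + s["src"])
    received = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline.items():
        if received.get(name) != expected:
            findings.append("header missing or changed: " + name)
    return findings

# Constructed page as a consumer's browser might receive it: the authorized tag plus an injected one.
TAMPERED_PAGE = (f'<html><body><script src="{CHECKOUT_URL}" integrity="{INVENTORY[CHECKOUT_URL][0]}"></script>'
                 '<script src="https://cdn.example.net/analytics.js"></script></body></html>')
```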

2. Install and Maintain Network Security Controls

The PCI DSS Quick Reference Guide has been updated in parallel with the standard itself. For example, look at this point from requirement 1 of the "Summary of PCI DSS v4.0 Requirements 1–12" section of the document:

"Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules. Traditionally this function has been provided by physical firewalls; however, now this functionality may be provided by virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology."

This acknowledges the far more complex networks we now operate. What it means for businesses, practically speaking, is that they will need to address network security in hybrid and multicloud environments, most likely by adopting a distributed cloud strategy.

3. Develop and Maintain Secure Systems and Software

Requirement 6 in the Quick Reference Guide has this interesting tidbit: "Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures."

This screams the need for proper API security. Of course, a secure software development lifecycle (SSDLC) is an important component of this. Beyond that, though, businesses will also need to know when systems in the cardholder data environment change and establish that those changes follow proper change control procedures.

This highlights a number of important considerations for security teams:

  • Strict inventory and management of APIs

  • Mature ability to apply policies and controls consistently across all APIs in all environments

  • Robust API security capability to ensure that APIs are properly protected against attacks and fraud

  • Sophisticated API discovery capability to ensure that APIs deployed "under the radar" can be discovered, inventoried, and managed

The ability to properly secure APIs will be a crucial one for businesses in the coming years, as APIs are rapidly becoming the linchpin of modern business.

4. Ensure Logging, Visibility, and Monitoring

Requirement 10 of the Quick Reference Guide states that companies need logging mechanisms: "The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is difficult, if not impossible, without system activity logs."

Now, of course, as security professionals, we know this already. But have we stopped to consider whether we have the proper level of visibility across our hybrid and multicloud environments? If we don't, how do we plan to obtain that visibility?

These are important questions that businesses need to consider as part of PCI compliance, but they are also important as part of their security strategy in general. Businesses will need to ensure that they have proper logging and monitoring across their hybrid and multicloud environments, and they will need to use that visibility to properly monitor those environments for security, fraud, abuse, and compliance issues.

Security Practices Go Beyond Credit Cards

The updates in v4.0 of PCI DSS are good ones. Besides updating the standard to incorporate the evolving threat landscape and the preponderance of hybrid and multicloud environments, these updates provide excellent guidance for security teams looking to improve their organization's security posture. I would argue that what is good for payment card security is good for the overall security of a business.