
Why Complying with New PCI Standards Should Be Your Top Priority

by Phil Lewis
July 6, 2022
in Compliance and Regulation, Featured Content, Industry Opinions

COVID-19 accelerated the speed with which digital has become the preferred means of payment for many consumers and companies. Electronic payments are only increasing, and with them, more data needs to be shared and stored securely. As a result, the landscape is filling with more and more risk. How can complying with PCI standards help?

Today, almost 75% of organizations are targets of payment fraud, and the cost associated with these attacks continues to escalate. IBM’s 2021 Cost of a Data Breach Report put the average total cost of such cyber breaches at $5.72M for financial services.

Consequently, regulators and lawmakers worldwide are now subjecting companies’ security practices to greater scrutiny to ensure they are addressing foundational cyber hygiene to minimize risks and keep customers’ payment card data safe. 

Global compliance standards and data security standards like PCI DSS have been central to this, explaining what companies need to do to protect their networks. But the number of breaches shows us that companies are still not achieving security from compliance. All too often they are relying on the bare minimum of security practices and tick-box compliance to keep customer data safe.

Companies that are serious about security, however, know that they need to follow the new rules set forth by the Payment Card Industry Security Standards Council (PCI SSC) in its Data Security Standard (DSS) as a top priority.

The standards outlined by the council in version 4.0 are designed to continue to meet the security needs of the complex and ever-changing payments industry. This new version boasts some of the most significant changes since 2004, including promoting security as a continuous process and no longer sampling where automation allows the assessment of every network device.

For many businesses, the changes will mean re-evaluating processes and investing in security automation, as well as using vulnerability management software to identify misconfigurations and continuously prioritize remediation based on risk, in line with the security practices in PCI DSS 4.0.

However, for companies that have previously treated compliance as an annual tick-box event for a sample of devices that appear secure, the new protocols require a complete change in mindset and approach to embrace the following best practices and improve network security.

To meet the recommendation of continuous security, adopting a zero-trust mindset is a wise step for all companies. Zero trust assumes that you can’t trust what’s inside the network because it has probably already been breached. As a result, all of your network devices inside the perimeter (switches and routers), as well as those securing the perimeter (firewalls), should be verified.

Implementing network segmentation will also prove beneficial. The PCI SSC already recommends this for the Cardholder Data Environment (CDE). Segmentation prevents lateral movement, helping to limit the attack surface, so that in the event of a breach there’s less damage. Many organizations that hold financial data use PCI-compliant firewalls to separate CDEs from other parts of the network. However, extending segmentation beyond the CDE is a valuable strategy for minimizing your attack surface generally and keeping the other critical parts of your network secure. It also helps teams manage which segments need to comply with other compliance standards.

And finally, companies should abandon sampling if they are serious about securing their networks. PCI DSS previously accepted that an audit of just a few devices was representative of the entire network/CDE. No longer. The body has recognized that this doesn’t provide a complete picture and is a risky approach. Automation to assess every network device, every day, can solve this, where it’s allowed, and will help meet compliance standards on a continuous basis. 

Whilst increasing accurate automation of the network device assessment process is key, it’s just the start. To deliver adequate zero-trust security from continuous compliance assessments of the CDE, companies need solutions that can provide accurate, risk-prioritized remediation advice. They need to know which vulnerabilities pose the most risk, not just to their compliance status but to their security posture and their business. And they need to know how to fix them. Only then can they inform remediation workflows in such a way as to maintain or improve their levels of both security and compliance.
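The two ideas above, assessing every device rather than a sample and ranking what you find by risk rather than by compliance status alone, can be sketched as a small assessment loop. This is an added illustration, not code from the article or from any PCI tooling; the inventory, the three configuration checks and the risk weighting are constructed for the example.

```python
"""Added example: assess every network device in a constructed inventory
(no sampling) and rank findings for remediation by risk."""
from dataclasses import dataclass

# Constructed inventory: name, network segment and a few configuration facts.
# Real tooling would pull these from each device's running configuration.
INVENTORY = [
    {"name": "fw-cde-1",   "segment": "CDE",  "mgmt": "ssh",    "snmp": "r3ad0nly-xyz", "segment_acl": True},
    {"name": "sw-cde-2",   "segment": "CDE",  "mgmt": "telnet", "snmp": "public",       "segment_acl": True},
    {"name": "rtr-corp-1", "segment": "CORP", "mgmt": "ssh",    "snmp": "public",       "segment_acl": False},
    {"name": "sw-corp-3",  "segment": "CORP", "mgmt": "ssh",    "snmp": "s3cure-comm",  "segment_acl": True},
]

# Hypothetical checks: (id, description, base severity 1-10, predicate on a device record).
CHECKS = [
    ("MGMT-CLEARTEXT", "cleartext management protocol enabled", 9,
     lambda d: d["mgmt"] == "telnet"),
    ("SNMP-DEFAULT", "default SNMP community string in use", 7,
     lambda d: d["snmp"] in {"public", "private"}),
    ("SEG-NO-ACL", "no ACL restricting traffic between segments", 8,
     lambda d: not d["segment_acl"]),
]


@dataclass
class Finding:
    device: str
    check_id: str
    description: str
    risk: int


def risk_score(base: int, device: dict) -> int:
    # Exposure weighting (assumed): the same misconfiguration on a CDE device
    # puts cardholder data at more risk than it does elsewhere in the network.
    return base * (2 if device["segment"] == "CDE" else 1)


def assess_all(inventory: list) -> list:
    """Run every check against every device and return findings, highest risk first."""
    findings = []
    for device in inventory:  # the whole inventory, never a sample
        for check_id, desc, base, predicate in CHECKS:
            if predicate(device):
                findings.append(Finding(device["name"], check_id, desc, risk_score(base, device)))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def device_summary(inventory: list, findings: list) -> dict:
    """Total risk per device; clean devices appear too, so the picture is complete."""
    summary = {d["name"]: 0 for d in inventory}
    for f in findings:
        summary[f.device] += f.risk
    return summary
```

The ordered findings list is what feeds a remediation workflow; the per-device summary is the full-coverage record an assessor can show instead of a sample.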

Will this work? We hope so. The track record isn’t great. According to a report by Verizon, in 2019, only 27.9% of global organizations maintained full compliance with PCI data security standards (DSS), a decline for the third year in a row. But this was before the added requirement to shift to security as a continuous process. So, the added flexibility of methodology and validation methods that 4.0 recommends will be key to enabling more companies to demonstrate compliance. We’ve got our eye on it and think it will be integral to reducing risk and delivering increased security from compliance. We hope that any business that needs to comply with PCI DSS agrees.

Tags: compliance, Compliance and Regulation, Data, Data Breach, data security, PCI, PCI Compliance, PCI Council, PCI-DSS, regulation, regulations, zero trust