Valid card data is highly sought-after on the cybercrime underground. In fact, it’s helping to drive a global epidemic in payment fraud predicted to reach $40bn by 2026. In a bid to stem losses, the card industry created the Payment Card Industry Data Security Standard (PCI DSS) over two decades ago. No organization that processes, transmits or stores card data can afford to ignore it. Yet compliance can be onerous.
To help newcomers, we’ve put together a short three-part series of blogs outlining the 12 key requirements of PCI DSS 4.0, and six control objectives, which went into effect earlier this year. Together, they provide a comprehensive list of detailed best practices for complying organizations to follow.
They are:
- Requirement 1: Install and Maintain Network Security Controls
- Requirement 2: Apply Secure Configurations to All system Components
- Requirement 3: Protect Stored Account Data
- Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Requirement 5: Protect All Systems and Networks from Malicious Software
- Requirement 6: Develop and Maintain Secure Systems and Software
- Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
- Requirement 8: Identify Users and Authenticate Access to system Components
- Requirement 9: Restrict Physical Access to Cardholder Data
- Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
- Requirement 11: Test Security of systems and Networks Regularly
- Requirement 12: Support Information Security with Organizational Policies and Programs
Let’s take a look at the requirements under the first two control objectives: Build and Maintain a Secure Network and Systems and Protect Account Data.
Control Objective 1: Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls
Network security controls (NSCs) such as firewalls are a critical means of enforcing network policies controlling traffic flowing between different segments of an internal network, and between corporate networks and the internet. They examine each packet entering and leaving a segment and decide whether it should be allowed to pass or blocked, thus helping to prevent threat actors from getting into highly sensitive areas, and smuggling data out.
Requirement 2: Apply secure configurations to all system components
Default settings (or configurations) are commonly abused by threat actors to compromise systems. The most obvious example is default passwords, which can often be guessed or brute-forced with ease. Thus, applying secure configurations such as changing default credentials and even removing/disabling unnecessary software, services and accounts will dramatically reduce the attack surface.
Control Objective 2: Protect Account Data
Requirement 3: Protect stored account data
This gets to the heart of PCI DSS: protecting the card data itself. It’s arguably the most important objective, as if a threat actor manages to bypass other security controls recommended in the standard, it renders the data effectively unusable. The standard cites protection methods including encryption, truncation, masking and hashing as critical to account data protection.
Payment account data should only be stored if it is an essential business requirement, and sensitive authentication data must never be retained post-authorization. Other tactics suggested by PCI DSS to mitigate risk include truncating card numbers if the full number is not needed, and ensuring sensitive data is not sent unencrypted over messaging technologies like email and IM.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
PCI DSS 4.0 is very clear that primary account numbers (PANs) must be encrypted during transmission over networks that could be easily accessed by malicious third parties—eg untrusted and public networks. The same is true of the transmission of cardholder data across internal networks. Organizations can either secure the data prior to transmission, encrypt the session during which the data is transmitted, or both. The PCI DSS claims that threat actors continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols in order to reach PANs.
How SecurDPS supports PCI DSS compliance
Fortunately, comforte’s SecureDPS platform offers a clear pathway to helping organizations meet several of the key requirements and control objectives in PCI DSS 4.0. How? By offering:
- Automated and continuous data discovery and classification
- Multiple protection methods for pseudonymization & anonymization of data including format-preserving encryption and tokenization
- Seamless integration with third-party applications for rapid time-to-value
- Support for role-based access controls to bolster security
An independent analysis of the product by Coalfire attests to the fact that SecureDPS supports:
Requirement 2: Apply Secure Configurations to All System Components
2.2 System components are configured and managed securely.
Requirement 3: Protect Stored Account Data
3.4 Access to displays of full PAN and the ability to copy account data is restricted.
3.5 PAN is secured wherever it is stored.
3.6 Cryptographic keys used to protect stored account data are secured.
3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
With comforte's SecureDPS, organizations can help to reduce their PCI DSS compliance scope, which in turn minimizes the time, money and effort they must spend on compliance.
