Blog | comforte

A Beginner’s Guide to PCI DSS 4.0: Requirements 5-9

Written by Mirza Salihagic | Nov 14, 2024

Data breaches reached a record high in the US last year, impacting over 350 million individuals. According to one estimate, financial services firms suffered the second highest total of breaches in 2023: 744. It’s not hard to imagine why. In many cases, threat actors will have been focused on targeting banks and other providers for the wealth of sensitive financial information they hold, like card data. This is exactly why the Payment Card Industry Data Security Standard (PCI DSS) was devised 20 years ago.

It’s not just financial institutions that must comply. Any organization that stores, transmits or processes cardholder data must meet a strict set of 12 requirements (and sub-requirements), which are helpfully arranged under six control objectives, according to the latest version of the standard: PCI DSS 4.0.

To help organizations, we’ve put together a short three-part series of blogs outlining these requirements and, where relevant, how comforte can help. Following on from the first instalment, this piece outlines Requirements 5-9:

Control Objective 3: Maintain a Vulnerability Management Program

Vulnerability management is a core cybersecurity best practice for good reason. Vulnerability exploitation remains one of the most popular attack vectors for ransomware and data breaches. According to Verizon, it accounted for 14% of all breaches in 2024, a 180% annual increase.

Requirement 5: Protect all systems and networks from malicious software

PCI DSS demands that complying organizations install an anti-malware solution that addresses all types of malicious software (e.g. viruses, worms, Trojans, spyware, ransomware, keyloggers and rootkits), and works across vectors ranging from email (phishing) to mobile devices.

Requirement 6: Develop and maintain secure systems and software

As discussed, vulnerabilities can be exploited to enable threat actors to access sensitive data and systems. That makes patching software promptly critically important. PCI DSS demands all systems have “appropriate” vendor software patches—which have been evaluated and tested—installed. For bespoke software, it recommends organizations apply secure coding techniques and software lifecycle (SLC) processes. Vulnerabilities in open source code repositories are also in scope.

Control Objective 4: Implement Strong Access Control Measures

Threat actors are increasingly capable of bypassing perimeter defenses by leveraging stolen or brute-forced credentials. In fact, over the past decade, use of stolen credentials was a factor in almost one-third (31%) of all breaches analyzed by Verizon. That makes access controls and least privilege policies essential.

Requirement 7: Restrict access to cardholder data by business need-to-know

PCI DSS mandates that systems and processes are in place to limit access based on “need to know” and according to specific job responsibilities (aka least privilege). This means employees are granted rights to access only the data they need to do their jobs and nothing more, for the minimum time necessary.

Requirement 8: Identify users and authenticate access to system components

Allocate a unique ID for each employee to ensure accountability for actions and make user monitoring easier. This covers all accounts including point-of-sale accounts, admin accounts, and any that are used to view or access payment account data. PCI DSS demands multi-factor authentication (MFA) for admins and users accessing the cardholder data environment (CDE), and says that MFA must be configured to prevent misuse.

Requirement 9: Restrict physical access to cardholder data

Physical access to systems that store, process or transmit cardholder data must also be restricted, to prevent unauthorized access and removal of data—for example on thumb drives or removable media.

How comforte can help

The good news is that comforte can help with your PCI DSS compliance journey. Our SecureDPS platform is designed to continually discover and classify sensitive information including cardholder data, wherever it resides. It then automatically applies strong protection such as format-preserving encryption or tokenization to protect that data in line with PCI DSS 4.0 requirements.

Additionally, an independent analysis of the solution by Coalfire confirmed the following ways comforte supports Requirements 5-9.

Requirement 7:

7.2 Access to system components and data is appropriately defined and assigned.

7.3 Logical access to system components and data is managed via an access control system(s).

Requirement 8:

8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.

8.3 Strong authentication for users and administrators is established and managed.

8.6 Use of application and system accounts and associated authentication factors is strictly managed.