Every organisation aiming to achieve PCI DSS compliance has an area of common concern;...
Introduction and Background
Let's take a look at what PCI DSS compliance is, and how your business can get compliant.
The Payment Card Security Council set out a simple goal when creating the organisation:
‘protect their payment systems from breaches and theft of cardholder data’
The Council was formed nearly two decades ago by a syndicate of credit card providers. The Council’s stated goal was about improving security safeguards at every step of card transaction processing. The business driver was a commercial imperative – to protect cardholder data. To enable this outcome a security standard was created that mandated safeguards and defined processes that met the agreed objectives – Payment Card Industry Data Security Standard (PCI DSS or just PCI). The standard is now in its third iteration having matured to meet emerging challenges as the security landscape has evolved.
Which Australian organisations must be PCI Compliant?
The standard is very clear on merchant obligations required to handle cardholder data.
Any entity that:
- accepts credit cards
- processes credit cards
- transmits cardholder data
- stores cardholder data
The caveat in the standard is that many smaller organisations now have the means to accept credit cards and transact business with portable point-of-sale (POS) terminals like Square or with commercial providers like PayPal.
In this scenario, the onus of achieving compliance is less clear. Small businesses may accept cards and process the transaction but cardholder data is not stored. The counterpoint is that cybersecurity is so critical to delivering commerce that it borders on corporate negligence not to have the basic PCI safeguards in place.
How are Australian retail organisations performing in 2019?
Australia’s Notifiable Data Breach statistics revealed that during the second quarter of 2019, 15 data breaches were reported by retailers with a turnover greater than $3M per annum. Cardholder data has a ready resale market on the dark web and, statistically, retailers appear to be a more attractive target for criminals than other industries.
Link: Notifiable Data Breach statistics April 1 to June 30, 2019
What is the business driver for implementing PCI DSS?
The goal of implementing PCI is to define a series of baseline security safeguards that will better protect cardholders’ data and reduce the risk and incidence of credit card fraud. The PCI standard mandates a series of security controls and requires that merchants implement a sequence of predetermined audits to validate compliance. The standard has a sting in the tail. The Payment Card Security Council may enforce punitive penalties in the event of a data breach if compliance is not maintained. The Council may impose onerous fines or restrict transactions until controls are meeting compliance edicts. Ultimately, the PCI standard enforces greater business discipline and encourages a culture of best practice across the organisation when combined with rigorous training and ongoing refresher courses.
Who must comply with the PCI DSS standard?
PCI compliance standards are overseen by the PCI Security Standards Council who define a minimal standard for controls required to protect cardholder data. PCI’s “Merchant Level” defines the granularity of controls needed to protect cardholder data and depends on revenues and/or the number of annual transactions. As a guide, the lower merchant level for PCI compliance is 20,000 annual transactions while the upper threshold is 6 million.
| PCI Merchant Level | Annual Transactions Threshold |
|---|---|
| Level 1 | Over 6 million per annum |
| Level 2 | Between 1 and 6 million per annum |
| Level 3 | Between 20,000 and 1 million per annum |
| Level 4 | Less than 20,000 per annum |

To complicate things further, card providers (“acquirer” is the technical term) contractually enforce validation with their merchant partners. Agreements differ depending upon the card acquirer but typically address three prerequisites:
External Vulnerability Scan
This is a mandatory requirement for all merchants and a task that’s regularly scheduled by organisations that take cybersecurity seriously. Organisations like Stickman are certified Approved Scanning Vendors (ASVs) that offer vulnerability scanning as a service and can help identify where the special focus should be applied to safeguard cardholder data.
Card acquirers contractually require Level 1 and 2 merchants to undertake external assessments to ensure compliance with their agreements. Certified Quality Security Assessors (QSAs) undertake the review to ensure compliance with PCI standards.
Self-Assessment Questionnaire (SAQ)
The SAQ is a validation tool used by merchants and service providers who are not required to undergo the scrutiny of an onsite assessment.
These examples are taken from the Mastercard website but all of the major card acquirers have similar levels of oversight that complement PCI’s rigorous guidelines and policies.
The nuts and bolts of PCI accreditation
The PCI DSS standard is made up of twelve broad “controls” that are broken down into 220 subsectors. These controls must meet PCI standards with their configuration and dependencies fully documented. As the technology has advanced, so too have the choices available to meet the stated prerequisites. Achieving a tick in the box may not deliver the best ROI on an organisation’s spend, but convincing management of this can occasionally be easier said than done.
- Install and Maintain a Firewall Configuration to Protect Cardholder Data
Owning and maintaining a firewall is a standard part of every foundation security framework. The role of the firewall has morphed over time, with the typical office system often serving many more roles than just stopping bad folks gaining access to corporate assets. This has added greater complexity to administering filtering devices and securing internet-facing access. In most organisations, it falls to the “generalist” IT team to configure and maintain firewalls and security controls, but this approach poses many risks. A misconfigured firewall may provide a false sense of security and presents a grave danger to overall security. The skill level needed to maximise the firewall ROI is analogous to that of a surgeon. Likewise, typical IT professionals are GPs who must be able to solve a multitude of daily challenges that cross technical boundaries. The configuration is one thing, but firewall optimisation is also vital to ensure fast network performance and maximise staff productivity. Cloud computing solves many business computing requirements, but securely integrating cloud into legacy DMZ environments is fraught with risk. Microsoft’s Azure and Amazon’s AWS are ecosystems that are in constant flux as new features are added, updated or reach their end of life (EOL). Cloud specialists have difficulties keeping abreast of this change and it may be unfair to place the responsibility on generalist IT staff.
One solution worth considering is a managed Firewall service where you have access to security focussed engineers with the requisite skills and business acumen needed to align security with business processes. This approach helps cash-flow and maximises ROI.
- “Do not use vendor-supplied defaults for system passwords and other security parameters”
It’s still amazing that security technology ships with default login credentials like “admin + admin”.
Dedicated websites exist that list default passwords, with “cirt.net” offering 2,000 passwords from 500 IT vendors. Fortunately, hardware vendors are finally adding forced reset to their equipment to change passwords at initial power-up. Sadly, this only solves one password challenge that administrators must contend with. Login credentials, passwords and other security settings are created to protect and harden your PCI compliant environment. Passwords, password policy and resets can demand swathes of IT support time at enormous financial and opportunity cost. Added safeguards like multi-factor authentication should be deployed and those annoying monthly password refreshes dispensed with. Legacy password policies are circumvented and lead to weaker security and higher operating costs. Password sharing should be made a sackable offence: this will focus employees’ minds on better security.
- “Protect Stored Cardholder Data”
There’s a simple rule of thumb in the security industry: try to avoid storing cardholder data. It’s attractive loot with a ready resale market. This is one area where protecting data has improved at a much lower cost.
When the PCI standard was created, encrypting data was expensive and complex but as technology has evolved and the cost of hardware security modules (HSM) has fallen, in-house encryption delivers a rapid ROI and peace of mind. Alternatively, solutions from AWS and Azure offer Cloud-based storage that complies with FIPS-140 – Level 3 accreditation that will meet most cryptographic control requirements.
- Encrypt Transmission of Cardholder Data across Open, Public Networks
Using older protocols for encrypted transmission poses a grave risk to securing cardholder data. The Internet Engineering Task Force (IETF) has ratified TLS 1.3 but older versions of TLS and SSL are used in production environments today. Get rid of them and update to the latest supported version that integrates with your PCI safeguards.
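One way to find the older protocol versions still enabled in production is to audit the web server configuration. The following is an added example, not part of the original article: it assumes an nginx-style `ssl_protocols` directive, treats everything older than TLS 1.2 as legacy (an assumption of this example), and runs against constructed sample configs with a hypothetical host name.

```python
import re

# Assumption for this example: protocol versions older than TLS 1.2 are legacy.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CURRENT = {"TLSv1.2", "TLSv1.3"}
# Matches an uncommented nginx ssl_protocols directive and captures its values.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#\n]+);", re.MULTILINE)


def audit_ssl_protocols(config: str) -> list:
    """Return one finding per ssl_protocols directive found in the config text.

    A config with no directive at all returns an empty list: the server then
    uses its built-in default, which this check cannot see and does not judge.
    """
    findings = []
    for m in DIRECTIVE.finditer(config):
        enabled = m.group(1).split()
        legacy = [p for p in enabled if p in LEGACY]
        unknown = [p for p in enabled if p not in LEGACY | CURRENT]
        findings.append({
            "line": config.count("\n", 0, m.start()) + 1,
            "enabled": enabled,
            "legacy": legacy,
            "unknown": unknown,
            "ok": not legacy and not unknown,
        })
    return findings


# Constructed sample configs (hypothetical host name), weak beside corrected.
WEAK_CONF = """\
server {
    listen 443 ssl;
    server_name pay.example.test;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_CONF = WEAK_CONF.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for f in audit_ssl_protocols(conf):
            print(name, f"line {f['line']}", "legacy:", f["legacy"] or "none")
```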
- Use and Regularly Update Anti-Virus Software or Programs
Security safeguards that mitigate virus and malware threats are now typically part of a suite of features that protect against data exfiltration, offer real-time threat analysis and, most importantly, can be centrally managed. Firewalls offer ingress protection against threats based on the feature set, vendor partnerships and allegiances. Delivering the best ROI requires the dispassionate review of how internal systems and processes can be supported. The term now used is “endpoint” protection, which encompasses mobile devices too. Careful research and close collaboration with a security partner (like Stickman) is vital to ensure that this safeguard doesn’t become a vulnerability.
- Develop and Maintain Secure Systems and Applications
Software patching failures have topped the list of security blunders since the widespread deployment of IT systems. If organisations took a more diligent and disciplined approach to patching, global cybersecurity would be greatly enhanced. Solving this limitation is best achieved by automating patching across operating systems and applications. Don’t forget firmware either. Almost anything that is internet facing poses grave risks to business: access-points, printers, routers and firewalls are typical examples of devices that have been compromised because of patching failures.
- Restrict Access to Cardholder Data
In the realm of military defence, the concept of security clearance is implemented across servicepeople.
In a commercial context the expression “need to know” sums up the best practice approach to handling sensitive cardholder data. Access should be limited based on roles, responsibilities and underpinned with a security policy that applies the need-to-know concept across all corporate data.
- Assign a Unique ID to Each Person with Computer Access
For most organisations, the unique identifier is an employee’s email address. To compound the issue, email addresses tend to follow a corporate protocol for efficiency – first name dot last name @ the organisation. That’s logical and productive but reduces PCI security particularly against brute-force attacks. For better security consider implementing multi-factor authentication across the board but singularly focus on protecting those stakeholders with elevated security access. Administrators and senior management are good candidates for this upgrade. Specific groups like HR or Finance who handle sensitive data should also be prioritised for two-factor deployment.
- Restrict Physical Access to Cardholder Data
Don’t forget to lock the doors and windows.
- Track and Monitor Access to Network Resources
Proactive security management can be automated with a Security Information and Event Management (SIEM) system that provides real-time analysis of information systems. The SIEM logs activity from across the enterprise and identifies “anomalous” behaviour that could indicate a security incident. What vendors don’t tell you before they sell you these systems is that it’s vital to have the resources available to configure, manage and monitor the system, or the purchase is almost pointless. To deliver the best ROI, work with a security partner who has made the investment in a Network Operations Centre that operates 24/7 and has dedicated security engineers able to review network activities on your behalf.
- Regularly Test Security Systems and Processes and the Need for PCI Policies and Procedures
The security of your organisation is built upon three key deliverables;
It’s incumbent on management to understand their legal obligations as well as their responsibility to stakeholders and to do their utmost to protect digital assets and privacy. Penetration testing and vulnerability assessments are a mandatory requirement for meeting PCI compliance. Please refer to our blog post that details the minutiae of Pen Testing for a more granular overview.
- Maintain a Policy that Addresses Information Security
The job isn’t done until the paperwork is finished!
Ensure security policies are kept current and the documentation meets PCI standards. Good documentation can help new hires quickly learn and implement policy and maintain your organisation’s security posture too. Given the enormous cost and time required to meet PCI documentation standards, it’s important that the effort expended helps produce better security outcomes.
Conclusion: Actionable PCI Security that delivers a measurable ROI
Meeting and maintaining PCI compliance shouldn’t be viewed in isolation from other security initiatives. Where possible, combine PCI projects and upgrades with other initiatives to drive change that delivers better security across the organisation. This will improve the ROI of your PCI budget too. Finally, don’t forget the unwritten 13th PCI compliance rule. Every dollar invested in security and awareness training is a dollar well spent. The Australian government’s notifiable breach legislation has shown that one-third of security failures can be directly attributed to human error. One in three!
Links and Resources:
PCI data storage – do’s and don’ts
Stickman Insights – Penetration Testing
Stickman Insights – Compliant. Certified. Still insecure?