News

Blog: What Is PCI DSS 3.0 & Are You Ready For It?

30/01/2015

To the average person, PCI DSS 3.0 may not mean much, however, this new Payment Card Industry Data Security Standard affects us all. Implemented from Jan 1st 2015, this new standard aims to elevate security and protection against data breaches.

With an estimate of between hundreds of millions to half a billion of credit and debit card records lost or stolen due to data breaches since 2013, this standard could not be more timely. The technology involved in cyber-attacks and hacking is constantly evolving, which means that those involved in card security must be ever more vigilant.

In 2014 the most common point of vulnerability, allowing for data breaches, was the exploitation of remote access methods. Data breaches occurred due to the ability of hackers and the like to install viruses and malware onto data systems where cardholder data is stored, processed and/or transmitted.

These vulnerable data systems tend to be the back-office PCs which support the payment systems. Unfortunately many of these PCs are not appropriately protected, for instance they often lack tamper-responsive detection, which means they are extremely susceptible to malware attacks. The infrastructure of these systems just isn’t good enough!

However, in addition to these infrastructure problems, retail organisations have to contend with many other vulnerabilities, such as the lack of an effective process to enable them to apply such security standards and ensure they comply with PCI DSS.

Protecting against data breaches is absolutely vital and must be incorporated into business as usual activities, something which will hopefully be reinforced by the introduction of PCI DSS v3.0

Companies are encouraged to:

1. Constantly monitor risks

If an organisation is constantly monitoring their data systems, it enables them to react a lot faster should there be a potential breach.

Recommended business as usual activities include:

– Ensuring all code changes (patches), systems configurations and settings are kept up to date;

– Training all staff to ensure they can recognise suspicious activity;

– Ensuring staff follow web best practice guidelines (e.g. robust, secure passwords);

– Conducting a daily analysis of data logs in order to spot and react to anything suspicious;
– Ensuring all third-party vendors are audited to make sure your systems are not exposed to unprotected access.

2. Apply steady, effective controls

Having reliable and robust payment system controls in place will ensure you are always aware of what is occurring within your systems.

Recommended business as usual activities include:

– Being aware of where your customers/clients’ cardholder data is at all times and installing protective controls so you can speedily react to any attack, e.g. installing anti-virus software;

– Ensuring you’re ready to defend against unknown threats (e.g. new malware and attacks focused on exploiting a previously unknown vulnerability in your system). Note that if your data system protection relies solely on signature-based controls, you are unlikely to have sufficient security! You need to ensure you have a “defence in depth” strategy and that you are able to deploy additional controls in order to adequately identify and stop these kinds of attacks. (Refer to PCI DSS Requirement 5);

– Utilising enterprise whitelisting controls will allow you to have greater control over the software that is trusted within your payment system processes, whilst helping to limit malware’s ability to infect your data systems. Whitelisting adds another layer to your protection and is therefore well worth integrating into your controls.

3. Assess new threats regularly

Despite risk analysis being crucial to the success and survival of every single organisation, many companies do not pay as much attention to it as they should. It is crucial to policy enforcement that threats are assessed regularly, after all, you can’t fix what you don’t know about!

Recommended business as usual activities include:

– Regularly updating PCs and checking older computers are not running particularly vulnerable software;

– Ensuring all ex-staff members have had their access rights to payment systems revoked;

– Regularly checking for new secure technologies and updating your systems as appropriate. Such as adding additional layers of protection through point-to-point encryption and tokenization (where sensitive data is substituted with a non-sensitive equivalent), both of which are established controls which can help protect cardholder data to a far greater extent.

PCI DSS 3.0 is very focused on the addition of protective layers, which will provide your organisation with a much more effective, defensive payment system security. Organisations have to accept that data breaches will never be a thing of the past; indeed, cyber-attacks are getting increasingly complex. However, ensuring you comply to security policies and standards will help you identify risks and protect your business and most importantly, your customers/clients’ cardholder data.