For security professionals, compliance may not be the most attractive topic, but it is important for a variety of reasons. Security teams are important stakeholders in governance, risk and compliance (GRC) efforts and, therefore, their efforts deserve appropriate attention within the security organization’s goals and priorities.
Lately, many compliance standards and frameworks have evolved to include requirements that look much more like security best practices than simple checkboxes. The PCI DSS 4.0 standard is a great example of this. Why? Let’s use this standard to give some examples.
But first let’s start with a little background: The Payment Card Industry Security Standards Council (PCISSC) is a group of credit card industry players that establishes and administers the standard. Any entity that accepts credit card payments from PCISSC members (including Visa, Mastercard, American Express, Discover, JCB International and UnionPay) must keep card users’ data safe.
In other words, all businesses that accept credit card payments must comply with this standard. The latest version, 4.0, was released in March 2022, with a two-year transition period.
According to the PCI Security Standards Council, “This transition period, from March 2022 to March 31, 2024, provides organizations time to become familiar with the version 4.0 changes, update reporting templates and forms, and plan and implement changes to meet the updated requirements.” On March 31, PCI DSS 4.0 will become the only active version of the standard.
The current times provide us with a great opportunity to work on some of the changes in v4.0, particularly as they pertain to us as security professionals.
1. Avoid malicious scripts
After a series of attacks and fraud resulting from third-party malicious scripts placed on a variety of legitimate business websites, PCI DSS was updated in 2023 to include two new requirements: 6.4.3: Manage checkout page scripts to prevent skimming, and 11.6.1: Implement a mechanism to detect skimming.
Requirement 6.4.3 requires businesses to confirm the authorization and integrity of all payment page scripts, and to maintain an inventory of those scripts with a written justification for why each one is needed on the payment page. Requirement 11.6.1 states that companies must set up a mechanism that evaluates the HTTP headers and payment page content received by a consumer’s browser, alerts staff to unauthorized changes, and performs this evaluation at least weekly.
These requirements mean that companies will essentially have to implement two additional controls, one protective and one investigative:
- Protective control: proactively ensure there are no malicious scripts on your checkout pages (third-party or otherwise).
- Investigative control: monitor the scripts on checkout pages and alert you when malicious or unauthorized scripts are detected.
In addition to being a requirement of the updated standard, these controls are also a good idea and a great way to improve an organization’s security posture.
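As an added illustration (not code from the article or from the PCI SSC), here is a small Python check that does the two things these requirements ask for: it builds a script inventory from a reviewed baseline of the payment page (6.4.3), then audits a later capture of the page and its response headers against that baseline and reports drift (11.6.1). The page contents, URLs and justification text are constructed examples; feeding it a real capture means fetching the page as a browser would and passing the HTML and headers in.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    # Collects every <script> on a page: external src, SRI attribute and inline body.
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"body": "", **{k: dict(attrs).get(k) for k in ("src", "integrity")}}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts

def script_identity(script):
    # External scripts are identified by URL, inline ones by the SHA-256 of their body.
    return script["src"] or "inline:sha256:" + hashlib.sha256(script["body"].strip().encode()).hexdigest()

def build_inventory(approved_html, justifications):
    # 6.4.3: authorized scripts taken from a reviewed baseline page, each with a written justification.
    return {script_identity(s): justifications.get(script_identity(s), "justification pending")
            for s in collect_scripts(approved_html)}

def audit_payment_page(current_html, response_headers, inventory):
    # 11.6.1-style check: report scripts and headers that drifted from the approved baseline.
    findings = []
    for s in collect_scripts(current_html):
        ident = script_identity(s)
        if ident not in inventory:
            findings.append(f"unauthorized script: {ident}")
        elif s["src"] and not s["integrity"]:
            findings.append(f"external script without SRI integrity attribute: {ident}")
    if "content-security-policy" not in {k.lower() for k in response_headers}:
        findings.append("missing Content-Security-Policy header")
    return findings

# Constructed sample pages (not from any real site): the reviewed baseline and a later capture.
APPROVED_PAGE = ('<script src="https://pay.example.invalid/checkout.js" integrity="sha384-CONSTRUCTED">'
                 "</script><script>document.getElementById('pay').disabled = false;</script>")
CAPTURED_PAGE = APPROVED_PAGE + '<script src="https://cdn.example.invalid/extra.js"></script>'
JUSTIFICATIONS = {"https://pay.example.invalid/checkout.js": "card form handling"}
```

Running `audit_payment_page(CAPTURED_PAGE, headers, build_inventory(APPROVED_PAGE, JUSTIFICATIONS))` on a weekly schedule, with the findings routed to the on-call queue, is the alerting half of 11.6.1; the inventory dictionary is the artifact an assessor will ask for under 6.4.3.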
2. Install and maintain network security controls
The PCI DSS Quick Reference Guide has been updated in parallel with the standard itself. For example, look at this point from requirement 1 of the “Summary of PCI DSS v4.0 Requirements 1–12” section of the document:
“Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical firewalls based on predefined policies or rules. Traditionally this function has been provided by physical firewalls; however, this functionality can now be provided by virtual appliances, cloud access controls, virtualization/container systems, and other software-defined networking technologies.”
This is a nod to the much more complex world we live in from a networking perspective. What this means for businesses, in practice, is that they will need to address network security needs in hybrid and multicloud environments, most likely by adopting a distributed cloud strategy.
3. Develop and maintain secure systems and software
Requirement 6 of the Quick Reference Guide has this interesting tidbit: “Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures.”
This highlights the need for adequate API security. Of course, the secure software development life cycle (SSDLC) is an important component of this. Beyond this, however, companies will also need to know when systems in the cardholder data environment change and to establish that those changes follow appropriate change control procedures.
This highlights a number of important considerations for security teams:
- Rigorous API inventory and management.
- A mature ability to apply policies and controls consistently across all APIs in all environments.
- Robust API security features to ensure APIs are adequately protected from attacks and fraud.
- Sophisticated API discovery functionality to ensure that APIs deployed “under the radar” can be discovered, inventoried and managed.
The ability to adequately protect APIs will be crucial for businesses in the coming years, as APIs are quickly becoming the core of modern business.
4. Ensure logging, visibility and monitoring
Requirement 10 of the Quick Reference Guide states that companies must use logging mechanisms: “Having logs in all environments allows for thorough monitoring and analysis if something goes wrong. Determining the cause of a compromise is difficult, if not impossible, without system activity logs.”
As security professionals, we already know this. But have we stopped to consider whether we have the right level of visibility into our hybrid and multicloud environments? If we don’t, how do we plan to get that visibility?
These are key questions for companies to consider as part of PCI compliance, but they are also important as part of their overall security strategy. Companies will need to ensure they have adequate logging and monitoring in their hybrid and multicloud environments and will need to use that visibility to adequately monitor those environments for security, fraud, abuse and compliance issues.
Security practices go beyond credit cards
The updates in v4.0 of PCI DSS are good. In addition to updating the standard to incorporate the evolving threat landscape and the preponderance of hybrid and multicloud environments, they provide excellent guidance for security teams looking to improve their organizations’ security posture. I would argue that what’s good for payment card security is good for a company’s overall security.