PCI DSS Requirements and Common Control Failures

Editor’s note: This blog post is an excerpt from Hyperproof’s new ebook PCI DSS Compliance: Why It Matters and How to Obtain It.

Data breaches compromising sensitive cardholder data are incredibly common. In 2018 alone, $24.26 billion was lost to payment card fraud worldwide, and the United States accounted for the largest share of any country, with 38.6% of reported card fraud losses. Identity theft was the third largest cause of fraud in the U.S. in 2018.

When businesses don’t take precautions to secure their systems and network, they’re likely to be targeted. Sensitive cardholder data can be stolen from many places, including compromised card readers, paper stored in a filing cabinet, data in a payment system database, hidden cameras recording entry of authentication data, or a secret tap into your store’s wireless or wired network.  

In 2006, the major payment brands American Express, Discover, JCB International, MasterCard and Visa Inc. came together to address the need for a secure payment ecosystem and formed the PCI Security Standards Council. The Council maintains the PCI Data Security Standard (PCI DSS), a set of technical and operational requirements for organizations that accept, process, store or transmit payment card data, and for the developers and manufacturers of the applications and devices used in those transactions. By following the standard, organizations keep their defenses up and reduce the chance of suffering a costly attack aimed at stealing cardholder data.

What Are the Requirements Specified in the PCI Data Security Standard?  

If you accept or process payment cards, the following twelve requirements, grouped under six control objectives, apply to you.

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data to a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

What Are the Common PCI DSS Control Failures? 

The founding members of the PCI Security Standards Council continually monitor occurrences of account data compromise. Forensic analysis of compromises has shown that common security weaknesses, which are addressed by PCI DSS controls, are often exploited because PCI DSS controls either were not in place or were poorly implemented when the compromises occurred. 

Examples of common PCI DSS control failures include: 

  • Improper scoping. The scope of PCI DSS is the cardholder data environment (CDE): all of the systems, people, processes and technologies that store, process or transmit cardholder data. Systems that support or secure the CDE, or that can connect to it, are also in scope. Examples of in-scope supporting systems include antivirus, patch management and vulnerability scanning servers.

Organizations often try to reduce the scope of their PCI DSS effort with network segmentation: dividing one network into smaller segments so that communication between them is limited or prevented. Segmentation is not itself a PCI DSS requirement, and when it is done improperly an attacker who gets into a less secure zone (such as the office network) may be able to reach the merchant's cardholder data environment. Segmentation controls therefore have to be tested to confirm they actually isolate the CDE, not just documented.

  • Storage of sensitive authentication data (SAD), such as full track data, card verification codes or PIN blocks, after authorization. Many compromised entities were unaware that their systems were storing this data, often in POS software logs, debug output or database columns. Under PCI DSS, SAD may be used only to process the payment; it must not be retained after the authorization completes, even in encrypted form.
  • Inadequate access controls on improperly installed point-of-sale (POS) systems, letting attackers in through remote-access paths intended for POS vendors and integrators
  • Default system settings and passwords left unchanged when the system was installed
  • Poorly coded web applications with SQL injection and similar vulnerabilities, which give direct access from the website to the database storing cardholder data
  • Missing and outdated security patches
  • Lack of logging. Audit trails must be established for at least the following events, with enough storage to retain them (PCI DSS requires at least one year of log history, with the most recent three months immediately available for analysis):
    • All individual user accesses to cardholder data
    • All actions taken by anyone with root or administrative privileges
    • All invalid logical access attempts
    • Initialization, stopping or pausing of the audit logs, so that clearing a log is itself recorded
    • Access to the audit trails themselves, which must be secured and restricted to those with a job-related need
  • Lack of monitoring: no daily log review, no intrusion detection/prevention, no quarterly vulnerability scans and no change-detection (file integrity monitoring) mechanism
  • Encryption key management. The biggest challenge is using encryption and tokenization tools effectively. The standard's key-management fundamentals, which must be followed to prevent weaknesses in the process, cover key storage, key policy management, key authentication and key authorization.
  • Treating PCI DSS as an annual event rather than a continuous process. Compliance should be checked as part of your regular (quarterly or semiannual) security assessments, and daily operations should include a process for flagging exceptions as they occur and investigating them.
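The SAD-storage failure above is usually discovered by scanning what a system has actually written to disk. The following is an added example (not code from the original post or from Hyperproof) of such a scanner: it looks for Track 1 and Track 2 records, bare PANs and card verification codes, uses the Luhn check to discard digit runs that merely look like card numbers, and masks anything it finds so the report itself does not become stored cardholder data. The sample input is constructed for the example and includes a 16-digit order number that fails the Luhn check and is therefore not reported.

```python
import re

# Constructed sample of what a misconfigured POS or web tier might write to disk:
# a Track 2 record, a Track 1 record, a bare order number that is NOT a card
# number, a PAN in a database dump, and a CVV in a debug log.
SAMPLE = """\
2024-03-01 12:00:01 pos01 swipe=;4111111111111111=25121010000012345678?
2024-03-01 12:00:02 pos01 raw=%B5555555555554444^DOE/JANE^2512101?
INSERT INTO orders VALUES (1234567890123456, 'widget', 19.99);
INSERT INTO payments VALUES ('4242 4242 4242 4242', 'approved');
2024-03-01 12:00:05 web01 debug: cvv2=123 amount=19.99
"""

# Track 2: ;PAN=YYMM SSS discretionary?   Track 1: %B PAN ^NAME^ YYMM SSS ... ?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line; track matches take precedence over the PAN they contain."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            findings.append({"kind": kind, "pan": mask_pan(pan),
                             "luhn": luhn_ok(pan), "expiry": m.group(2)})
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # already reported as part of track data
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):               # drops order numbers, timestamps, etc.
            findings.append({"kind": "pan", "pan": mask_pan(digits), "luhn": True})
    for m in CVV_RE.finditer(line):
        findings.append({"kind": "cvv", "pan": None, "luhn": None})
    return findings


def scan(text: str) -> list:
    """Scan a multi-line blob and tag each finding with its 1-based line number."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            f["line"] = lineno
            out.append(f)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Run against a real system, point `scan` at POS logs, web server logs, database exports and core dumps; any `track1`, `track2` or `cvv` finding is a Requirement 3.2 violation regardless of encryption, and a bare `pan` finding means Requirement 3.4 rendering (truncation, hashing, tokenization or strong encryption) is missing.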
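The SQL injection failure above is easiest to see side by side with its fix. This added example (not code from the original post or from Hyperproof) builds a constructed customer table in an in-memory SQLite database, runs the same tautology payload against a lookup that formats user input into the SQL string and against one that passes it as a bound parameter, and shows that only the former leaks every row. The table stores a payment token rather than the PAN, which is the tokenization approach the post mentions; the rows and token values are invented for the example.

```python
import sqlite3

# Constructed sample data: the application keeps a token, not the PAN, so even a
# successful injection cannot dump card numbers from this table.
SAMPLE_ROWS = [
    ("alice@example.com", "tok_7f3a9c"),
    ("bob@example.com", "tok_2b8d11"),
    ("carol@example.com", "tok_e04c52"),
]

# Classic tautology payload: closes the quoted literal, appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pan_token TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO customers (email, pan_token) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The failure: user input is pasted into the statement text, so it becomes SQL.
    With PAYLOAD the query reads  ... WHERE email = '' OR '1'='1'  and matches every row."""
    sql = f"SELECT email, pan_token FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a parameterised query. The driver sends the value separately from the
    statement, so quotes in the input are data, never syntax, and the same payload
    simply fails to match any email address."""
    return conn.execute(
        "SELECT email, pan_token FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # all three rows
    print("safe:      ", lookup_safe(db, PAYLOAD))         # []
```

Note that `sqlite3.Connection.execute` refuses stacked statements, so a `'; DROP TABLE customers; --` payload raises an error here; many server-side drivers will happily run it, which is one more reason the formatted-string version must never reach production.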
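The logging and monitoring failures above come down to whether anyone reviews the audit trail for the events Requirement 10 names. This added example (not code from the original post or from Hyperproof) is a minimal daily log review over a constructed set of syslog-style lines: it raises an alert when one source produces repeated invalid access attempts inside a short window, records every privileged action taken through sudo, flags a privileged command that stops audit logging, and records each access to a cardholder record. The hostnames, users, addresses and the `payments:` message format are invented for the example; adapt the regexes to your own log sources.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: three failed logins from one address, a normal login,
# an admin stopping auditd via sudo, an application-level cardholder data read,
# and a lone failed login that should not trigger anything.
SAMPLE_LOG = """\
2024-03-01T12:00:01 cde-db01 sshd[1201]: Failed password for invalid user admin from 10.10.5.23 port 51122 ssh2
2024-03-01T12:00:03 cde-db01 sshd[1203]: Failed password for invalid user admin from 10.10.5.23 port 51124 ssh2
2024-03-01T12:00:05 cde-db01 sshd[1205]: Failed password for root from 10.10.5.23 port 51126 ssh2
2024-03-01T12:00:40 cde-db01 sshd[1210]: Accepted publickey for jdoe from 10.0.3.4 port 40022 ssh2
2024-03-01T12:01:10 cde-db01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
2024-03-01T12:02:00 cde-app01 payments: user=svc_report accessed cardholder record id=4481
2024-03-01T12:09:00 cde-db01 sshd[1300]: Failed password for bob from 10.0.3.9 port 40100 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?):\s*(.*)$")      # timestamp host program[pid]: message
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
CHD_RE = re.compile(r"user=(\S+) accessed cardholder record id=(\d+)")
# Commands that stop, disable or truncate the audit trail (Requirement 10.2.6 territory)
AUDIT_TAMPER_RE = re.compile(r"(?:stop|disable|kill)\S* auditd|auditctl -e 0|/var/log/audit",
                             re.IGNORECASE)


def review(text: str, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Walk the log once and return a list of alert dicts in log order."""
    alerts = []
    failures = defaultdict(deque)            # source address -> recent failure timestamps
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_s, host, program, msg = m.groups()
        ts = datetime.fromisoformat(ts_s)

        f = FAILED_RE.search(msg)
        if f:
            user, src = f.groups()
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the sliding window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"ts": ts_s, "host": host, "rule": "invalid_access_burst",
                               "detail": f"{len(q)} failed logins from {src} within "
                                         f"{window.seconds}s (last user {user})"})
                q.clear()                    # alert once per burst, not once per line
            continue

        s = SUDO_RE.match(msg) if program == "sudo" else None
        if s:
            actor, target, cmd = s.groups()
            alerts.append({"ts": ts_s, "host": host, "rule": "admin_action",
                           "detail": f"{actor} ran as {target}: {cmd}"})
            if AUDIT_TAMPER_RE.search(cmd):
                alerts.append({"ts": ts_s, "host": host, "rule": "audit_log_tampering",
                               "detail": f"{actor} interfered with audit logging: {cmd}"})
            continue

        c = CHD_RE.search(msg)
        if c:
            alerts.append({"ts": ts_s, "host": host, "rule": "chd_access",
                           "detail": f"{c.group(1)} read cardholder record {c.group(2)}"})
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a["ts"], a["host"], a["rule"], "-", a["detail"])
```

The `admin_action` and `chd_access` entries are not necessarily incidents; they are the records a reviewer is expected to look at every day, while `invalid_access_burst` and `audit_log_tampering` are the ones that should page someone. Feeding this from a central log server rather than the host itself also satisfies the requirement that audit trails be protected from the administrators whose actions they record.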

To learn more about how to meet the requirements of PCI DSS and secure your cardholder environment, check out the full guide PCI DSS Compliance: Why It Matters and How to Obtain It.


The post PCI DSS Requirements and Common Control Failures appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: