With violation penalties of up to $100,000 per month until full compliance is achieved, every entity processing cardholder data can't afford to miss a PCI DSS compliance gap. But with the expanding digital landscape increasing the complexity of information security, complying with the Payment Card Industry Data Security Standard is difficult unless you leverage a product that can help you track your compliance efforts.
In this post, we outline the essential features and capabilities of a PCI Compliance software solution that will bolster the security of your cardholder data environment and significantly minimize the chances of a non-compliance violation.
The 12 Compliance Requirements of PCI DSS 4.0
To effectively track PCI DSS alignment, a compliance solution should include features mapping to the updated version of this regulation - PCI DSS 4.0. A compliance tool that hasn’t adapted to the revised requirements in version 4 will fall significantly short of helping you achieve compliance, as version 4.0 introduces some dramatic changes.
The 12 core requirements of PCI DSS haven’t changed. They are as follows:
1. Implement and Maintain Network Security Controls
2. Implement Secure Configuration
3. Safeguard Stored Account and Cardholder Data
4. Have Improved Cryptography During Transmission of Cardholder Data
5. Improve and Maintain Protection Against Malware
6. Update and Maintain Systems and Apps
7. Limiting Digital Access to Cardholder Data
8. Limiting Physical Access to Cardholder Data
9. Assign a Unique ID for Each Authenticated User
10. Monitor and Report When Network Resources and Cardholder Data Are Accessed
11. Conduct Frequent Tests for Security Systems, Processes, Networks, and Devices
12. Create, Implement, and Maintain Information Security Policies
Note: Each PCI SSC payment card brand has its own set of PCI compliance requirements. Links to the compliance standards of some of the popular brand members are listed below.
3 Key Features for Tracking PCI DSS Compliance
The majority of PCI DSS’s requirements can be addressed with the following three cybersecurity initiatives:
- Vendor Risk Management
- Privileged Access Management
- Security Patch Management
If you prefer to keep your attack surface minimal by only implementing a single PCI DSS compliance solution, we highly recommend implementing a Vendor Risk Management tool. A VRM tool will help you track your overall PCI DSS compliance efforts by discovering internal and third-party risks impacting alignment with the compliance functions of PCI DSS.
1. Vendor Risk Management
The PCI Security Standards Council (PCI SSC), like most cyber regulations, recognizes the impact of service providers’ security practices on PCI DSS compliance efforts. As such, to be PCI DSS compliant, payment processing entities must secure their third-party attack surface with a Vendor Risk Management (VRM) program, as indicated in requirement 12.8.
Establish and implement policies and procedures to manage service providers where cardholder data is shared or may affect cardholder data security.
- PCI DSS Requirement 12.8
A component of Vendor Risk Management is regulatory compliance tracking, which, when mapped to the standards of PCI DSS, could serve as a helpful guide for tracking your overall compliance levels as influenced by internal and external (third-party) factors.
In the VRM lifecycle, regulatory compliance tracking occurs at its highest level in the due diligence phase and at its deepest levels in the assessment and monitoring stages. In the assessment phase, regulatory compliance is evaluated with security questionnaires and risk assessments mapping to the security requirements of PCI DSS and other standards to produce a report on compliance efforts. The monitoring phase continues this effort with vulnerability scans for tracking emerging compliance risks requiring immediate remediation to avoid violations.
An ideal PCI DSS compliance product will be capable of tracking PCI DSS compliance bilaterally by considering internal and third-party risk factors. This is best achieved with security questionnaires mapping to the standards of PCI DSS to be used for vendor assessments and self-assessment questionnaires.
Official Self-Assessment Questionnaires (SAQs) confirming attestation of compliance for merchants are available on the PCI Security Standards website.
Refer to this quick reference guide to ensure your Vendor Risk Management solution meets the security update goals of PCI DSS version 4:
- Do not use vendor-supplied default passwords for third-party solutions. Enforce complex passwords with password managers.
- Regularly evaluate the cybersecurity efforts of third-party vendors processing credit card data.
- Rapidly address vendor risks that could facilitate third-party breaches.
- Utilize a vendor tiering strategy to easily differentiate critical vendors processing credit card data.
How UpGuard Can Help
UpGuard offers a library of customizable security questionnaire templates mapping to the standards of PCI DSS and other popular regulations. Once a questionnaire is completed, UpGuard automatically detects security risks that impact compliance and heighten your risk of costly violations.
By including this PCI DSS compliance tracking feature within a Vendor Risk Management platform, compliance risks can be instantly pushed through a remediation workflow, helping you shut down PCI DSS compliance risks faster.
UpGuard also offers a vendor tiering feature that automatically assigns vendors to a criticality tier based on their questionnaire responses - a process that can be configured to your unique tiering requirements.
By configuring this tiering process so that all vendors processing credit card data are automatically assigned to a single critical tier, this group can be prioritized in Vendor Risk Management efforts to reduce the risk of third-party breaches resulting in costly PCI DSS violations.
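The questionnaire-to-requirement mapping and the tiering rule described above, as an added example that is not UpGuard's code. The questionnaire, the vendors and their answers are constructed; each question maps to one of the 12 requirement titles listed earlier in this post. The tiering rule is the one the text recommends: a vendor that handles cardholder data lands in the critical tier regardless of its answers, everyone else is tiered on open gaps, and unanswered questions are tracked rather than assumed compliant.

```python
"""Vendor questionnaire tracking mapped to PCI DSS requirements, with tiering.

Added example, not UpGuard's code. The questionnaire, the vendors and their
answers are constructed; each question maps to one of the 12 requirement
titles listed in the post.
"""
from dataclasses import dataclass, field

# Constructed questionnaire: question id -> (PCI DSS requirement title, question text)
QUESTIONNAIRE = {
    "Q1": ("Implement and Maintain Network Security Controls",
           "Do network security controls separate the CDE from untrusted networks?"),
    "Q2": ("Implement Secure Configuration",
           "Are vendor-supplied default passwords changed before deployment?"),
    "Q3": ("Safeguard Stored Account and Cardholder Data",
           "Is stored account data encrypted or truncated?"),
    "Q4": ("Have Improved Cryptography During Transmission of Cardholder Data",
           "Is cardholder data encrypted with strong cryptography over public networks?"),
    "Q5": ("Update and Maintain Systems and Apps",
           "Are security patches applied within a documented timeframe?"),
    "Q6": ("Limiting Digital Access to Cardholder Data",
           "Is access to cardholder data restricted to need to know?"),
    "Q7": ("Assign a Unique ID for Each Authenticated User",
           "Does every user have a unique ID?"),
    "Q8": ("Monitor and Report When Network Resources and Cardholder Data Are Accessed",
           "Is all access to cardholder data logged and reviewed?"),
    "Q9": ("Create, Implement, and Maintain Information Security Policies",
           "Are your own service providers managed under a written policy (12.8)?"),
}

@dataclass
class Vendor:
    name: str
    handles_card_data: bool
    responses: dict            # question id -> "yes" | "no" | "n/a"

@dataclass
class Assessment:
    vendor: str
    tier: str
    gaps: list = field(default_factory=list)        # (question id, requirement title)
    unanswered: list = field(default_factory=list)  # question ids with no answer

def assess(vendor: Vendor) -> Assessment:
    """Turn questionnaire answers into gaps per requirement and a criticality tier."""
    gaps, unanswered = [], []
    for qid, (requirement, _text) in QUESTIONNAIRE.items():
        answer = vendor.responses.get(qid)
        if answer is None:
            unanswered.append(qid)          # missing answers are tracked, not assumed compliant
        elif answer == "no":
            gaps.append((qid, requirement))
        # "yes" and "n/a" open no gap
    open_items = len(gaps) + len(unanswered)
    if vendor.handles_card_data:
        tier = "critical"                   # always prioritized, whatever the score
    elif open_items >= 3:
        tier = "high"
    elif open_items > 0:
        tier = "medium"
    else:
        tier = "low"
    return Assessment(vendor.name, tier, gaps, unanswered)

def requirements_with_gaps(assessments) -> list:
    """Roll every vendor's gaps up to the PCI DSS requirements they put at risk."""
    return sorted({req for a in assessments for _qid, req in a.gaps})

# Constructed vendor population
ALL_YES = {qid: "yes" for qid in QUESTIONNAIRE}
office = {**ALL_YES, "Q2": "no", "Q5": "no"}
del office["Q9"]                            # left blank by the vendor
VENDORS = [
    Vendor("CardPay Gateway", True, {**ALL_YES, "Q8": "no"}),
    Vendor("Office Supplies Co", False, office),
    Vendor("Print Shop", False, {**ALL_YES, "Q5": "no", "Q3": "n/a"}),
]

def run() -> dict:
    """Assess every vendor; returns vendor name -> Assessment."""
    return {v.name: assess(v) for v in VENDORS}

if __name__ == "__main__":
    report = run()
    for name, a in report.items():
        print(f"{name:20} tier={a.tier:8} gaps={len(a.gaps)} unanswered={a.unanswered}")
    print("requirements at risk:", requirements_with_gaps(report.values()))
```

The roll-up in requirements_with_gaps is the piece that makes this a compliance tracker rather than a vendor scorecard: it answers "which of the 12 requirements is currently exposed through a third party", which is what an assessor will ask.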
To learn more about some of UpGuard’s compliance reporting features, watch this video.
2. Privileged Access Management
Could support compliance with the following PCI DSS requirements:
- PCI DSS Function 1: Implement and Maintain Network Security Controls
- PCI DSS Function 3: Safeguard Stored Account and Cardholder Data
- PCI DSS Function 7: Limiting Digital Access to Cardholder Data
- PCI DSS Function 8: Limiting Physical Access to Cardholder Data
- PCI DSS Function 10: Monitor and Report When Network Resources and Cardholder Data Are Accessed
With so many complex PCI requirements, it’s common to feel too overwhelmed to know where even to begin. Start by narrowing your focus on protecting credit card information. This initial momentum will establish the most secure foundation for your PCI DSS compliance program.
If your cybersecurity program is set up correctly, resources housing cardholder data are usually only accessible by privileged users - user accounts with broader access rights than general user accounts.
Besides granting access to highly sensitive data and payment systems, like credit card data, customer data, payment terminals, and credit card transactions, privileged accounts can also be used to log into security solutions, such as:
- Antivirus software
- Data breach prevention system components
- Endpoint data protection software
- Vulnerability Management Programs
Because privileged accounts offer access to such a broad spectrum of sensitive assets, cyber criminals always aim to discover privileged accounts almost immediately after penetrating a secure network.
According to Forrester, 80% of data breaches involve compromised privileged credentials.
Compromised privileged access accounts could arm hackers with a multi-pronged cyber attack, providing a pathway through multiple security solutions to the credit card data at the center of this cyber defense structure.
From an inverse perspective, securing privileged access accounts will extend the boundary of protection beyond the resources housing cardholder data to include multiple layers of security solutions, significantly reducing the chances of a data breach.
Privileged access accounts are best secured by Privileged Access Management (PAM) - a cybersecurity strategy enforcing the principle of least privilege to ensure users only have access to the minimal level of sensitive resources required to do their jobs.
PCI DSS 4.0 increases the emphasis on identity and access management and a Zero Trust Architecture - a network security strategy that confirms approved user access through continuous authentication protocols. These two cybersecurity initiatives broaden the account security principles of privileged access management to continuously protect against unauthorized cardholder data access.
Refer to this quick reference guide to ensure your privileged account security solution meets the access control goals of PCI DSS version 4:
- Restrict user access (including remote access) to cardholder data environments.
- Limit card data access only to users who absolutely require access to complete their daily duties.
- Establish a user access control policy delineating which specific users are granted access to cardholder data environments.
- Implement strong access control measures denying access to all users not included in privileged user policies.
- Establish a strong password policy for privileged accounts, ideally enforced with a password manager.
- Assign a unique ID to all user accounts, especially privileged users.
- Monitor all privileged access to sensitive resources and cardholder data.
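The access control checklist above, as one added example that is not from the page: an explicit allow-list for cardholder data environment (CDE) resources with default deny, a separate gate for remote sessions, rejection of duplicate user IDs so every action is attributable, and an audit entry for every decision. The resource names, role names and users are constructed.

```python
"""Default-deny access control for cardholder data environment (CDE) resources.

Added example, not from the page. Resource names, roles and users are
constructed. Only users whose role is named in the policy reach a resource,
remote sessions are gated separately, and every decision is logged.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:
    user_id: str          # unique per person; shared or generic accounts are rejected
    roles: frozenset
    remote: bool = False  # True when the session arrives over remote access

# Explicit allow-list: resource -> roles permitted and whether remote sessions may reach it.
# Anything not listed here is denied.
CDE_POLICY = {
    "pos-db":          {"roles": {"payments-dba"}, "remote_ok": False},
    "payment-gateway": {"roles": {"payments-ops"}, "remote_ok": True},
}

class CdeAccessController:
    def __init__(self, policy: dict):
        self.policy = policy
        self.audit_log = []       # one entry per decision, for monitoring and review
        self._registered = set()  # known unique IDs

    def register(self, user: User) -> None:
        """Admit a user ID; duplicates are refused so actions stay attributable."""
        if user.user_id in self._registered:
            raise ValueError(f"user id {user.user_id!r} already exists; IDs must be unique")
        self._registered.add(user.user_id)

    def authorize(self, user: User, resource: str, now: datetime = None) -> bool:
        """Decide and record one access request; default is deny."""
        rule = self.policy.get(resource)
        if rule is None:
            allowed, reason = False, "resource not in policy (default deny)"
        elif user.user_id not in self._registered:
            allowed, reason = False, "unregistered user id"
        elif not (user.roles & rule["roles"]):
            allowed, reason = False, "no role granted for resource"
        elif user.remote and not rule["remote_ok"]:
            allowed, reason = False, "remote access to resource not permitted"
        else:
            allowed, reason = True, "granted by explicit policy"
        self.audit_log.append({
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user.user_id, "resource": resource, "remote": user.remote,
            "allowed": allowed, "reason": reason,
        })
        return allowed

def demo() -> tuple:
    """Run a constructed set of requests; returns (decisions, audit log)."""
    ctl = CdeAccessController(CDE_POLICY)
    dba = User("alice.dba", frozenset({"payments-dba"}))
    dba_remote = User("alice.dba", frozenset({"payments-dba"}), remote=True)
    ops = User("bob.ops", frozenset({"payments-ops"}), remote=True)
    clerk = User("carol.clerk", frozenset({"store-clerk"}))
    for u in (dba, ops, clerk):
        ctl.register(u)
    decisions = {
        "dba_local_db": ctl.authorize(dba, "pos-db"),
        "dba_remote_db": ctl.authorize(dba_remote, "pos-db"),
        "ops_remote_gateway": ctl.authorize(ops, "payment-gateway"),
        "clerk_db": ctl.authorize(clerk, "pos-db"),
        "unknown_resource": ctl.authorize(dba, "hr-wiki"),
    }
    return decisions, ctl.audit_log

def duplicate_id_rejected() -> bool:
    """True when registering the same user ID twice raises."""
    ctl = CdeAccessController(CDE_POLICY)
    ctl.register(User("shared-admin", frozenset()))
    try:
        ctl.register(User("shared-admin", frozenset()))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

Every denial carries a reason, so the audit log doubles as the evidence that denied requests were actually refused rather than silently dropped, which is what a reviewer of the monitoring requirement wants to see.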
3. Security Patch Management
Could support compliance with the following PCI DSS requirements:
- Function 6: Update and Maintain Systems and Apps
Just like compromised privileged credentials serve as keys facilitating a pathway through security controls and into credit card data resources, security vulnerabilities are also attack vectors that could act as a pathway to payment card data.
Every digital solution is susceptible to security vulnerabilities, including security tools and e-commerce payment processor software, like Point of Sale (POS) software.
If you assume products specifically developed for credit card payment processors are inherently secure, you are gravely mistaken. You’d be surprised by how many data breaches happen by exploiting security risks in Point of Sale software.
A security patch management program will inform your security teams of any newly available security patches and ensure their timely implementation.
To bolster the data protection efforts of timely security patches, be sure to implement Web Application Firewalls. A WAF could address the security risks of transferring data via a public network. According to the Payment Card Industry Security Standards Council, transfer protocols like SSL and early TLS (TLS 1.0) are no longer considered secure encryption protocols and should, therefore, be avoided.
The PCI Council requires entities to create a risk mitigation plan for reducing the security risks of insecure protocols like vulnerable SSL and TLS 1.0 until the transition to more secure transfer protocols is complete.
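The transfer-protocol guidance in the two paragraphs above, as an added example that is not from the page: an audit function that checks TLS client settings against the policy the text states (SSL and TLS 1.0 are unacceptable, so the minimum negotiable version must be TLS 1.2 or newer, and the client must still verify the server certificate and hostname), a constructed "before" configuration that fails it, and the corrected configuration built with Python's standard ssl module.

```python
"""Audit TLS client settings against the transfer-protocol guidance above.

Added example, not from the page. WEAK_SETTINGS is a constructed "before"
configuration; hardened_client_context() is the corrected one.
"""
import ssl

MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2   # policy from the text: no SSL, no TLS 1.0

def audit_tls_settings(minimum_version: ssl.TLSVersion, check_hostname: bool,
                       verify_mode: ssl.VerifyMode) -> list:
    """Return a list of findings; an empty list means the settings pass the policy."""
    findings = []
    # TLSVersion is an IntEnum, so ordering compares protocol versions correctly;
    # MINIMUM_SUPPORTED (-2, "accept whatever the library allows") also lands below TLS 1.2.
    if minimum_version < MIN_ACCEPTABLE:
        findings.append(f"minimum protocol version {minimum_version.name} permits SSL/early TLS")
    if not check_hostname:
        findings.append("hostname verification disabled")
    if verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    return findings

def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit a live SSLContext rather than loose settings."""
    return audit_tls_settings(ctx.minimum_version, ctx.check_hostname, ctx.verify_mode)

def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: TLS 1.2+ only, certificate and hostname checked."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    return ctx

# Constructed "before" settings of the kind the text says must be phased out
WEAK_SETTINGS = {
    "minimum_version": ssl.TLSVersion.TLSv1,
    "check_hostname": False,
    "verify_mode": ssl.CERT_NONE,
}

if __name__ == "__main__":
    print("weak:", audit_tls_settings(**WEAK_SETTINGS))
    print("hardened:", audit_context(hardened_client_context()))
```

Running audit_context over every context your code creates (or over a wrapper that all outbound connections go through) turns the risk mitigation plan the Council asks for into something measurable: the list of findings is the inventory of connections still on the old protocols.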
Large and small businesses should regularly test networks for vulnerabilities to ensure transfer mechanisms cannot be intercepted despite an efficient security patch management program in place.
Refer to this quick reference guide to ensure your security patch management solution meets the security update goals of PCI DSS version 4:
- Sign up to a security patch release email list for vendors offering this service.
- Ensure new patches are implemented within 24 hours of their release.
- Establish a security patch implementation plan.
- Perform regular penetration testing to test for network vulnerabilities.
- Perform regular vulnerability scans to discover system vulnerabilities and exposures and rescan systems after deploying patches to verify compliance.
- Establish a control policy in line with industry-standard best practices (such as IEEE 802.11i).
- Design a remediation plan prioritizing critical risks discovered in vulnerability scans.
- Test patches before implementation and perform penetration tests on systems updated with the latest security patches.
- Ensure security updates have the most up-to-date signatures.
- Only onboard solutions following industry standard best practices.
- Implement the Point-to-Point encryption standard (P2PE) for cardholder data processing during transactions - across open and public networks.
- Have the security of your infrastructure evaluated by a Qualified Security Assessor (QSA) for compliance validation.
- Ensure firewalls protecting credit card data resources are securely configured.
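The patch implementation items in the checklist above (timely implementation against a release window, and rescanning after deployment to verify), as one added example that is not from the page. The advisory feed and host inventory are constructed, versions are dotted integers, and the SLA window defaults to the 24 hours the checklist names but is a parameter. A patch only counts as verified once a scan taken after it no longer reports the advisory.

```python
"""Patch SLA tracking with post-patch rescan verification.

Added example, not from the page. The advisory feed and host inventory are
constructed; the SLA window is a parameter defaulting to the 24 hours named
in the checklist.
"""
from datetime import datetime, timedelta, timezone

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

# Constructed advisory feed (what a vendor's patch-release mailing list would deliver)
ADVISORIES = [
    {"id": "ADV-2024-001", "product": "pos-terminal-fw", "fixed_version": "2.4.1",
     "released": "2024-03-01T09:00:00Z"},
    {"id": "ADV-2024-002", "product": "web-gateway", "fixed_version": "7.2.0",
     "released": "2024-03-09T12:00:00Z"},
]

# Constructed inventory: installed version, when it was last patched, and the last scan result
HOSTS = [
    # old firmware, patch out for days: overdue
    {"host": "pos-01", "product": "pos-terminal-fw", "version": "2.4.0", "patched_at": None,
     "last_scan": "2024-03-10T01:00:00Z", "scan_findings": ["ADV-2024-001"]},
    # patched, but the last scan predates the patch: not verified yet
    {"host": "pos-02", "product": "pos-terminal-fw", "version": "2.4.1",
     "patched_at": "2024-03-01T15:00:00Z",
     "last_scan": "2024-03-01T10:00:00Z", "scan_findings": ["ADV-2024-001"]},
    # patched and a clean scan taken afterwards: verified
    {"host": "gw-01", "product": "web-gateway", "version": "7.2.0",
     "patched_at": "2024-03-09T18:00:00Z",
     "last_scan": "2024-03-10T02:00:00Z", "scan_findings": []},
    # patch released 15 hours before the clock below: still inside the window
    {"host": "gw-02", "product": "web-gateway", "version": "7.1.3", "patched_at": None,
     "last_scan": "2024-03-10T02:00:00Z", "scan_findings": ["ADV-2024-002"]},
]

EXAMPLE_NOW = datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc)  # fixed clock for a repeatable run

def patch_status(host: dict, adv: dict, now: datetime, sla: timedelta) -> str:
    """Classify one host against one advisory."""
    if version_tuple(host["version"]) < version_tuple(adv["fixed_version"]):
        age = now - parse_ts(adv["released"])
        return "overdue" if age > sla else "pending"
    # Fixed version is installed; require a clean scan taken after the patch before
    # calling it done (the "rescan after deploying patches" checklist item).
    patched = parse_ts(host["patched_at"]) if host["patched_at"] else None
    scanned = parse_ts(host["last_scan"])
    if patched is None or scanned < patched or adv["id"] in host["scan_findings"]:
        return "patched-unverified"
    return "verified"

def track(hosts: list, advisories: list, now: datetime,
          sla: timedelta = timedelta(hours=24)) -> dict:
    """host -> {advisory id -> status} for every advisory matching the host's product."""
    report = {}
    for host in hosts:
        for adv in advisories:
            if adv["product"] == host["product"]:
                report.setdefault(host["host"], {})[adv["id"]] = patch_status(host, adv, now, sla)
    return report

def hosts_with_status(report: dict, status: str) -> list:
    return sorted(h for h, advs in report.items() if status in advs.values())

def example_report(sla_hours: int = 24) -> dict:
    """Run the tracker over the constructed data with the fixed clock."""
    return track(HOSTS, ADVISORIES, EXAMPLE_NOW, timedelta(hours=sla_hours))

if __name__ == "__main__":
    report = example_report()
    for host, advs in report.items():
        print(host, advs)
    print("overdue:", hosts_with_status(report, "overdue"))
```

The "patched-unverified" state is the one most tracking spreadsheets lack: pos-02 has the fixed version installed, but its only scan predates the patch, so it stays open until a rescan confirms the advisory is gone.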
How UpGuard Can Help
The UpGuard platform includes a vulnerability scanning feature that detects attack vectors potentially facilitating access to credit card resources. UpGuard also automatically assigns a criticality rating for detected risks, helping security teams understand where to prioritize their efforts to achieve the most efficient remediation plans.
By detecting overlooked risks commonly linked to unmaintained digital assets, the UpGuard platform expands its vulnerability detection features into a complete attack surface management framework, an essential data breach mitigation practice every business needs to implement.
Watch this video to learn about UpGuard’s attack surface management features.