While PCI compliance sets an industry cybersecurity benchmark for the financial sector, organizations shouldn’t rely on it alone to protect themselves against data breaches.
The harsh truth is that cybercriminals will exploit any weakness in an organization’s IT infrastructure to gain unauthorized access to sensitive data, not just those covered by PCI DSS compliance requirements. Instead of viewing PCI DSS as a checklist for securing customer data, organizations should take a more holistic approach to compliance.
Gaining visibility across the entire attack surface is crucial to ensuring complete network and data security against cyber attacks. Organizations should align their PCI compliance with attack surface management strategies to strengthen their security postures and provide the best defense against data breaches. Read on to learn how.
What is PCI DSS?
The Payment Card Industry Data Security Standards (PCI DSS) are designed to prevent credit card fraud and protect credit card holders from personal data theft. The PCI DSS controls cover the processing, storage, and transfer of credit card data.
PCI DSS draws upon guidance from many international cybersecurity bodies, such as the Center for Internet Security (CIS), the Cloud Security Alliance (CSA), and the Open Web Application Security Project (OWASP).
Who Must Comply With PCI DSS?
Any entity that processes customer credit card information must comply with PCI DSS, including merchants and payment solution providers.
Why is PCI DSS Compliance Important?
The financial industry deals with large volumes of customers’ personally identifiable information (PII). Cybercriminals are aware of the high value this sensitive data has on the dark web, where it can be sold as a means to commit identity theft, insurance fraud, and other lucrative crimes.
In today's threat landscape, hackers target financial institutions' poor data security measures to gain access to this valuable information. Governments and regulatory bodies have responded by implementing stricter requirements and handing down hefty financial penalties to non-compliant organizations. Financial organizations that don’t comply with PCI DSS face fines ranging from $5,000 to $100,000 for every month of non-compliance and other potential legal consequences.
Data breaches also pose a reputational cost to organizations, ultimately losing customers’ trust and loyalty if their personal information is not protected.
How to Support PCI DSS Compliance with Attack Surface Management
Below are the 12 PCI DSS requirements paired with their prescribed security best practices and attack surface management strategies.
Requirement 1: Install and Maintain Network Security Controls (NSCs)
The PCI DSS Council defines Network Security Controls (NSCs) as “firewalls and other network security technologies within an entity’s own networks…[that] protect the entity’s resources from exposure to untrusted networks.” Untrusted networks pose a security risk to the Cardholder Data Environment (CDE) because they can expose sensitive systems to unprotected pathways, leading to unauthorized access. Entities should also implement network segmentation to protect the CDE from incoming threats.
The Council lists the following as common examples of untrusted networks:
- The Internet;
- B2B communication channels;
- Wireless networks;
- Carrier networks, such as cellular;
- Third-party service provider networks;
- Any other source outside the entity’s control, including corporate networks that fall outside the scope of PCI DSS.
While NSCs, such as web application firewalls (WAFs) and virtual private networks (VPNs), offer the first line of defense against cyber attacks, mitigating controls must be in place to identify insecure services, protocols, and ports.
How UpGuard Helps
UpGuard scans the Internet for open ports and can identify and monitor over 150 known services that are often exposed, including telnet and FTP.
UpGuard allows organizations to verify that their NSCs’ configuration settings only allow approved services, protocols, and ports. Beyond the Cardholder Data Environment, UpGuard performs open port scanning across the entire attack surface, including that of third parties.
Requirement 2: Build and Maintain a Secure Network and Systems
Default passwords and vendor settings are easily obtainable through open source intelligence methods. Threat actors often exploit this public information to gain unauthorized access to internal systems.
Action points prescribed by the PCI Council include:
- Changing default passwords
- Removing unnecessary software, functions, and accounts
- Disabling or removing unnecessary services
Organizations must apply secure configurations to eliminate these attack vectors. Preventing or limiting the use of unnecessary software and services reduces an organization’s entire attack surface.
How UpGuard Helps
UpGuard can detect all Internet-facing assets, including unauthorized or unused SaaS apps and Shadow IT. UpGuard’s data leak detection engine scans all layers of the web to identify leaked credentials and misconfigured cloud settings in real time, enabling organizations to secure any exposed data immediately.
Requirement 3: Protect Stored Account Data
Organizations must implement strong encryption, truncation, masking, and hashing capabilities to protect cardholder data effectively. These measures add another layer of security by rendering data indecipherable in the event of unauthorized access. Applying similar data security standards across all sensitive data ensures complete attack surface protection.
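One way to apply the truncation, masking, and hashing that Requirement 3 calls for, as an added example that is not from the original article or UpGuard’s product. The last-four display format, the 13 to 19 digit PAN length range, and the use of HMAC-SHA256 under a secret key held outside the data store are assumptions, not statements from the page.

```python
# Added example (not from the original article): rendering a stored PAN
# unreadable via masking and a keyed hash. Assumptions: the display format
# keeps only the last four digits, and the hash is HMAC-SHA256 under a
# secret key that lives in a key-management system, not in the data store.
import hashlib
import hmac
import re

# Constructed sample key for the demo; never hard-code a real one.
HASH_KEY = b"constructed-sample-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (well-formed PAN)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    return pan


def mask_pan(raw: str) -> str:
    """Masked form for display: every digit but the last four is replaced."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(raw: str) -> str:
    """Keyed one-way hash for lookups and deduplication. A plain SHA-256 of a
    16-digit number is brute-forceable, so the secret key is essential."""
    pan = normalize_pan(raw)
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_record(raw: str) -> dict:
    """What the data store keeps: no full PAN, only the mask and keyed hash."""
    return {"pan_masked": mask_pan(raw), "pan_hash": hash_pan(raw)}
```

The stored record can still be matched against a freshly hashed PAN for lookups, but neither field on its own reveals the full account number.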
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Poorly secured wireless networks and inadequate encryption and authentication protocols are commonly targeted vulnerabilities. The Council states that entities must encrypt primary account numbers (PANs) over untrusted and public networks using cryptography to assure data preservation, integrity, and non-repudiation. Organizations should extend this requirement by encrypting all data transmitted over untrusted and public networks to strengthen data breach prevention capabilities.
How UpGuard Helps
UpGuard can instantly detect unsecured networks and vulnerabilities caused by legacy protocols across the entire attack surface.
Requirement 5: Protect All Systems and Networks from Malicious Software
Malware, or malicious software, is any program or file that is installed on a computer or system for harmful purposes. Common examples of malware include:
- Computer viruses
- Computer worms
- Trojan horses
Cybercriminals inject malware through attack vectors, such as:
- Phishing emails
- Email spoofing
- Exploiting network vulnerabilities
Once injected, malware can spread quickly throughout an entire network. Even if the Cardholder Data Environment (CDE) is not initially affected by a malware intrusion, it’s only a matter of time before it becomes compromised. Organizations must deploy an anti-virus software solution to achieve endpoint protection against malware. For complete attack surface defense, they need to identify the attack vectors through which malware spreads itself.
How UpGuard Helps
UpGuard instantly detects vulnerabilities that could facilitate malware intrusions. The UpGuard platform can also identify email security issues, phishing and malware, and typosquatting in real-time.
Requirement 6: Develop and Maintain Secure Systems and Software
Unpatched vulnerabilities in third-party software, including outdated operating systems, can lead to dire consequences. Cybercriminals exploit zero-day vulnerabilities to infiltrate internal systems. Secure coding practices and software lifecycle (SLC) processes can help avoid zero-days, but vendors must act quickly to patch these security flaws or risk large-scale data breaches.
Fast detection of vulnerabilities and secure coding practices speed up the patching process by pinpointing the source of error.
How UpGuard Helps
UpGuard instantly detects vulnerabilities across the internal and third-party attack surface. UpGuard scans code repositories, including S3 buckets, public GitHub repos, and unsecured RSync and FTP servers, for misconfigurations that are causing data leaks.
Requirement 7: Regularly Monitor and Test Networks
Excessive permissions are a cloud misconfiguration in which users are granted access rights and privileges beyond what their role requires. This common error can quickly facilitate insider threats and third-party data leaks that could eventually lead to breaches.
Organizations must implement the principle of least privilege to limit user permissions to the bare minimum requirements. The PCI Council extends these requirements to all third parties.
How UpGuard Helps
UpGuard continuously monitors the entire attack surface to identify cloud misconfigurations before they cause data breaches.
Requirement 8: Identify Users and Authenticate Access to System Components
Intruders can sneak their way into privileged systems and exfiltrate sensitive data if strong access control mechanisms aren’t in place. Organizations should implement effective authentication tools, such as 2FA or MFA, as part of a broader identity access management (IAM) system spanning the entire attack surface.
Requirement 9: Restrict Physical Access to Cardholder Data
The PCI Council states that physical access to systems that store, process, or transmit cardholder data should be “appropriately restricted.” This requirement is only effective if all systems storing any form of sensitive data are similarly protected, including those of vendors.
Organizations should implement a clean desk policy (CDP) to ensure that hardcopies containing confidential information are stored securely and destroyed once no longer required. They must also ensure their vendors are doing the same.
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Logging mechanisms allow organizations to prevent, detect, or minimize the impact of security incidents that lead to data compromise. The PCI Council mandates “[t]he presence of logs on all system components and in the cardholder data environment (CDE) [to allow] thorough tracking, alerting, and analysis when something does go wrong.” This requirement extends to third parties.
Organizations should ensure logging mechanisms are in place across all systems, including vendors’ systems, to provide system activity logs in the event of a security incident. Detailed logging enables security teams to perform root-cause analysis, which in turn informs prevention measures against similar events in the future.
Requirement 11: Test Security of Systems and Networks Regularly
New vulnerabilities emerge daily, and cybercriminals are quick to discover them. The PCI Council mandates that entities must frequently test the following security controls to achieve sufficient vulnerability management:
- System components
- System processes
- Bespoke software
- Custom software
Organizations should perform regular penetration testing to identify system and network vulnerabilities and deploy an intrusion detection and prevention system (IDS/IPS) to identify and intercept suspicious network traffic. Continuous monitoring of the entire attack surface allows organizations to detect and remediate vulnerabilities immediately.
How UpGuard Helps
UpGuard’s continuous attack surface monitoring capabilities detect active Common Vulnerabilities and Exposures (CVEs) affecting you and your vendors, allowing faster remediation.
Requirement 12: Support Information Security with Organizational Policies and Program
An information security policy (ISP) defines rules, policies, and procedures that ensure all end users and networks within an organization meet minimum IT security and data protection requirements. The PCI Council states that all personnel must be aware of the sensitivity of cardholder data and of their responsibilities for protecting it.
An effective ISP should address all of an organization’s data, programs, systems, facilities, infrastructure, authorized users, third parties, and fourth parties, including an incident response plan, to effectively manage the attack surface.