Amulya Hubert
November 29, 2022

PCI DSS - Security Measures

Brief Overview

PCI-DSS (Payment Card Industry-Data Security Standard) is a council with a very high standard to ensure security for all types of card transactions done in the financial industry. The council has been around for the past 20 years and are constantly innovating methods to improve security standards for all entities or organizations under the purview of the card industry.

 Visa, Mastercard, American Express, Discover, and JCB are the five major brands on the playing field. Organizations had a hard time keeping up with the security standards of these brands individually. The PCI Council was then formed on September 7th, 2006 to overcome redundancies and discrepancies in this system.

Their standards apply to any entity or organization that stores, processes, or transfers Customer Account Holder Data (AHD). The PCI Council has evolved newer standards to handle the current trend of cyber threats and payment channels that fall prey to such hacks. Though it is just a regulatory body and not the law, its approach to security standards is very granular and detailed.

Security Definitions

  1. PA DSS is Payment Application DSS.
    This is a requirement for software vendors who develop programs for multiple clients who store, process, or transmit AHD or SAD (Sensitive Authorized Data).
  2. PCI PTS is PCI Pin Transfer Security.
    This requirement is for POS (Point of Sale) terminals and other devices used to protect AHD PINs.
  3. PCI DSS: Payment Card Industry Data Security Standard
    PCI has six broad categories that outline the security standard and 12 requirements further explained in detail to help entities with their auditing processes.

Every application that transacts or processes client account holder data has to fulfill security standards to the level expected by the PCI Council. Requirements 1 and 2 primarily focus on "Securing the network," and 3 and 4 on "Securing cardholder data." One of the most frequently discussed topics is Requirements 5 and 6, which is "Vulnerability management." Requirements 7, 8, and 9 delve into "Access control" mechanisms, while 10 and 11 primarily detail "Network monitoring and testing," and 12 is mainly about the “Compliance regulations” that each entity needs to warrant that the protocols set are rigidly followed. 

PCI DSS ~ An Introduction 

This Compliance framework details how Organizations/Entities can reach their goals set by the council. The methods used may vary but the standards remain the same to ensure that the critical and sensitive data of clients are not exposed to the public or to malicious users. 

1.Flexible Approach

PCI allows for flexibility to organizations which cannot explicitly implement the regulations, to have compensating controls. This translates into, the entity using compensating controls to deliver the end result to fulfill the required parameters set, to ensure safety in the AHD environment. Executing this task can be quite daunting, especially for new entrants into this space.

To streamline the review process, the concept of customized controls has been added to the latest version of PCI DSS 4.0. These are defined by the organization but need to be vetted and approved by qualified auditors certified by the PCI Council. This change helps focus on the actual goal of achieving the compliance level intended, rather than the method of reaching the final state. 

2.Setting Standards 

Just because organizations can utilize customized controls for some of the requirements of PCI-DSS 4.0, it does not mean that the requirements are any less stringent than before.

Responsiveness and total buy-in need to permeate down to all personnel of an organization and its stakeholders even before it decides to undergo a PCI audit. Every individual has to be made aware of the sensitivity of AHD and the impetus to protect it. The security or risk management programs should make due diligence a continuous effort.

 

3.Application Security 

However robust an application is built or the platform it rests on, it becomes prone to exposure and cyberattacks if it does not securely handle its customer data. Most applications developed fail to follow these protocols during development or further along the SDLC model. Irrespective of the model adopted by an organization or code developed in-house, outsourced, or by third parties, the onus falls on both the development and testing teams to comply.All applications should undergo a VAPT (Vulnerability Assessment and Penetration Testing) regularly to identify potential flaws and vulnerabilities and fix them before they can be deployed to a live environment.

The verification process involves using the right mechanisms and software to expose or detect issues, flaws, and vulnerabilities that might exist in the code or API endpoints. Ensuring the processes are followed helps the auditor in an in-depth analysis during the audit process.

4.Protection is better than aftercare

Poorly coded web applications result in SQL injection and other vulnerabilities, which allow access to the database storing CHD(Card Holder Data) directly from the website. To maintain a high level of security, building a stronger firewall, configuring a DMZ or WAF(Web Application Firewall), or implementing a tiered level of security for both inbound and outbound traffic would definitely help to rule out data leaks. Additionally, blocking insecure protocols like SSL/TLS or FTP, etc. with the use of strong cryptographic and encryption standards like hashing, masking, truncation, and authorization protocols for SHA256, AES, Triple DES, or RSA are critical components to protect the AHD environment.

E.g., When an attacker uses other security controls to gain access to encrypted data without proper cryptographic keys, the data will be unreadable or unusable.

 

5.Encryption is key

Not everything, internal or external, comes from a trusted source. Misconfigured wireless networks and legacy encryption methods continue to be targeted attacks to gain privileged information to access the CHD environment.

Segregation of duties plays a pivotal role along with employees assigned Unique ID with role-based access controls (RBAC and ACL) to monitor any activity performed on the AHD and SAD environment.
Session hijacking attacks are most common during Web sessions where security is lacking or session timeouts are misconfigured or set for an extended period of time. Insufficient Session Expiration is another vulnerability that allows an application to reuse old session credentials, exposing an application to attacks that steal or reuse users' session identifiers.
Most applications use APIs, but they are not exactly on the radar of security parameters. Analyzing the API metadata traffic allows for API discovery to minimize blind spots from rogue APIs and detect threats in advance. API management can use a single token string as an API key or both an APP ID and a key.

To safeguard the level of security in all such cases, you can implement an additional level of MFA with a session expiry along with the latest versions of TLS. Logging mechanisms help in intrusion detection, prevention, or minimizing the impact of a data compromise. Retaining vendor-provided data could be detrimental to the critical environment. Still, it can be overcome with password rotation and all defaults changed to avoid MIM, sniffing, or DDoS (Distributed Denial of Service) attacks.

6.Automation is the next level

Current application codebases employ numerous lines of code and third-party libraries which makes manual testing quite tedious and cumbersome. The use of effective code analysis tools like SAST, DAST, or SCA scans can detect any security vulnerabilities, design flaws and logical errors. Any backdoors that allow attackers to further exploit an application, as well as implementation flaws such as SQL injection, CSRF, XSS, and URL redirection, to name a few, can be identified early on before deployment, too.

Automated static code analysis provides an effective solution for entities to be one step ahead due to its scalability and consistent, precise results with a total defense-in-depth strategy.

7.Lack of Awareness

Secure coding standards like “OWASP Top 10” and “Coding Best Practices” are effective and efficient ways to guarantee in creating a boundary around the AHD environment. Define a risk-based mechanism to identify which upgrades or patches are important and necessary for the system before deployment. Many compromised entities were even unaware that due to improperly installed point-of-sale (POS) systems, malicious users were allowed into the system.

Poor scoping decisions e.g., excluding part of the network from the PCI DSS scope due to inadequate network segmentation result in the cardholder data environment being unknowingly exposed to unsecured wireless access points and vulnerabilities introduced via the Internet.

Conclusion

So, to sum up, better security measures will always play a big part in following the PCI- DSS framework, along with having a BCP or DRP in place to help any organization get back to its feet sooner rather than crumble when under attack.

To learn more about how to implement security measures in your organization, visit our organization’s website.