Check out the Essential Cybersecurity Compliance series:
- Essential Cybersecurity Compliance Standards
- How to Reach Compliance with HIPAA
- Meet NIST Compliance Standards Using Automation
- Deliver ISO Compliance with Automation
If your application processes, stores, or has anything else to do with payment cards, add maintaining the Payment Card Industry Data Security Standard (PCI DSS) compliance to your list. As we discussed in previous articles, continuous compliance is critical to avoiding data breaches.
This article will look at the key factors of PCI DSS, examples of related breaches, and what steps to take to satisfy the requirements so you can reap the benefits.
What is PCI DSS?
This set of security standards was established in 2004 by major credit card firms because, unsurprisingly, applications that process payments are highly attractive targets for hackers and malicious actors. In 2022, payment card fraud losses totalled $32.34 billion worldwide, with the US claiming more than a third of the total amount. And with the sustained proliferation of online shopping and apps that ramped up during the pandemic, credit/debit card fraud only continues to increase.
The mission of PCI DSS is to secure credit and debit card transactions not only to curb losses for banks and the payment card industry, but to increase consumer trust and safety. This is achieved through a set of security controls that protect confidentiality, integrity, and accuracy of the card data. This compliance standard applies to every organisation that stores, processes, and transmits credit card data. Unlike NIST, which is a framework you are strongly encouraged but not obligated to follow, you absolutely must comply with PCI DSS.
PCI DSS in action
The first breach that may come to mind is the Capital One hack that exposed 106 million credit card applications and led to a $80 million fine from US regulators. Let’s look at some other breaches and how they could’ve been avoided by referencing the PCI DSS rules and goals.
Hobby Lobby
In early 2021, Hobby Lobby was hacked. An independent researcher that uses the handle Boogeyman identified the breach. He discovered a publicly accessible database on Amazon Web Services (AWS) that contained sensitive information from over 300,000 Hobby Lobby customers. The database was 138GB in size and had customer names, addresses, phone numbers, and partial card details. Oddly in the same database was the source code for the company's app, which is another issue altogether.
The breach was the result of a misconfigured cloud database that was publicly accessible. This is a clear violation of PCI DSS rules #3, #7, and #9, because the payment card data was being stored on an open server. Hobby Lobby also failed to comply with rule #10, which states that access to cardholder data and relevant network resources must be tracked and monitored. This clearly wasn’t happening, otherwise the misconfiguration would have been remediated and the entire ordeal ultimately avoided.
Shein
The retail giant was fined 1.9 million USD in October 2022, when credit card information and personal details of customers were exposed and subsequently stolen and sold online. Reported as the “most popular fashion retailer in the world”, Shein’s worldwide reach means that 39 million users were affected. Further controversy arose when its parent company, Zoetop, deliberately underreported the damage, placing the number of those exposed at just 6.42 million, as reported by the BBC.
Shein’s cover up left victimised account holders in the dark, as the majority were not contacted about the breach, with no requests for customers to reset passwords.
Following an investigation by the New York Attorney General, Shein was criticised by a number of cybersecurity experts for its “reactive cybersecurity strategies” and failure to protect their customers. Shein was just one of many victims recently, as Macy’s, Adidas, and Saks Fifth Avenue have come under fire for exposing users. Previous attacks on other major retailers should’ve motivated Shein to run security audits and remediate any vulnerabilities as required by PCI DSS.
Why this matters to you
While everyone in the organisation plays a part in security, compliance starts at the top with the CISO. Recognising the difference between security and compliance, and then enacting specific defence model to satisfy both junctures, is key to meeting standards.
Trend Micro has identified five PCI DSS compliance steps to help CISOs protect confidential data.
These four compliance levels are dependent on the annual number of credit/debit card transactions processed. The classification determines what your organisation needs to do in order to remain compliant:
- Level 1: Over 6 million transactions/year
- Requirement: Annual internal audit conducted by an authorised PCI auditor. Additionally, they must complete PCI scan by an Approved Scanning Vendor (ASV) once a quarter.
- Level 2: 1-6 million transactions/year
- Requirement: Complete an annual assessment using a Self-Assessment Questionnaire (SAQ). A quarterly PCI scan may be required.
- Level 3: 20,000-1 million transactions/year
- Requirement: Annual self-assessment and potentially a quarterly PCI scan.
- Level 4: Less than 20,000 transactions/year
- Requirement: Annual self-assessment and potentially a quarterly PCI scan.
Your organisation must comply with these 12 PCI Data Security Standards (DSS) to be PCI compliant:
1. Instal and maintain secure systems and applications such as a firewall to ensure that cardholder data is protected.
2. Instead of using default settings, protecting passwords with security measures that users can change and are unique to each user.
3. Implement both physical and virtual protection to prevent data breaches.
4. Encrypt any data about the cardholder sent through open or public networks.
5. Instal, maintain, and update antivirus software.
6. Develop and maintain secure systems and apps in a way that actively searches and fixes vulnerabilities.
7. Restrict physical access to cardholder data in the organisation to avoid data theft and security issues.
8. Implement role-based access control (RBAC) to authenticate and thoroughly identify users with access to sensitive information.
9. Limit access to cardholder data that you physically keep.
10. Monitor and track network resources and cardholder data using logs.
11. Test security systems and their resources regularly.
12. Assign a policy that addresses information security for all personnel to ensure employee awareness.
Based on the 12 standards specified above, an SAQ thoroughly examines how closely your company complies with the PCI DSS criteria.
A PCI-approved auditor verifies compliance level one organisations based on these standards. Businesses from any level can employ an approved scanning vendor (ASV) to look for security flaws and ensure compliancy.
In addition, Trend Micro offers a free Public Cloud Risk Assessment. Trend cloud engineers will uncover the overall risk level of your cloud infrastructure and specify actions with clear remediation steps.
Employing access control measures to protect stored cardholder data is key to upholding PCI DSS compliance. After installing, configuring, maintaining secure systems and applications, you need to instil a strict password policy. A zero-trust approach to your organisations security makes it difficult for attackers to move laterally across your environment and access data.
Utilising the AOC form to certify that their PCI DSS evaluation—as indicated in an SAQ or PCI compliance report—is a crucial function of PCI DSS compliance.
Once completed, you can help instil trust with your partner by submitting SAQ, ASV, and AOC reports to financial institutions, such as banks and credit card firms, and to all the companies with which your organisation does business.
Automate continuous compliance with Trend Micro Cloud One™ – Conformity
Conformity provides cloud best practises to empower cloud builders to innovate in the cloud with confidence. Customers leveraging this service can build secure and compliant cloud architecture and avoid misconfigurations, such as critical identity access management (IAM), for a secure and compliant cloud environment.
With Conformity real-time cloud service configurations, cheques are run against your infrastructure to get a complete view of their security and compliance baseline and provides actionable intelligence to remediate misconfigurations to begin improving your posture.
Don’t just take our word for it. Try it yourself with a free 30-day trial.