Risk // Compliance
12/23/2014
10:30 AM

How PCI DSS 3.0 Can Help Stop Data Breaches

New Payment Card Industry security standards that took effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples.

The new Payment Card Industry Data Security Standard (PCI DSS) 3.0, effective January 1, raises the bar for security by encouraging a structured, predictable, and continuous approach, and a higher baseline of defense against intrusions.

Since 2013, estimates for the number of payment card records lost or stolen in data breaches range from hundreds of millions to a half billion. These increasing and persistent threats demand that security professionals shift their mindset from viewing security with a check-box mentality to viewing security as business as usual.

In the largest data breaches of 2014, a common point of entry was the exploitation of remote access methods to implant malware on systems that store, process, or transmit cardholder data. Frequently the point of malware penetration was a back-office PC supporting the payment system, often running an unpatched operating system that is highly vulnerable to malware. These systems typically lack the controls found on a payment terminal, such as tamper-responsive detection and other protections against malware in volatile memory.

But infrastructure is only one part of the problem. Another reason vulnerabilities are exploited in retail is that many organizations lack an effective process to apply and comply with PCI DSS. In its latest iteration -- PCI DSS v3.0 -- the card industry standards council has set forth a security framework and approach we hope will strengthen payment system security by reinforcing “business as usual” throughout the requirements. Here are three examples:

Consistent, effective controls
Securing your payment system requires companies to always be aware of what is happening on their systems. In particular, you must know where cardholder data (CHD) is at all times and have proper controls in place so that you can react to malware injection in real time. As a baseline, signature-based solutions such as anti-virus (AV) software scan for known threats. With AV solutions, it’s critical to keep signatures up to date so that the protective measure is as effective as possible.

As for unknown threats such as new malware, advanced persistent threats, zero-day attacks, and negative-zero-day attacks (existing malware variants targeting unsupported operating systems and applications), systems that rely solely on signature-based controls may not provide sufficient security. By the time new threats are added to the signature files, the damage may already be done. For this reason, use a “defense in depth” strategy and deploy supplemental controls to detect and block advanced attacks, as outlined in PCI DSS Requirement 5.

Additionally, application control solutions such as enterprise whitelisting enable merchants to specify what software is trusted for execution in their payment environment. Whitelisting helps limit the ability of malware to execute on computers inside a payment system. Using whitelisting as an additional malware-prevention control provides a layered security approach with deeper coverage against the sophisticated malware attacks targeting systems -- particularly retail point-of-sale software. Whitelisting is an additional arrow in the “defense in depth” quiver that supports PCI DSS requirements, where each control reinforces the others to achieve stronger security.
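As an added illustration of the application-control idea above (example code written for this page, not from the PCI SSC or any vendor product): a deny-by-default allowlist keyed on both the executable path and its SHA-256, run over constructed stand-ins for binaries on a back-office payment PC. The paths and file contents are constructed sample values; the point is that a binary at an approved path is still blocked once its content no longer matches what was approved.

```python
"""Hash-based application allowlist check (added example, not PCI SSC code).

The allowlist records, for each approved executable path, the SHA-256 of the
binary at the time it was approved. Execution is denied by default: a file is
allowed only when both its path and its current content hash match an approved
entry, so a tampered or newly dropped binary is blocked even if it sits at an
approved path.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> dict[str, str]:
    """Record the hash of each approved binary at approval time."""
    return {path: sha256_hex(content) for path, content in approved.items()}


def check_execution(path: str, content: bytes, allowlist: dict[str, str]) -> Decision:
    expected = allowlist.get(path)
    if expected is None:
        return Decision(False, f"{path}: not on allowlist (default deny)")
    if sha256_hex(content) != expected:
        return Decision(False, f"{path}: hash mismatch (binary modified or replaced)")
    return Decision(True, f"{path}: approved binary")


# Constructed sample: stand-ins for binaries on a back-office payment PC.
APPROVED = {
    r"C:\POS\pos.exe": b"approved point-of-sale application v1.0",
    r"C:\Tools\backup.exe": b"approved backup agent",
}
ALLOWLIST = build_allowlist(APPROVED)


def demo() -> list[Decision]:
    attempts = [
        (r"C:\POS\pos.exe", APPROVED[r"C:\POS\pos.exe"]),                        # unchanged
        (r"C:\POS\pos.exe", b"approved point-of-sale application v1.0 + extra"),  # tampered
        (r"C:\Users\Public\update.exe", b"unknown dropped file"),                 # never approved
    ]
    return [check_execution(p, c, ALLOWLIST) for p, c in attempts]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```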

Continually monitor risks
You must be vigilant about ensuring that your security controls are working. By continually monitoring controls, you can react quickly to remediate malware should signals indicate a potential breach. Related business-as-usual activities may include:
· Keeping all patches for all systems up to date.
· Training personnel to be alert for suspicious activity and to follow best practices such as using strong passwords.
· Reviewing logs daily to identify and respond to suspicious behavior.
· Scrutinizing system configurations to ensure software is up to date and settings do not expose devices to exploitation.
· Periodically auditing third-party vendors to ensure they are not providing unprotected access to your systems.

Regularly assess new threats
Ongoing threat assessments and gap analysis for in-scope applications and systems are essential for policy enforcement. You can’t fix issues that are unknown, so business-as-usual processes should allow your team to regularly assess new threats -- particularly on old PCs running vulnerable software -- and other changes in the environment, such as former employees who still have access to payment systems. As part of that assessment, consider the value of adding new technologies, such as point-to-point encryption and tokenization, which may prevent exposure of cardholder data altogether.

Steps like these are among many layered defenses addressed by PCI DSS 3.0, which provides a new and stronger baseline for payment system security. Prioritizing your efforts to choose and implement proper controls will help you tackle the riskiest areas first.

The challenge of preventing data breaches will never disappear. However, by deploying layered security controls and processes, continuously monitoring their effectiveness, and regularly assessing new threats and new opportunities to reduce risk, your organization can establish an effective offense that can stop malware attacks cold -- and foster peace of mind for the safety of cardholder data.

[For more on PCI DSS 3.0 read 5 Ways To Think Outside The PCI Checkbox.]

Troy Leach is the Chief Technology Officer for the PCI Security Standards Council (SSC). In his role, Mr Leach partners with Council representatives, Participating Organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data ...
Comments
Cthulhucalling
User Rank: Apprentice
1/15/2015 | 1:14:12 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
1. It's my experience that organizations try to attain the absolute minimum it takes to become compliant. I think the brands should be helping out more by clarifying a lot of the murk that the DSS has, and coming out with a security framework, or at least rewriting the DSS so it becomes more clear as to what the Council actually wants. Right now it's a mishmash of 200+ checks that are usually attacked piecemeal.

Second, I'd like to see the brands get more aggressive on punishing companies that scoff at the DSS and get breached. Home Depot has been breached how many times now? The breach at Target was rather offensive itself; they missed all the warning signs. Of course, the Council will do nothing to these companies as they would be missing all the revenue that these companies make for them. I would guarantee that if one major retailer was to lose its merchant status, there would be a newfound vigor and zeal from the rest of the retail industry to get secured.

2. IT management is generally not ready for a revolutionary approach. They must be dragged, kicking and screaming, into compliance because they will whine, complain, drag their feet and stall all they can until they have to get compliant. The cost of noncompliance needs to be greater than it takes to get compliant; otherwise it simply won't happen.
Marilyn Cohodas
User Rank: Strategist
1/12/2015 | 10:17:54 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
@Cthulhucalling -- You raise some interesting points, which prompt me to ask for your thoughts on: 1. What do you think is needed to give PCI DSS 3.0 more bite? And 2. Do you think enterprise IT could handle a more revolutionary approach?
Cthulhucalling
User Rank: Apprentice
1/9/2015 | 8:28:57 PM
DSSv3. Meh
I'm a QSA and have been working PCI issues for clients for a few years now. What I'm seeing in v3 of the DSS is hardly revolutionary, merely evolutionary. Really, there is little changed from v2: some lip service to memory scraping, some improvements in some other requirements. But overall... meh. Without coming out and actually providing a security framework, all of this piecemeal "defense in depth" is difficult for organizations to comprehend, even when they have good engineers and security staff. Why? Because there is no overarching vision or framework included in the DSS; it's just 240+ requirements that are typically addressed piecemeal. An included framework would provide some context, to show management that Requirement 1 reinforces Requirement 5: when AV fails, the firewall or air-gapped network will keep cardholder data from being leaked (barring extraordinary effort by the attacker).

Requirement 5 was a joke in my QSA training; the instructor called it the "Microsoft rule", as the requirement states "for systems that are commonly infected by malware". Hey, AV software is a nice tool for the toolbox, but there seems to be some overreliance on it to catch malware. Any security professional will know this, but management at some of my clients have asked the question "If we have (antivirus software vendor) installed, why do we need to put our point of sale behind firewalls?" This usually goes into the defense-in-depth lecture, but by that point everyone is looking at their phones, or arguing that all of this is going to cost money and this is just security being negative and trying to scare people.

Until there is a breach.
Cthulhucalling
User Rank: Apprentice
1/9/2015 | 8:07:10 PM
Re: PCI DSS is still badly lacking!
I just spent the last 2 years working on PCI remediation for a client. Despite being brought in specifically to work the client's PCI issues, the business focused on other things until almost literally the last hour. We did get them compliant, despite a huge amount of work done in the last few weeks of the year, but it was only because this was the last opportunity the company could be audited against DSSv2.0 that we got management backing to get the work actually done.

I've given numerous presentations to and had discussions with the client's management, and despite assurances that PCI was the #1 priority, they typically got sidetracked with other shiny objects, or balked at the amount of time/money/effort it would take to attain compliance, until it in itself became a problem. Good on them for eventually addressing the problem, but this could have been done much earlier without the rush to the finish line.
closcer
User Rank: Apprentice
1/8/2015 | 3:57:13 PM
Re: PCI DSS is still badly lacking!
In my case, I lead a security team for a Fortune 500 financial company and for me it's been very easy. You just have to provide the right data points and stay away from anecdotal data. Justifying everything with worst case and potential financial monetary loss has always worked with our leadership team. Thus far we've adequately protected the business (and our FIs) with the right controls in place and the right level of auditing.
Marilyn Cohodas
User Rank: Strategist
1/8/2015 | 3:20:02 PM
Re: PCI DSS is still badly lacking!
@n0md3plum, how do you make the case for PCI-DSS to your management? Or do you?
n0md3plum
User Rank: Apprentice
1/8/2015 | 2:42:14 PM
Re: PCI DSS is still badly lacking!
@Closcer, try explaining that to management: that, hey, PCI is just the bare minimum of what needs to be done, and we need to spend more $ on additional controls, policies, standards, etc. Unless you have other regulatory guidelines that you have to follow, PCI by itself might not be enough.
closcer
User Rank: Apprentice
1/8/2015 | 11:56:59 AM
Re: PCI DSS is still badly lacking!
Some of your statements are valid, but the majority show you're badly misinformed. As with any other guidelines or standards, it should be something to build on, not a soup-to-nuts approach. Whoever doesn't treat PCI DSS as the bare minimum barometer has some work to do to secure their enterprise. The ideals and principles set forth in PCI DSS are sound and should give the experienced security engineer something to work off of; that's the true intent of the standards.
ScottBinDC
User Rank: Apprentice
12/24/2014 | 1:00:21 AM
PCI DSS is still badly lacking!
PCI DSS is like the TSA: security theater! PCI DSS does NOT require a proper risk assessment such as the one required in the ISO 27001 framework. PCI DSS does NOT require recertification of changes like FISMA. PCI DSS does NOT require configuration management standards and certification for expanding new systems like DIACAP.

Under PCI DSS a cash register in New York can talk to a cash register in San Diego. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entry ways into the network as it is today? You wouldn't store the keys to your building in the lobby, so why are you storing your password in what is essentially the lobby to the Internet?

The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.

And speaking of building a system, what is wrong with custom code? Does your house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricity to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era: pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.

Why do it right when you can do it wrong for twice the price?!

You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?

Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Hannaford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman Marcus found its problems.

Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amateurs understand this, there is no reason to think that PCI DSS in any of its forms will be anything more than a band-aid on a gushing wound!
