The new Payment Card Industry Data Security Standard (PCI DSS) 3.0, effective January 1, raises the bar for security by encouraging a structured, predictable, and continuous approach, and a higher baseline of defense against intrusions.
Since 2013, estimates for the number of payment card records lost or stolen in data breaches range from hundreds of millions to a half billion. These increasing and persistent threats demand that security professionals shift their mindset from viewing security with a check-box mentality to viewing security as business as usual.
In the cases of the largest data breaches, in 2014 a common point of vulnerability was the exploit of remote access methods to implant malware on systems that store, process, or transmit cardholder data. Frequently the point of malware penetration was back-office PCs supporting the payment system, which may run unpatched operating systems highly vulnerable to malware attacks. These systems often lack the same controls as a payment terminal, such as tamper-responsive detection and other protections for malware in volatile memory.
But infrastructure is only one part of the problem. Another reason vulnerabilities are exploited in retail is that many organizations lack an effective process to apply and comply with PCI DSS. In its latest iteration -- PCI DSS v3.0 -- the card industry standards council has set forth a security framework and approach we hope will strengthen payment system security by reinforcing “business as usual” throughout the requirements. Here are three examples:
Consistent, effective controls
Securing your payment system requires companies to always be aware of what is happening on their systems. In particular, you must know where cardholder data (CHD) is at all times and have proper controls in place so that you can react to malware injection in real time. As a baseline, signature-based solutions such as anti-virus (AV) software will scan for the known threats. With AV solutions, it’s critical to keep signatures up-to-date in order to utilize the protective measure as effectively as possible.
As for unknown threats such as new malware, advanced persistent threats, zero-day attacks, and negative-zero-day attacks (targeted by existing malware variants against unsupported operating systems and applications), systems that rely solely on signature-based controls may not provide sufficient security. By the time new threats are added to the signature files, the damage may already be done. For this reason, use a “defense in depth” strategy and deploy supplemental controls to detect and block advanced attacks, as outlined in PCI DSS Requirement 5.
Additionally, application control solutions such as enterprise whitelisting enable merchants to specify what software is trusted for execution in their payment environment. Whitelisting helps limit the ability for malware to be executed on computers inside a payment system. The use of whitelisting as an additional solution for preventing malware will help to provide a layered security approach to ensure deeper coverage against the sophisticated types of malware attacks that are targeting systems -- particularly retail point-of-sale software. Whitelisting is an additional arrow in a “defense in depth” quiver to support PCI DSS requirements, where each reinforces the other to help achieve stronger security.
Continually monitor risks
You must be vigilant about ensuring that your security controls are working. By continually monitoring controls, you can react quickly to remediate malware should signals indicate a potential breach. Related business as usual activities may include:
· Keeping all patches for all systems up to date.
· Training personnel to be alert for suspicious activity, and to follow best practices such as using strong passwords.
· Effective daily review of logs to identify and respond to suspicious behavior.
· Scrutinize system configurations to ensure software is up-to-date and settings do not expose devices to exploitation.
· Periodically audit third-party vendors to ensure they are not providing unprotected access to your systems.
Regularly assess new threats
Ongoing threat assessments and gap analysis for in-scope applications and systems are essential for policy enforcement. You can’t fix the issues that are unknown, so business-as-usual processes should allow your team to regularly assess new threats -- particularly on old PCs running vulnerable software -- and other changes in the environment, such as former employees who still have access to payment systems. With assessment, you should consider the value of adding new technologies, such as point-to-point encryption and tokenization, which may prevent exposure of cardholder data altogether.
Steps like these are among many layered defenses addressed by PCI DSS 3.0, which provides a new and stronger baseline for payment system security. Prioritizing your efforts to choose and implement proper controls will help you tackle the riskiest areas first.
The challenge of preventing data breaches will never disappear. However, by deploying layered security controls and processes, continuously monitoring their effectiveness, and regularly assessing new threats and new opportunities to reduce risk, your organization can establish an effective offense that can stop malware attacks cold -- and foster peace of mind for the safety of cardholder data.
[For more on PCI DSS 3.0 read 5 Ways To Think Outside The PCI Checkbox.]