
4 Security Tips From PCI DSS 4.0 Anyone Can Use

With the final switchover to the latest version of the credit card standard, here's what all security professionals can draw from the changes.

Joshua Goldfarb, Global Solutions Architect — Security

March 11, 2024


COMMENTARY

To security professionals, compliance may not be the sexiest subject, but it is an important one for a variety of reasons. Security teams are important stakeholders in governance, risk, and compliance (GRC) efforts, and, thus, those efforts deserve an appropriate amount of attention within the goals and priorities of the security organization.

Lately, many compliance standards and frameworks have evolved to include requirements that look a lot more like security best practices than mere checkboxes. The PCI DSS 4.0 standard is a great example of this. How so? Let's use this standard to go through a few examples.

But first let's start with a little background: The Payment Card Industry Security Standards Council (PCISSC) is a group of credit card industry players that set up and administer the standard. Any entity that accepts credit card payments from PCISSC members — they include Visa, Mastercard, American Express, Discover, JCB International and UnionPay — needs to keep card users' data safe.

In other words, all businesses that accept credit card payments must comply with this standard. The latest version, 4.0, was released in March 2022, with a two-year transition period.

According to the PCI Security Standards Council, "This transition period, from March 2022 until 31 March 2024, provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements." On March 31, PCI DSS 4.0 will become the only active version of the standard.

The current timing gives us a great opportunity to work through a few of the changes in v4.0, particularly as they relate to us as security professionals.

1. Avoid Malicious Scripts

After a spate of attacks and fraud resulting from malicious third-party scripts injected into a variety of legitimate business websites, PCI DSS was updated in 2023 to include two new requirements: 6.4.3: Manage Payment Page Scripts to Prevent Skimming and 11.6.1: Deploy a Mechanism to Detect Skimming.

Requirement 6.4.3 dictates that companies confirm the authorization and integrity of all payment page scripts and keep an inventory of those scripts, with a justification for why each one is necessary for the payment page. Requirement 11.6.1 says that companies must deploy a mechanism that evaluates the HTTP headers and the payment page as the consumer's browser receives them, run that evaluation at least weekly, and alert personnel to any unauthorized modification of either.

These requirements mean that businesses will need to essentially deploy two additional controls, one protective and one detective:

  • Protective control: Proactively ensure that no malicious scripts are on payment pages (third-party or otherwise).

  • Detective control: Monitor scripts on payment pages and alert when malicious scripts are detected.

Aside from being a requirement of the updated standard, these controls are also a good idea and a great way to improve an organization's security posture.
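As an added illustration of the detective control (this is example code written for this article, not anything from the PCI SSC or the author), the following Python script performs one monitoring pass of the kind requirement 11.6.1 calls for. It keeps a 6.4.3-style inventory of approved scripts with their justification and content hash, extracts the script tags from a payment page as the browser received it, fetches nothing from the network (the script bodies, page, URLs and headers are constructed sample data), and reports scripts that are not in the inventory, scripts whose content changed, scripts that disappeared, and security headers that drifted from the baseline.

```python
import hashlib
import re
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed script bodies standing in for what the monitor fetched.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', tokenize);"
ANALYTICS_JS = b"window.track = function (e) { /* approved analytics */ };"

# 6.4.3-style inventory (hypothetical): every script allowed on the page,
# why it is there, and the hash of the content that was reviewed.
APPROVED_SCRIPTS: Dict[str, Dict[str, str]] = {
    "https://checkout.example/js/checkout.js": {
        "justification": "card form tokenization",
        "sha256": sha256_hex(CHECKOUT_JS),
    },
    "https://cdn.example/analytics.js": {
        "justification": "page analytics; no access to card fields",
        "sha256": sha256_hex(ANALYTICS_JS),
    },
}

# 11.6.1-style baseline (hypothetical) of security headers the consumer's
# browser should receive with the payment page.
HEADER_BASELINE: Dict[str, str] = {
    "content-security-policy": "script-src 'self' https://cdn.example",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def inventory_page(html: str, fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Map every script on the page to the SHA-256 of its content.
    External scripts are keyed by src and their bodies looked up in
    `fetched` (what the monitor retrieved); inline scripts are keyed
    'inline:<n>' by their position in the document."""
    seen: Dict[str, str] = {}
    for n, m in enumerate(SCRIPT_TAG.finditer(html)):
        attrs, body = m.group(1), m.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            seen[src.group(1)] = sha256_hex(fetched.get(src.group(1), b""))
        else:
            seen[f"inline:{n}"] = sha256_hex(body.strip().encode())
    return seen


def check_payment_page(html: str, fetched: Dict[str, bytes],
                       headers: Dict[str, str]) -> Dict[str, List[str]]:
    """One evaluation pass. Returns findings by category; every list
    empty means the page matches the approved state."""
    seen = inventory_page(html, fetched)
    findings: Dict[str, List[str]] = {"unauthorized": [], "modified": [], "missing": [], "headers": []}
    for ident, digest in seen.items():
        approved = APPROVED_SCRIPTS.get(ident)
        if approved is None:
            findings["unauthorized"].append(ident)
        elif approved["sha256"] != digest:
            findings["modified"].append(ident)
    for ident in APPROVED_SCRIPTS:
        if ident not in seen:
            findings["missing"].append(ident)
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, expected in HEADER_BASELINE.items():
        if lower.get(name) != expected:
            findings["headers"].append(f"{name}: expected {expected!r}, got {lower.get(name)!r}")
    return findings


# Constructed "as received by the consumer" sample: the approved analytics
# script was altered after review, an extra inline script appeared, and
# the CSP header was loosened.
SAMPLE_HTML = """<html><head>
<script src="https://checkout.example/js/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
</head><body>
<form id="pay"></form>
<script>console.log('not in the inventory');</script>
</body></html>"""
SAMPLE_FETCHED = {
    "https://checkout.example/js/checkout.js": CHECKOUT_JS,
    "https://cdn.example/analytics.js": ANALYTICS_JS + b"\n// appended after approval",
}
SAMPLE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for kind, items in check_payment_page(SAMPLE_HTML, SAMPLE_FETCHED, SAMPLE_HEADERS).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run on the sample it flags the inline script as unauthorized, the analytics script as modified, and the CSP header as changed; each of those is an alert to personnel under 11.6.1, and the inventory's justification field is what an assessor asks for under 6.4.3. A production version would fetch the page and scripts through a real browser (the standard cares about what the consumer receives, which can differ from what the origin serves) and run on a schedule of at least weekly.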

2. Install and Maintain Network Security Controls

The PCI DSS Quick Reference Guide has been updated in parallel with the standard itself. For example, look at this point from requirement 1 of the "Summary of PCI DSS v4.0 Requirements 1–12" section of the document:

"Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules. Traditionally this function has been provided by physical firewalls; however, now this functionality may be provided by virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology."

This is a nod to the far more complex world we live in from a network standpoint. What it means for businesses, practically speaking, is that they will need to solve for network security needs in hybrid and multicloud environments, most likely by having a distributed cloud strategy.

3. Develop and Maintain Secure Systems and Software

Requirement 6 in the Quick Reference Guide has this interesting tidbit: "Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures."

This screams the need for proper API security. Of course, the secure software development lifecycle (SSDLC) is an important component of this. Beyond that, though, businesses will also need to be aware of when systems in the environment change and establish that those changes follow proper change control procedures.

This highlights a number of important considerations for security teams:

  • Strict inventory and management of APIs.

  • Mature ability to apply policies and controls consistently across all APIs in all environments.

  • Robust API security capability to ensure that APIs are properly protected against attacks and fraud.

  • Sophisticated API discovery capability to ensure that APIs deployed "under the radar" can be discovered, inventoried, and managed.

The ability to properly secure APIs will be crucial for businesses in the coming years, as APIs are rapidly becoming the linchpin of modern business.

4. Ensure Logging, Visibility, and Monitoring

Requirement 10 of the Quick Reference Guide states that companies need to use logging mechanisms: "The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is difficult, if not impossible, without system activity logs."

As security professionals, we know this already. But have we stopped to consider whether we have the proper level of visibility across our hybrid and multicloud environments? If we don't, how do we plan to obtain that visibility?

These are key questions that businesses need to consider as part of PCI compliance, but they are also important as part of their security strategy in general. Businesses will need to ensure that they have proper logging and monitoring across their hybrid and multicloud environments, and they will need to use that visibility to properly monitor those environments for security, fraud, abuse, and compliance issues.
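The API discovery point under item 3 and the visibility question under item 4 can be served by the same monitoring pass over the logs you already collect. The Python below is an added example for this article (not code from the author, F5, or the PCI SSC): it parses access-log lines shipped from several environments, normalizes the request paths so that IDs collapse into one endpoint, reports every (method, endpoint) pair seen in traffic that is absent from the API inventory, and reports every log source an environment is expected to deliver but from which nothing arrived in the window. The log format, host names, paths and inventory are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed inventory: (method, normalized path) for every approved API.
API_INVENTORY: Set[Tuple[str, str]] = {
    ("POST", "/api/v1/payments"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/health"),
}

# Constructed: the log sources each environment is required to deliver.
EXPECTED_SOURCES: Dict[str, Set[str]] = {
    "onprem": {"gw-onprem-1"},
    "aws": {"gw-aws-1", "gw-aws-2"},
    "azure": {"gw-azure-1", "gw-azure-2"},
}

# Constructed sample lines in a simple "<ts> <env> <host> <method> <path> <status>"
# format; one malformed line is included to show it is skipped, not fatal.
SAMPLE_LOGS = """\
2024-03-11T10:00:01Z onprem gw-onprem-1 POST /api/v1/payments 200
2024-03-11T10:00:02Z onprem gw-onprem-1 GET /api/v1/orders/8841 200
2024-03-11T10:00:03Z aws gw-aws-1 GET /api/v1/health 200
2024-03-11T10:00:04Z aws gw-aws-1 POST /api/v1/payments 201
this line is not in the expected format
2024-03-11T10:00:05Z aws gw-aws-2 GET /api/internal/export/5521 200
2024-03-11T10:00:06Z aws gw-aws-2 DELETE /api/v1/orders/8841 405
2024-03-11T10:00:07Z azure gw-azure-1 GET /api/v1/orders/1?expand=items 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<env>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Path segments that look like identifiers: integers, long hex strings, UUIDs.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Drop the query string and replace identifier-looking segments with
    {id} so that /orders/1 and /orders/8841 count as the same endpoint."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def discover_unknown_apis(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Endpoints exercised in traffic but missing from the inventory, with
    call counts. Method is part of the key: an approved GET does not make
    a DELETE on the same path approved."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        key = (e["method"], normalize_path(e["path"]))
        if key not in API_INVENTORY:
            counts[key] += 1
    return dict(counts)


def logging_gaps(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Per environment, the expected log sources from which nothing arrived."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["env"]].add(e["host"])
    gaps = {}
    for env, hosts in EXPECTED_SOURCES.items():
        silent = hosts - seen.get(env, set())
        if silent:
            gaps[env] = silent
    return gaps


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for (method, path), n in sorted(discover_unknown_apis(events).items()):
        print(f"not in inventory: {method} {path} ({n} calls)")
    for env, hosts in sorted(logging_gaps(events).items()):
        print(f"no logs received from {env}: {', '.join(sorted(hosts))}")
```

On the sample this surfaces an internal export endpoint and a DELETE that nobody inventoried, and an Azure gateway that is supposed to be shipping logs but is silent. The second finding matters as much as the first: an endpoint you never see in your logs cannot be discovered, monitored, or investigated after a compromise, which is the point requirement 10 makes.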

Security Practices Go Beyond Credit Cards

The updates in v4.0 of PCI DSS are good ones. Besides updating the standard to incorporate the evolving threat landscape and the preponderance of hybrid and multicloud environments, they provide excellent guidance for security teams that are looking to improve their organizations' security posture. I would argue that what is good for payment card security is good for the overall security of a business.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
