Ramping PCI DSS efforts for the festive shopping period

With consumers the world over making the all-important buying decisions in anticipation of the holidays, retailers should be preparing to keep customers’ data safe. Despite the fact that PCI DSS (Payment Card Industry Data Security Standard) has been in effect for over a decade, and most merchants achieve compliance, some of the world’s largest retailers are vulnerable to data breaches.

The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organisations. For example, more than five million credit card numbers were stolen in the 2018 hack of two major retailers. Here are five tips to improving PCI DSS to help retailers.

1.Scoping 

The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common misconception is to overlook the systems that support and secure the CDE and fail to include them in scope.

Specifically, any systems involved in managing the security of in-scope systems are also considered in-scope and need to be secured and monitored. Some examples include: IAM servers; Domain controllers, Key Management servers, Firewalls/IDS/IPS systems; Log management/SIEM systems, AV Management servers and more.

Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.

2. Patch Systems Regularly

PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, it took Equifax more than four months (132 days) to identify an unpatched vulnerability that provided a foothold for their devastating data breach.

Schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in-scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.

2. Audit Access to Cardholder Data

PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. While many organizations have implemented two-factor authentication, they often fail to audit this access to verify that these controls are working as expected.

In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise being used in more than 39% of investigated breaches against merchants.

Implement two-factor authentication on all of your CDE assets. Schedule periodic audits against these assets, to verify that controls are working properly. Additionally, enable monitoring on all CDE assets to capture a baseline. Finally, configure your SIEM to trigger alarms for all activity that falls outside this baseline so you can respond quickly to potential threats.

4. Review and Monitor Audit Logs Daily

PCI DSS requirement 10 covers all of the implementation details for logging and log monitoring within the CDE. Unfortunately, these logs are worthless unless and until you have a process to review them and technology to support it. By reviewing logs on a daily basis, you’ll discover errors and anomalies that may signal a threat – before they do any damage.

It takes an organization an average of 206 days to detect a data breach. If most organisations were successfully reviewing logs on a daily basis, they’d find breaches within hours rather than days (or, months).

5. Don’t Store Sensitive Authentication Data after Authorisation

PCI DSS mandates the protection of Sensitive Authentication Data (SAD) which is comprised of full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more. Cyber criminals put a high value on SAD or “magnetic stripe data” because access to this raw data enables them to clone stolen credit cards for resale.

Some merchants who rely on recurring billing may falsely believe that they must store all SAD for this purpose. Instead, reduce your exposure by using a third-party credit card vault and tokenisation provider. In this setup, the CHD is replaced with a token during billing and payment authorisation procedures.

Credit card numbers remain in the top 10 most popular types of stolen data traded on the dark web. The value of stolen credit card account numbers varies from $5-$110, with CVV data adding a $5 uplift, full bank information another $15 and a full package of name, birthdate, and other personal data adding another $30.

And, don’t forget – PCI DSS isn’t just for Christmas! Retailers need to ensure that audits are carried out on a regular basis and that they’re treating customers’ data with the utmost respect, or come next year, they’ll be finding someplace else to shop.

Sanjay Ramnath is the vice president of product marketing AlienVault an AT&T company.