Retailers and online stores are a favorite target for hackers, and with good reason: a successful breach of a payment card system can bring them huge financial gain. Yet, in spite of the risks, merchants are still struggling to meet the demands of payment card security. According to the 2020 Verizon Payment Security Report, only 27.9% of organizations are currently able to maintain full compliance with the Payment Card Industry Data Security Standard (PCI DSS). At the same time, the number of card and contactless payments continues to rise, as consumer preferences steadily shift in favor of plastic, mobile wallets and online shopping.
Not only that, but the retail sector is also in the throes of a digital revolution, as retailers migrate their applications from static on-premises hardware to complex, scalable and elastic cloud-based infrastructure. These new dynamic computing environments demand a switch in focus from conventional cybersecurity methods towards individual workload protection, API security and configuration management.
This post discusses the compliance requirements of the PCI-DSS and the implications they have for payment card systems hosted in modern hybrid-cloud and multi-cloud environments. So let’s begin.
The PCI-DSS is an information processing standard that provides a framework for protecting payment card transactions and cardholder details from fraudsters.
It specifies a set of baseline measures you must put in place to help minimize the risk of cardholder data compromise.
The standard applies to any business or organization that accepts or processes card payments. So it predominantly affects retail businesses and any company that provides software or hardware used to process transactions.
It differs significantly from data privacy laws, such as the General Data Protection Regulation (GDPR), which also affect the retail and e-commerce industry.
For example, the PCI-DSS is a security-oriented standard. By contrast, security forms just one part of data protection regulations, which also cover aspects of privacy such as privacy notices on websites, consent to add customer details to mailing lists and right-of-access requests from consumers.
The PCI-DSS was also developed by the Payment Card Industry Security Standards Council (PCI SSC)—an administrative organization formed by commercial payment network processors. However, data privacy laws are administered by governmental bodies—at state, national or international level.
The PCI-DSS sets out different pathways to compliance, each of which maps to one of four different compliance levels. The number of transactions you process a year determines your own particular compliance level.
Payment card companies may, at their discretion, issue fines for non-compliance with the PCI-DSS. In addition, a breach of the PCI-DSS is also likely to constitute a breach of applicable privacy legislation such as the GDPR or California Consumer Privacy Act (CCPA). And also potentially state laws, such as Minnesota’s Plastic Card Security Act.
So, in the event of a violation, you may be subject to a multitude of different financial penalties and sanctions.
The PCI-DSS specifies twelve technical and operational requirements, as follows.
A firewall is your first line of defense, preventing potentially malicious traffic from entering your network based on a set of pre-configured rules.
However, traditional perimeter-based firewalls are no longer enough to protect your cloud assets, as there’s no clear boundary between your users and internal network.
To overcome this issue, you’ll need a cloud firewall. This works much like a conventional firewall, but has been specifically adapted to the distributed nature of the cloud, where applications are broken up into discrete components dispersed across your network environment.
Vendors of routers, POS systems and related components supply their equipment with default usernames, passwords and configurations to make installation and setup as quick and easy as possible.
This makes them an easy target for cyber-criminals.
These factory settings are readily available to fraudsters, who exploit them to gain access to internal networks and steal cardholder data. So only use your own unique login credentials and configurations to help keep the hackers out.
Also beware of using other default configurations, such as access permissions. CloudSecOps teams need to make sure that their applications and cloud workloads are not overly permissive and only give the necessary level of access to sensitive resources to reduce the attack surface.
The best way to protect cardholder information is simply to avoid storing it entirely. However, if you need it for business or legal purposes then you should take steps to render it unreadable.
The most common and practical method of achieving this is to encrypt your data. To comply with PCI-DSS, any such encryption must use the industry-standard AES-256 algorithm.
But remember your data is only as secure as the keys you use to encrypt it. So you also need to safeguard your encryption keys using an effective key management system.
And it’s also important to have a clear picture of what cardholder data you’re storing in the first place—typically through the use of data discovery tools and an inventory of your data assets.
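Knowing what cardholder data you hold starts with finding it, and a stray PAN in a log file is the classic discovery. The block below is an added example, not code from the original post: it scans a constructed log excerpt for candidate card numbers, keeps only those that pass the Luhn checksum (which separates real PANs from order numbers of similar length), masks them to first six and last four digits, and derives a keyed hash (HMAC-SHA256 under an assumed, externally managed key) that can serve as a lookup reference without storing the PAN. The test PANs and the demo key are constructed values; the keyed hash is shown as a one-way reference and is not a substitute for the AES-256 encryption the post describes for data you must retain.

```python
import hashlib
import hmac
import re

# Constructed sample: an application log that leaked full PANs next to a
# 16-digit order number. 4111111111111111 and 5555555555554444 are the
# well-known test card numbers; 4111111111111112 fails the Luhn check.
SAMPLE_LOG = (
    "2021-03-02 10:14:07 order=1234567890123456 pan=4111111111111111 amount=42.00\n"
    "2021-03-02 10:15:31 note: customer card 5555 5555 5555 4444 was declined\n"
    "2021-03-02 10:16:02 ref=4111111111111112 retry requested\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        n = int(char)
        if position % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def normalize(candidate):
    """Strip the separators so '5555 5555 5555 4444' becomes one digit string."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Every Luhn-valid 13-19 digit number in text, separators removed."""
    return [normalize(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(normalize(m.group(0)))]


def mask_pan(pan):
    """Keep the first six and last four digits, the maximum PCI-DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan, key):
    """Keyed hash (HMAC-SHA256) of the PAN; the key must live outside the data store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; leave other numbers alone."""
    def _mask(match):
        pan = normalize(match.group(0))
        return mask_pan(pan) if luhn_valid(pan) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"       # placeholder, not a real key
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), pan_reference(pan, demo_key)[:16])
    print(redact(SAMPLE_LOG))
```

The Luhn filter is what keeps the order number on the first line out of the findings while both real card numbers, including the space-separated one, are caught and masked.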
Make sure you correctly configure each of your cloud and on-premises environments to encrypt cardholder data, using transport layer security (TLS), where it moves across the Internet between the different parts of your payment card ecosystem. Consider investing in a comprehensive cloud network security solution for public and hybrid clouds.
Also bear in mind that payments via mobile devices are particularly at risk. So make sure every wireless network uses a strong password and the latest available Wi-Fi security protocol.
Your antivirus (AV) software should be capable of protecting all environments that host your payment card system—across your hybrid-cloud or multi-cloud infrastructure.
But it’s also important to be aware of the limitations of AV software.
New and more sophisticated types of threat have evolved to target cloud-based deployments. As a result, you now need a wider range of security approaches to protect cardholder details, such as cloud security posture management (CSPM) and cloud workload protection.
The purpose of Requirement 6 is to ensure you build security into your application development and lifecycle processes. This includes support for secure coding practices through training, guidelines and checklists, as well as regular reviews of any in-house or custom application code.
It also covers patch management, where provisions of the PCI-DSS state that you must install critical patches to third-party software within a month of release to maintain compliance.
You should limit the number of people who can access cardholder details to a bare minimum by only allowing those with a legitimate business need to do so.
The most practical way of doing this is to implement a role-based access control (RBAC) system, which should grant access to sensitive resources, such as cardholder data, based on the principle of least privilege.
Each authorized user of your systems should have a unique ID and password. This ensures you always know the identity of anyone who accesses cardholder data at any time.
Also bear in mind that the PCI-DSS now only permits remote access for users with administrative privileges when they authenticate with two-factor authentication (2FA).
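Requirements 7 and 8 combine naturally into one access decision: the caller must have a unique ID, the role must grant the specific permission, and an administrator coming in remotely must have presented a second factor. The block below is an added example, not code from the original post; the role names, permission strings and the list of generic account names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed role model for a payment system: each role carries only the
# permissions its job needs, and nothing grants full cardholder data to a
# cashier or support agent.
ROLE_PERMISSIONS = {
    "cashier":       {"transaction:create"},
    "support":       {"transaction:read_masked"},
    "fraud_analyst": {"transaction:read_masked", "cardholder:read"},
    "admin":         {"system:configure", "user:manage"},
}

# Generic account names that cannot be tied to one person (assumed list).
SHARED_ACCOUNT_NAMES = {"admin", "root", "pos", "guest", "operator"}


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    user: User
    permission: str
    remote: bool = False          # coming in over VPN / public Internet
    mfa_verified: bool = False    # second factor presented this session


def granted_permissions(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Decide a request and return (allowed, reason) so the reason can be logged."""
    if req.user.user_id.lower() in SHARED_ACCOUNT_NAMES:
        return False, "shared or generic account; every person needs a unique ID"
    if req.permission not in granted_permissions(req.user):
        return False, f"{req.permission} is not granted by roles {sorted(req.user.roles)}"
    if "admin" in req.user.roles and req.remote and not req.mfa_verified:
        return False, "remote administrative access requires a second factor"
    return True, "allowed"


if __name__ == "__main__":
    alice = User("alice.k", {"admin"})
    print(authorize(AccessRequest(alice, "system:configure", remote=True)))
    print(authorize(AccessRequest(alice, "system:configure", remote=True, mfa_verified=True)))
    print(authorize(AccessRequest(User("support_07", {"support"}), "cardholder:read")))
```

Returning the reason alongside the decision is deliberate: the denial text goes straight into the audit trail that Requirement 10 expects, so a reviewer can see why an access attempt was refused without reconstructing the role model.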
When you host applications in the public cloud, you offload the responsibility for the physical security of your servers to your cloud service provider. However, you still have a responsibility to ensure the physical security of your endpoint devices.
So you should take steps to help prevent unauthorized access to payment devices and workstations through measures such as video surveillance, security policies and procedures, staff training, time-based lockout controls and making sure screens are away from view of the general public.
Logging and monitoring access to your payment card system will help you spot the early signs of suspicious activity and will also provide you with alerts and insights when things go wrong.
The needs in this area have evolved from mere visibility to observability: not only maintaining visibility over all your card processing components, but also quickly identifying and remediating any issues. To accomplish this, you may need to look for new-generation monitoring tools that provide centralized visibility across your hybrid-cloud and multi-cloud infrastructure.
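Centralized logs only help if something is watching them. As an added example, not code from the original post, the block below runs two detections that Requirement 10 logging makes possible over a constructed log excerpt: a burst of failed logins from one user and source within a minute, and a read of cardholder data by an account that is not on the authorized roster. The key=value log format, the host and user names, and the thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: five failed logins in under a minute, a successful
# login, then a backup service account reading cardholder data it has no
# business with, followed by a legitimate analyst read.
SAMPLE_LOG = """\
2021-03-02T10:14:07Z host=pos-01 user=jsmith action=login result=fail src=10.0.5.23
2021-03-02T10:14:12Z host=pos-01 user=jsmith action=login result=fail src=10.0.5.23
2021-03-02T10:14:18Z host=pos-01 user=jsmith action=login result=fail src=10.0.5.23
2021-03-02T10:14:25Z host=pos-01 user=jsmith action=login result=fail src=10.0.5.23
2021-03-02T10:14:33Z host=pos-01 user=jsmith action=login result=fail src=10.0.5.23
2021-03-02T10:14:50Z host=pos-01 user=jsmith action=login result=success src=10.0.5.23
2021-03-02T10:15:02Z host=db-01 user=svc_backup action=cardholder_read result=success src=10.0.9.4
2021-03-02T10:15:40Z host=db-01 user=fraud_analyst_02 action=cardholder_read result=success src=10.0.3.8
"""

# Roster of accounts whose role legitimately includes cardholder:read
# (would normally come from the RBAC system, assumed here).
AUTHORIZED_CARDHOLDER_READERS = {"fraud_analyst_02"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_alerts(log_text):
    """Return (kind, user, src, raw_line) tuples for each detection that fires."""
    alerts = []
    recent_failures = defaultdict(deque)     # (user, src) -> timestamps of failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") == "login" and ev.get("result") == "fail":
            window = recent_failures[(ev["user"], ev["src"])]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()             # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("login_failure_burst", ev["user"], ev["src"], line))
                window.clear()               # one alert per burst, not per extra failure
        if ev.get("action") == "cardholder_read" and ev["user"] not in AUTHORIZED_CARDHOLDER_READERS:
            alerts.append(("unauthorized_cardholder_access", ev["user"], ev["src"], line))
    return alerts


if __name__ == "__main__":
    for kind, user, src, raw in detect_alerts(SAMPLE_LOG):
        print(f"{kind}: user={user} src={src}\n    {raw}")
```

The second detection is the more important one for cardholder data: it is cheap, it needs only the roster the access control system already holds, and it fires on a successful read, which a failed-login rule would never see.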
To complement other security measures, such as AV scanning and patch management, you should regularly check that your payment card system is robust enough to withstand potential threats.
This will involve automated tools, such as vulnerability scanning and manual approaches such as penetration testing. Other testing procedures should include regular checks on card readers for skimming software and processes to identify unauthorized wireless access points. Where necessary, you should take remedial action accordingly.
A well-documented and well-communicated information security policy will help raise staff awareness of the risks to cardholder data and their responsibilities to protect it.
Relevant policies and procedures should also be incorporated into employee manuals, third-party vendor agreements, risk assessments and incident response plans.
PCI-DSS compliance is a necessity for any organization that accepts card payments. But, while it demonstrates you’ve met baseline requirements for handling cardholder data, it doesn’t necessarily guarantee full protection.
Moreover, digital transformation and cloud migration have shifted the security goalposts. So you need to look beyond box-ticking exercises and traditional methods of security.
This calls for new solutions that are adapted to the complex and dynamic nature of hybrid-cloud and multi-cloud deployments.
For example, you should consider a cloud workload protection platform (CWPP), which protects individual applications as well as the processes and resources that support them. You should complement this with a Cloud Security Posture Management (CSPM) solution, which can identify security risks by continuously monitoring and benchmarking configurations against best practices and compliance requirements.
And you should also protect cardholder data against today’s new and increasingly sophisticated threats with a solution that provides cloud network security capabilities.
Above all, you should look for tools that provide continual protection rather than simply helping you achieve once-per-year compliance, with unified visibility across all components of your payment card system from a single pane of glass.