PCI DSS requirements companies hate to implement, and why we should embrace them

Most organizations initially approach PCI DSS compliance because they have to. Perhaps a business partner, customer, or their acquiring bank requested an update on compliance status. Regardless of the reason an organization initially begins working toward PCI compliance, when dealing with PCI compliance efforts, organizations can rationalize their approach in different ways:

  • “Just pass the requirements to get certified now and fine-tune the program after,”
  • “Incorporate PCI compliance from the start to ensure we maintain compliance in the future,” or
  • “Map and integrate current cybersecurity practices to PCI requirements.”

One significant hurdle in these situations is how to implement and meet the requirements with as little pushback as possible, a.k.a. the human resistance to change. The compliance effort not only has to satisfy the PCI Council’s requirements; it also has to balance the effective implementation of the PCI controls against the impact on system users (the unspoken rule of compliance integration) while still ensuring the assessment is successful.

Poor implementation relates to real-world breaches

In September 2019, the Payment Card Industry Security Standards Council (PCI SSC) held its annual Community Meeting for North America to convey the latest information about the PCI standards and to solicit feedback from the largest merchant and QSA firms regarding the planned changes. Amidst all of the news and updates about the next versions of PCI DSS, P2PE, and the Software Security Standards, one lesser-noted session during the Community Meeting was a look at how the lack of proper implementation of PCI requirements directly related to real-world breaches.

The PCI Council shared data on some industry trends based on the Payment Card Industry Forensic Investigator (PFI) program, which echoed this year’s Data Breach Investigations Report (DBIR) released by Verizon. The Council’s analysis presented trends that have (unfortunately) mostly not changed since 2016, showing that failure to properly implement or maintain PCI requirements 5, 6, 8, 10, and 11 all directly contributed to multiple breaches of credit card data. These trends identified by the PCI’s PFI analysis match up closely with the findings outlined in the Verizon Breach report, including data indicating that most breaches occur through Web Applications, Backdoors, or Command and Control (C2), and via the use of stolen credentials.

Reasons to Implement and Maintain PCI Requirements

Here’s a quick analysis of the specific PCI requirements that PCI compliance programs often revile, some reasons why, and a look at why they are essential, starting with Requirement 5.

PCI Compliance Requirement 5

  • Where the hate lies: Fine-tuning the malware solution used on endpoints to meet organizational needs without impeding end-users’ ability to send or receive e-mail, while also not giving the impression that Information Technology or “The Man” is reading the end-users’ e-mail.
  • The compliance concern: Malware can be deployed and leveraged in several ways to infiltrate an organization’s environment and can then be used to establish or advance attacks on the organization’s network. Based on PCI’s PFI analysis, e-mail is the most common entry point for deploying malware into an organization.

PCI Compliance Requirements 6 and 11

  • Where the hate lies: Understanding all of the payment channels and organizational processes for handling credit card payments and ensuring the processing ecosystem has properly implemented safety controls (defense-in-depth, proper training and oversight of the development team, and system patching).
  • The compliance concern: Attackers and malicious users need a starting point from which to launch an attack, such as vulnerable servers, applications, or stolen credentials. Organizations should ensure that ASV scan results and application and penetration test findings are remediated in a timely manner. The Council’s PFI analysis suggested that vulnerability management has been and continues to be one of the leading contributors to reported breaches. The DBIR revealed that of the hundreds of organizations included in the report, most failed to remediate 50 percent or more of the vulnerabilities identified in vulnerability scan reports within 90 days of their identification. Interviews conducted with cybercriminals also revealed that they often read the same cybersecurity blogs as security practitioners to gain information on known vulnerabilities and valuable insight into which companies are struggling to address those issues.

Multifactor Authentication, How I Loathe Thee

PCI Compliance Requirement 8

  • Where the hate lies: Multifactor Authentication for “everything.” The hate usually doesn’t come from end-users, who have come to expect MFA to be imposed upon them; it is often the administrators managing the PCI systems daily. “We know what we are doing, why do we have to jump through all the extra hoops?”
  • The compliance concern: The DBIR noted that 62% of breaches involved the use of stolen credentials (including administrator credentials), brute force, or phishing. PCI has required organizations to deploy multifactor authentication across all systems that support the organization’s Cardholder Data Environment. Effectively implementing MFA will mitigate the impact of stolen credentials across the organization.

PCI Compliance Requirement 10

  • Where the hate lies: Logging and alerting on systems and applications within an organization’s Cardholder Data Environment results in data, data, and more data. Who is going to decipher all the data that has been collected? Who is going to be notified once the alerts are created, and who is responsible for the investigation of the alerts?
  • The compliance concern: 56% of breaches went undetected for a month or longer before they were discovered. Incidents that involve the theft of physical devices or removable hardware are easily noticed and reported. Incidents in which data was exported in some manner from network assets, however, were harder to detect and took longer to contain or remediate because of the overwhelming amount of data that had to be reviewed to establish the facts of the incident.

While reading the PCI DSS requirements and contemplating the love/hate struggles that organizations face on an annual, quarterly, monthly, or even daily basis, did any of these challenges resonate with you? If so, your next course of action should include education, communication, professional services, or a combination of the above. Contact LBMC Information Security, and we can help you eliminate the hate.