Today, it seems like cash is a thing of the past, with most shoppers relying on credit cards or even mobile payment to complete transactions for both physical and online purchases. With the rise of these forms of payment, retailers are responsible for protecting their customers’ critical data from threat actors lurking around every corner, ready to siphon off sensitive personal information. Material breaches, those that jeopardize numerous records or have a significant impact on business operations, are even up 24.5%, with retailers suffering the most across all industries.

Enter the Payment Card Industry Data Security Standard (PCI DSS): the gold standard for compliance for all companies that store, transmit and process cardholder data, designed to improve the security of sensitive user data. Along with changing regulations for government agencies, retailers are preparing to navigate the next major update: PCI DSS 4.0.

As threat actors look to retailers beginning their journey to PCI DSS 4.0 compliance, retail organizations must remember that compliance is just the start of their cybersecurity journey. While PCI DSS 4.0 provides guidance toward a stable foundation of cybersecurity best practices that protect critical customer data from new and emerging threats, retailers should build on these requirements to move from a reactive cybersecurity approach to a proactive approach.

Changing the tides of PCI DSS 4.0

Effective 2024, this PCI evolution marks the first update since 2018 and helps address many of the technology and cybersecurity changes the retail industry is experiencing. While the update brings many positive changes, one of the most concerning, in my opinion, is that Requirement 12.3.2 allows organizations to customize their approach to proving compliance with each of the security requirements.

On the surface this is explained as an evolution of the existing compensating control model, and it makes sense from that perspective. However, as a former internal PCI security assessor and practitioner at several Tier 1 merchants, I find this check concerning because it is the responsibility of the Qualified Security Assessor (QSA) to determine whether the merchant's approach and testing methodology are appropriate.

In this blog post from the PCI Security Standards Council (SSC), the author states that “the custom approach is most effective when the entity has robust security processes and strong risk management practices and is able to design, document, test and effectively maintain security controls to achieve this goal.” However, in my experience, QSA quality varies widely and often consists of a team of junior analysts led by a senior analyst with support from a QA team.

This approach is effective when the controls are prescriptive, but because more complex controls can be implemented and audited through this method, the ability to understand and properly assess the custom approach requires high-level resources. With the current dearth of expertise in the field, particularly in payment infrastructure and technology, I anticipate this gap will increase the time required to certify a compliance report, and this should be factored into QSA and merchant timing expectations.

Bruce Schneier once said in an interview that “complexity is the worst enemy of security”. I am concerned that this tolerance for bespoke approaches will increase the complexity of a security solution, and that a lack of deep domain understanding of the solution's elements will inadvertently introduce security holes that are not covered by PCI DSS controls, because effectiveness cannot be properly tested against the original requirements as set forth in the DSS.

Retail organizations looking to take this customizable direction must consider the growing opportunities it presents to threat actors looking to exploit these non-standard routes. Additionally, the long lead time for these regulations to be implemented gives attackers a window to use the framework as a template to breach retailers before they have time to implement changes in their cybersecurity strategy.

Balance between compliance and security

As many retailers seek to tick the compliance box, they must remember to look beyond PCI DSS 4.0 standards to create an approach to cybersecurity that protects their critical assets. A proactive approach to cybersecurity strategies involves regularly assessing risk probabilities and impacts, integrating cybersecurity into enterprise-wide risk management, and working with business leaders to mitigate risk.

While taking a proactive approach to cybersecurity can seem daunting, retailers should prioritize a few key aspects to develop a holistic strategy:

  1. Risk scoring and quantification: A risk score provides an objective measure of security posture that takes into account a wide range of risk factors. By converting data-driven metrics and threat intelligence into an easy-to-grasp representation of actual cyber risk, organizations can better understand how secure their assets are and identify the security weaknesses with the greatest potential financial impact. With this understanding, they can better control the scope of the risk assessments mandated in Requirement 12.
  2. Prioritization of vulnerabilities: To truly understand cyber risk and prevent breaches, advanced vulnerability prioritization automatically takes into account threat intelligence, asset context and attack path analysis. This allows for smarter and more accurate remediation strategies than simply considering CVSS severity. Organizations with complex environments and limited resources can target their efforts where it matters by prioritizing the vulnerabilities that pose the greatest risk. Prioritization is required by Requirement 6.3, and attack path analysis can help reduce the overall scope of the cardholder data environment (CDE).
  3. Exposure analysis: An exposure is an exploitable vulnerability that a malicious actor can reach and compromise. Exposure analysis identifies exploitable vulnerabilities and correlates them with an organization’s unique network and security controls to determine which high-risk assets are exposed to threat actors. Without exposure analysis, organizations can waste a lot of time and resources chasing vulnerabilities that are unlikely to lead to a breach. Understanding network access is a fundamental tenet of the DSS and is essential to accurately define the CDE and avoid wasting audit resources through failure to adequately demonstrate segmentation. Exposure analysis is a key capability for proving that segmentation and reducing scope.
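To make the second and third points concrete, the following added example (not code from the post or from Skybox) ranks a constructed set of findings two ways: by CVSS alone, and by a context-aware score that folds in known exploitation (threat intelligence), CDE membership (asset context) and reachability from an untrusted network (exposure). The hosts, finding identifiers and weights are all invented for illustration.

```python
"""Added example: CVSS-only vs context-aware vulnerability prioritization.

Weights, hosts and finding ids are constructed placeholders, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str   # placeholder id, not a real CVE
    cvss: float       # CVSS base score, 0-10
    exploited: bool   # threat intel: exploitation observed in the wild
    in_cde: bool      # asset context: host is inside the CDE
    reachable: bool   # exposure: a network path exists from an untrusted zone


def risk_score(f: Finding) -> float:
    """Scale CVSS by likelihood (exploited, reachable) and impact (in CDE).

    An unreachable finding is scaled down heavily rather than dropped, so it
    stays in the backlog but no longer outranks exposed assets.
    """
    score = f.cvss
    score *= 1.5 if f.exploited else 1.0
    score *= 2.0 if f.in_cde else 1.0
    score *= 1.0 if f.reachable else 0.25
    return round(score, 2)


def prioritize(findings, by_cvss_only=False):
    """Return findings ordered highest priority first."""
    key = (lambda f: f.cvss) if by_cvss_only else risk_score
    return sorted(findings, key=key, reverse=True)


# Constructed sample inventory: a segmented POS terminal with a critical but
# unreachable flaw, an exposed CDE web host, an exploited non-CDE server, and
# an isolated lab VM.
FINDINGS = [
    Finding("pos-terminal-01", "finding-1", 9.8, False, True, False),
    Finding("dmz-web-01", "finding-2", 7.5, True, True, True),
    Finding("hr-fileserver", "finding-3", 9.1, True, False, True),
    Finding("lab-vm-07", "finding-4", 6.4, False, False, False),
]

if __name__ == "__main__":
    print("CVSS-only:", [f.host for f in prioritize(FINDINGS, by_cvss_only=True)])
    print("Context-aware:", [f.host for f in prioritize(FINDINGS)])
```

The CVSS-only ordering puts the segmented POS terminal first; the context-aware ordering moves the exposed CDE web host to the top, which is the remediation order an exposure analysis would justify to a QSA.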

By taking a proactive approach to cybersecurity alongside the latest PCI DSS updates, retailers will be armed with the right tools to protect their most critical asset: customer data. These strategies enable retail businesses to build modern cybersecurity programs that defend against the growing threats facing the industry today, such as the increase in ransomware and phishing attacks that can lead to data breaches.


Terry Olaes is Director of Systems Engineering for North America at Skybox Security. With over 20 years of IT experience, his expertise includes IT/OT convergence, audit and compliance, data breaches and incident management. Working on the ground floor of a manufacturing plant, serving as a systems engineer, and managing large security teams has provided Olaes with a unique perspective on strengthening the IT/OT security posture. He specializes in helping organizations design the right cybersecurity strategies to help manage vulnerabilities and mitigate risk in hybrid IT, OT and cloud environments.
