4 Security Tips From PCI DSS 4.0 Anyone Can Use



With the final switchover to the latest version of the credit card standard, here’s what all security professionals can draw from the changes.
March 11, 2024
To security professionals, compliance may not be the sexiest subject. It is an important one, however, for a variety of reasons. The security team are important stakeholders in governance, risk, and compliance (GRC) efforts, and thus, those efforts deserve an appropriate amount of attention within the goals and priorities of the security organization.
Lately, many compliance standards and frameworks have evolved to include requirements that look a lot more like security best practices than mere checkboxes. The PCI DSS 4.0 standard is a great example of this. How so? Let's use this standard to go through a few examples.
Before we do, let's establish who PCI DSS is for. The Payment Card Industry Security Standards Council (PCI SSC), a group of credit card industry players, set up and administers the standard. Any entity that accepts card payments under the brands of PCI SSC members, including Visa, Mastercard, American Express, Discover, JCB International, or UnionPay, needs to keep cardholder data safe.
In other words, all businesses that accept credit card payments must comply with this standard. The latest version, 4.0, was released in March 2022, with a two-year transition period.
According to the PCI Security Standards Council, "This transition period, from March 2022 until 31 March 2024, provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements." On March 31, PCI DSS 4.0 will become the only active version of the standard.
The current timing gives us a great opportunity to work through a few of the changes in v4.0, particularly as they relate to us as security professionals.
After a spate of attacks and fraud resulting from malicious third-party scripts injected into a variety of legitimate business websites, PCI DSS was updated in 2023 to include two new requirements: 6.4.3: Manage Payment Page Scripts to Prevent Skimming and 11.6.1: Deploy a Mechanism to Detect Skimming.
The first requirement, 6.4.3, dictates that companies confirm the authorization and integrity of every script loaded on a payment page, and keep an inventory of all such scripts with a written justification for why each one is necessary. The second requirement, 11.6.1, says that companies must alert personnel to unauthorized modification of the HTTP headers and of the payment page content as received by the consumer's browser; to do so they must configure a mechanism that evaluates those headers and pages as the consumer receives them, and run that evaluation at least weekly.
These two requirements mean that businesses will need to essentially deploy two additional controls, one protective and one detective:
Protective Control: Proactively ensure that there are no malicious scripts on payment pages (third-party or otherwise)
Detective Control: Monitor scripts on payment pages and alert when malicious scripts are detected
Aside from being a requirement of the updated standard, these two controls are also a good idea and a great way to improve an organization's security posture.
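The two controls above, as an added illustration that is not part of the article and not PCI SSC guidance: an authorized-script inventory with a justification per entry (the protective side of 6.4.3), and a check that compares a fetched payment page and its HTTP headers against that inventory and a header baseline (the detective side of 11.6.1). The page content, script URLs, inventory and headers below are constructed sample data; in practice the HTML and headers would come from a scheduled fetch of the live payment page.

```python
"""Inventory-based change and tamper detection for a payment page.

Added example (not the article's or PCI SSC's code). All URLs, the sample page
and the headers are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser

# Protective control: every authorized external script, with its justification.
# Anything not listed here is unauthorized by definition.
SCRIPT_INVENTORY = {
    "https://checkout.example.com/static/checkout.js": "first-party checkout form",
    "https://cdn.psp.example/v3/tokenize.js": "payment service provider tokenization",
    "https://checkout.example.com/static/fraud-signals.js": "fraud scoring telemetry",
}

# Authorized inline scripts are pinned by SHA-256 of their (whitespace-stripped) body.
AUTHORIZED_INLINE = "window.checkoutConfig = {currency: 'USD'};"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


INLINE_HASHES = {sha256_hex(AUTHORIZED_INLINE.strip())}

# Expected security-relevant response headers (constructed baseline).
HEADER_BASELINE = {
    "Content-Security-Policy": "script-src 'self' https://cdn.psp.example",
    "X-Frame-Options": "DENY",
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def evaluate_payment_page(html, headers, inventory, inline_hashes, header_baseline):
    """Return a list of (finding_kind, detail) tuples; empty means no deviation."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    present = set(collector.external)
    # Additions: scripts on the page that nobody authorized.
    for src in collector.external:
        if src not in inventory:
            findings.append(("unauthorized_script", src))
    # Deletions: authorized scripts that have disappeared (also a change worth an alert).
    for src in inventory:
        if src not in present:
            findings.append(("missing_script", src))
    # Modifications: inline bodies whose hash is not pinned in the inventory.
    for body in collector.inline:
        digest = sha256_hex(body.strip())
        if digest not in inline_hashes:
            findings.append(("unexpected_inline", digest[:16]))
    # Header drift, compared case-insensitively on the header name.
    observed = {name.lower(): value for name, value in headers.items()}
    for name, expected in header_baseline.items():
        if observed.get(name.lower()) != expected:
            findings.append(("header_mismatch", name))
    return findings


# Constructed sample: one unauthorized script, one authorized script missing,
# one modified inline snippet, and a CSP that now allows an extra origin.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://checkout.example.com/static/checkout.js"></script>
<script src="https://cdn.psp.example/v3/tokenize.js"></script>
<script src="https://static.unknown-cdn.example/analytics.js"></script>
<script>window.checkoutConfig = {currency: 'USD'};</script>
<script>window.checkoutConfig = {currency: 'USD', debug: true};</script>
</head><body><form id="card"></form></body></html>"""

SAMPLE_HEADERS = {
    "content-security-policy": "script-src 'self' https://cdn.psp.example https://static.unknown-cdn.example",
    "x-frame-options": "DENY",
}


def run_sample():
    return evaluate_payment_page(
        SAMPLE_PAGE, SAMPLE_HEADERS, SCRIPT_INVENTORY, INLINE_HASHES, HEADER_BASELINE
    )


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"ALERT {kind}: {detail}")
```

Each finding maps to one of the 11.6.1 change classes (addition, deletion, modification, header change), so the output can be routed straight to whoever owns the alert queue; the inventory dict doubles as the 6.4.3 artifact, since each entry carries its justification.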
The PCI DSS Quick Reference Guide has been updated in parallel with the standard itself. For example, look at this point from requirement 1 of the "Summary of PCI DSS v4.0 Requirements 1–12" section of the document:
"Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules. Traditionally this function has been provided by physical firewalls; however, now this functionality may be provided by virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology."
This is a nod to the far more complex world we live in network-wise. What it means for businesses, practically speaking, is that they will need to solve for network security needs in hybrid and multicloud environments, most likely by having a distributed cloud strategy.
Requirement 6 in the Quick Reference Guide has this interesting tidbit: "Applications must be developed according to secure development and coding practices, and changes to systems in the cardholder data environment must follow change control procedures."
This screams the need for proper API security. Of course, the secure software development lifecycle (SSDLC) is an important component of this. Beyond that, though, businesses will also need to know when systems in the cardholder data environment change, and establish that those changes follow proper change control procedures.
This highlights a number of important considerations for security teams:
Strict inventory and management of APIs
Mature ability to apply policies and controls consistently across all APIs in all environments
Robust API security capability to ensure that APIs are properly protected against attacks and fraud
Sophisticated API Discovery capability to ensure that APIs deployed "under the radar" can be discovered, inventoried, and managed
The ability to properly secure APIs will be a crucial one for businesses in the coming years, as APIs are rapidly becoming the linchpin of modern business.
Requirement 10 of the Quick Reference Guide states that companies need to use logging mechanisms, saying "The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is difficult, if not impossible, without system activity logs."
Now, of course, as security professionals, we know this already. But have we stopped to consider whether we have the proper level of visibility across our hybrid and multicloud environments? If we don't, how do we plan to obtain that visibility?
These are important questions that businesses need to consider as part of PCI compliance, but they are also important as part of their security strategy in general. Businesses will need to ensure that they have proper logging and monitoring across their hybrid and multicloud environments, and they will need to use that visibility to properly monitor those environments for security, fraud, abuse, and compliance issues.
The updates in v4.0 of PCI DSS are good ones. Besides updating the standard to incorporate the evolving threat landscape and the preponderance of hybrid and multicloud environments, these updates provide excellent guidance for security teams looking to improve their organization's security posture. I would argue that what is good for payment card security is good for the overall security of a business.
Joshua Goldfarb
Global Solutions Architect — Security, F5
Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.