Best practices for complying with PCI DSS 4.0

May 13, 2022
New standards intended to promote security as a continual practice, not an annual checklist event

It’s not breaking news that payment fraud is on the rise. According to the latest report from the Association of Financial Professionals (AFP), nearly 75% of organizations were targets of a payments fraud attack in 2020. IBM’s 2021 Cost of a Data Breach Report put the average total cost of such cyber breaches at $5.72M for financial services.

And despite global compliance standards and frameworks designed to mitigate the risk of attack, payment fraud activity continues to increase gradually year on year. Companies are not yet achieving security from compliance. But why is this?

As digital payment becomes the preferred transaction method for consumers and companies, lawmakers have introduced more and more practices that scrutinize how online data is shared and stored in order to decrease risk. Today, any company that accepts payments from major credit cards must comply with standards set forth by the Payment Card Industry Security Standards Council (PCI SSC), which has recently released version 4.0 of its Data Security Standard (DSS) to:

  • Continue to meet the security needs of the payment industry
  • Promote security as a continuous process
  • Add flexibility for different methodologies
  • Enhance validation methods

PCI DSS 4.0 boasts some of the most significant changes to the standard since 2004, reflecting the increase in risk the industry now needs to mitigate. Indeed, the changes ensure the standard continues to meet the complex, ever-changing landscape of payment security, and of particular note is the council’s push to make security a continuous process. The flexibility to use different methodologies to achieve continuous security and enhance validation of compliance is also the bedrock of the new standard.

A key change for every business that needs to comply with PCI DSS 4.0 is to move past the idea that compliance is an annual tick-box event and to use the compliance requirements as a way to deliver better network security, every day. This is the only way to effectively protect the business against increasingly frequent and sophisticated attacks.

Moving towards a continuous approach requires organizations and their network security and compliance teams to enhance and, in many cases, redevelop their assessment processes and invest in security automation, if they haven’t already done so. To take one essential example, network owners need a way to accurately and continuously validate the security of their network devices. This requires vulnerability management software that can identify misconfigurations and continuously prioritize remediation based on risk, according to the best practices in the PCI DSS 4.0 risk management framework.

So here are three network security best practices that can help businesses achieve compliance with the new version of the framework:

1. Implement network segmentation. First and foremost, the PCI Council has already identified, through its focus on PCI compliance for the Cardholder Data Environment (CDE), that effective network segmentation is key to minimizing security and compliance risks. Segmentation prevents lateral movement within the network, so an organization can limit its attack surface and therefore limit the amount of damage caused if there is an attack. It also helps teams manage which segments need to comply with specific compliance standards. Many organizations that hold financial data use PCI-compliant firewalls to separate cardholder data environments from other parts of the network. Segmentation is a valuable strategy for keeping the network secure and being more confident about meeting compliance goals. Segmenting other critical parts of the network beyond the CDE will also significantly reduce the non-PCI business risk associated with a breach of the confidentiality, integrity, or availability of critical operational systems and data.

2. Where automation allows, abandon sampling. Traditionally, organizations have demonstrated compliance with PCI DSS by auditing a sample of devices and assuming the sampled results are representative of the entire network or CDE. This is an inherently risky approach, as it does not provide anywhere near a complete picture. It’s why the new requirements recommend that sampling should not be used where automation allows. This is a key shift in approach that, along with adopting a zero-trust mindset (see next point), will deliver security from PCI DSS 4.0 compliance.

3. Adopt a zero-trust mindset. As well as moving away from sampling, PCI DSS 4.0 promotes security as a continuous rather than annual process. This aligns with security best-practice principles like zero trust, which assumes the perimeter has already been breached, so no network device within the CDE or the wider network can be trusted by default; every one of them must instead be verified, every day.

This reflects the risk posed by configuration drift, where network engineers make changes to meet operational requirements, resulting in device configurations drifting out of compliance with policy and creating unintended security risks. As firewalls, routers and switches are integral to effective network segmentation and attack surface reduction, businesses need to implement automated ways to continuously detect configuration drift.

However, automating the assessment process is just the start. To deliver effective zero-trust security from continuous compliance assessments of the CDE, companies need tools that can deliver accurate, risk-prioritized remediation advice. They need to know which vulnerabilities pose the most risk, not just to their compliance status but to their security posture. And they need to know how to fix them. Only then can they feed remediation workflows in a way that maintains or improves their levels of both security and compliance.
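The first best practice above, network segmentation, is only as good as the firewall rules that enforce it. The following script is an added example, not code from the article or from Titania, showing how a compliance team can audit a firewall ruleset for allow rules that let traffic from outside the CDE reach it. The zone names, the rule format and the approved ingress list are all constructed for illustration.

```python
"""Segmentation audit: flag firewall rules that expose the CDE to other zones.

Added example, not the article's or Titania's code. The zone names, the
rule format and the approved ingress list are all constructed.
"""
from dataclasses import dataclass

CDE_ZONE = "cde"

# Approved ingress into the CDE as (source zone, destination port) pairs.
# Hypothetical policy: payment front ends on 443, the management zone on 22.
APPROVED_INGRESS = {("dmz-payment", 443), ("mgmt", 22)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    dst_ports: frozenset   # ints, or frozenset({"any"})
    action: str            # "allow" or "deny"


def audit_segmentation(rules, approved=APPROVED_INGRESS, cde_zone=CDE_ZONE):
    """Return (rule name, severity, reason) for every allow rule that lets
    traffic into the CDE outside the approved ingress list.

    Rule ordering is deliberately ignored: a broad allow that happens to be
    shadowed by an earlier deny is still reported, because a later edit can
    un-shadow it without anyone noticing.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.dst_zone not in (cde_zone, "any"):
            continue                      # not an allow into the CDE
        if rule.src_zone == cde_zone:
            continue                      # intra-CDE traffic, out of scope here
        if rule.src_zone == "any" or "any" in rule.dst_ports:
            findings.append((rule.name, "high",
                             "permits broad access into the CDE"))
            continue
        unapproved = sorted(p for p in rule.dst_ports
                            if (rule.src_zone, p) not in approved)
        if unapproved:
            findings.append((rule.name, "medium",
                             f"ports {unapproved} from {rule.src_zone} into CDE"))
    return findings


# Constructed ruleset for illustration.
SAMPLE_RULES = [
    Rule("web-to-cde", "dmz-payment", "cde", frozenset({443}), "allow"),
    Rule("mgmt-ssh", "mgmt", "cde", frozenset({22}), "allow"),
    Rule("corp-to-cde-rdp", "corp", "cde", frozenset({3389}), "allow"),
    Rule("any-to-cde", "any", "cde", frozenset({"any"}), "allow"),
    Rule("deny-all", "any", "cde", frozenset({"any"}), "deny"),
]

if __name__ == "__main__":
    for name, severity, reason in audit_segmentation(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
```

Run against the constructed ruleset, the audit reports the corporate RDP rule and the catch-all allow, and accepts the two approved flows. A real deployment would load the rules from each firewall's exported policy and run this on every change, so that a rule added to "just get something working" is caught the same day rather than at the next annual assessment.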

While none of this is rocket science, and all of it is entirely feasible with the right toolset and processes in place, it’s not something that all organizations have traditionally found easy. According to a report by Verizon, in 2019 only 27.9% of global organizations maintained full compliance with PCI data security standards (DSS), a decline for the third year in a row. And this was before the added requirement to shift to security as a continuous process. So, the added flexibility of methodology and validation methods that 4.0 allows is going to be key to enabling more companies to demonstrate compliance.
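To make the second and third best practices concrete, here is an added example (not the article's or Titania's code) of a sample-free, continuous configuration check: every device in the inventory is assessed against a policy, its running configuration is diffed against the last approved baseline to surface drift, and the resulting findings are ordered by risk so the remediation worklist starts with what matters most. The device names, configurations, baselines and policy checks are all constructed for illustration.

```python
"""Continuous, sample-free configuration-drift check across a device inventory.

Added example, not the article's or Titania's code. The device configs, the
approved baselines and the policy checks below are all constructed.
"""
import difflib

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Hypothetical policy: each check is (id, severity, kind, config line, fix).
# "required" lines must be present; "forbidden" lines must be absent.
POLICY = [
    ("vty-ssh-only", "critical", "required", "transport input ssh",
     "Restrict VTY access to SSH"),
    ("no-http-server", "high", "forbidden", "ip http server",
     "Disable the plaintext HTTP management server"),
    ("central-logging", "medium", "required", "logging host 10.0.0.5",
     "Send logs to the central collector"),
    ("ntp-sync", "low", "required", "ntp server 10.0.0.6",
     "Synchronize clocks so log timestamps are trustworthy"),
]


def check_device(device, config_lines, policy=POLICY):
    """Evaluate one device's running config against the policy."""
    present = {line.strip() for line in config_lines}
    findings = []
    for check_id, severity, kind, line, fix in policy:
        failed = ((kind == "required" and line not in present) or
                  (kind == "forbidden" and line in present))
        if failed:
            findings.append({"device": device, "check": check_id,
                             "severity": severity, "fix": fix})
    return findings


def drift_lines(approved, current):
    """Lines added (+) or removed (-) relative to the last approved config."""
    diff = difflib.unified_diff(approved, current, lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def audit_inventory(inventory, approved):
    """Assess every device (no sampling) and return a risk-ordered worklist."""
    per_device = {}
    all_findings = []
    for device, config in inventory.items():
        findings = check_device(device, config)
        per_device[device] = {
            "findings": findings,
            "drift": drift_lines(approved[device], config),
        }
        all_findings.extend(findings)
    # Most severe first; the stable sort keeps policy order within a severity.
    worklist = sorted(all_findings,
                      key=lambda f: SEVERITY_WEIGHT[f["severity"]], reverse=True)
    summary = {
        "assessed": len(inventory),
        "compliant": sum(1 for d in per_device.values() if not d["findings"]),
    }
    return per_device, worklist, summary


# Constructed baselines (last approved config) and running configs.
APPROVED = {
    "fw-cde-1": ["hostname fw-cde-1", "transport input ssh",
                 "logging host 10.0.0.5", "ntp server 10.0.0.6"],
    "rtr-cde-2": ["hostname rtr-cde-2", "transport input ssh",
                  "logging host 10.0.0.5", "ntp server 10.0.0.6"],
    "sw-cde-3": ["hostname sw-cde-3", "transport input ssh",
                 "logging host 10.0.0.5", "ntp server 10.0.0.6"],
}
RUNNING = {
    "fw-cde-1": list(APPROVED["fw-cde-1"]),            # unchanged
    "rtr-cde-2": ["hostname rtr-cde-2", "transport input telnet ssh",
                  "ip http server", "logging host 10.0.0.5",
                  "ntp server 10.0.0.6"],               # telnet + http enabled
    "sw-cde-3": ["hostname sw-cde-3", "transport input ssh",
                 "logging host 10.0.0.5"],              # ntp line removed
}

if __name__ == "__main__":
    per_device, worklist, summary = audit_inventory(RUNNING, APPROVED)
    print(summary)
    for f in worklist:
        print(f"[{f['severity']}] {f['device']}: {f['check']} -> {f['fix']}")
    for device, result in per_device.items():
        for line in result["drift"]:
            print(f"{device} drift: {line}")
```

On the constructed inventory the audit covers all three devices rather than a sample, finds one fully compliant, and puts the router's re-enabled telnet access at the top of the worklist ahead of the switch's missing NTP line. The drift output shows the exact lines that changed since the baseline was approved, which is what an engineer needs to decide whether a change was an authorized operational update or an unintended regression.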

Ultimately, as Covid-19 has accelerated the speed with which digital has become the preferred means of payment for a vast number of consumers and companies, electronic payments will only increase, and more data will be shared and stored.

Consequently, regulators and lawmakers worldwide will continue to subject companies’ compliance practices to greater scrutiny to ensure they are delivering the desired security, so businesses need to automate foundational cyber hygiene to minimize risks, protect CDEs from preventable attack, and keep payment card data safe.

If organizations achieve the continuous network security processes to comply with PCI DSS 4.0, they’ll be in a much, much better place, and their networks and data will be much more secure.

About the Author:

Phil Lewis, CEO of Titania, has a proven track record in strategic risk management, starting with Deloitte and continuing with market-leading telecoms, law enforcement and cybersecurity firms, before leading Titania’s global expansion as a specialist in accurate, automated network configuration risk assessments. He is passionate about enabling organizations to deliver network security from compliance automation by helping them prioritize the remediation of the most critical risks to their business first.