On 1st January 2015, the Payment Card Industry Data Security Standard (PCI DSS) 3.0 came into force. While it was initially introduced in January 2014, businesses were able to take a year to ensure that this was implemented appropriately. This standard ensures that any business that stores or processes credit and debit card information has the highest level of security in place to protect them and their customers from increasingly sophisticated threats. A big concern previously was that many organisations were viewing compliance as a one-off obligation, taking a check-box approach and leaving security as a mere afterthought once certification had been achieved. What this standard reinforces is that security must be an ongoing, active process. However, complying with such stringent regulations isn't an easy task.
The standard dates back to as early as the late 1990s, when Visa became the first card company to create a security standard for merchants conducting online payment transactions. The other leading companies soon followed suit, with all five major card brands joining forces in December 2004 to create PCI DSS 1.0, a set of mandatory compliance regulations for any business processing payments. There have been five updates since to help tackle new risks and clarify existing rules. The first in three years, PCI DSS 3.0 addresses password requirements, highlights the importance of provider compliance and helps businesses integrate compliance best practices without disrupting day-to-day processes.
In order to comply with PCI DSS 3.0, a shift is needed in the way network security is addressed – organisations need to realise that traditional defences are incapable of quickly adapting to emerging threats, rendering them inadequate when faced with today's rapidly evolving threat landscape. Indeed, if you take a look at PCI DSS requirement 5, it's now imperative that organisations implement a ‘defence in depth’ strategy and deploy additional controls that detect and block advanced attacks. While perimeter security measures undoubtedly still have a role to play in reactively defending networks, they will not stop sophisticated hacks aimed at stealing valuable information. Businesses need to be proactive and take more responsibility in gaining full visibility into their networks.
Let's also consider PCI DSS 3.0 requirement 11, which states that organisations must implement a process that enables them to respond to any abnormalities as soon as they're detected. Identifying malicious behaviour indicative of an initial compromise or attempted data breach requires the entire infrastructure involved in card processing to be properly instrumented and monitored for anomalous activity. This includes everything from point-of-sale (POS) system endpoints to the payment processor, as well as all back-office and network infrastructure.
For example, when a piece of malware is installed on a POS system, it might reach out to a Command and Control server – an abnormal communication from the POS. Or the malware might initiate suspicious process activity and/or make changes to the POS's file system. In both of these scenarios, inconsistent activity will be revealed, which, when properly monitored and analysed, will alert organisations that a breach is being attempted.
Network communications between components in the card processing chain also need to be tightly controlled and monitored, a process that is specifically mandated by PCI DSS. Because each component of the payment process is so specific in what it does, unauthorised network communications are relatively easy to spot. For example, POS endpoints should only be engaged in specific communication, such as with back-office systems or third-party processors. When a new type of network communication is observed, such as malware attempting to phone home or a malicious actor attempting to exfiltrate data, security personnel can be immediately notified.
By properly monitoring the entire IT infrastructure involved in processing credit card transactions, administrators can identify any malicious activity in the payment processing chain. The systems involved in these transactions have very specific purposes, and should be behaving in very limited and predictable ways. Whether an insider is accessing data they shouldn't be, malware is running and exfiltrating data, or a simple firewall misconfiguration is exposing a back-office server to the internet, the endpoints and/or the network's behaviour will change. The enforcement of PCI DSS 3.0 is ultimately helping businesses strengthen their security strategies so that they can recognise changes of behaviour as they happen, and subsequently stop attacks against their payment processing chain before they are compromised.
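The monitoring approach described in the last three paragraphs (a POS endpoint that suddenly talks to a new destination, beacons to a command-and-control server at regular intervals, or starts an unexpected process) can be expressed as a simple baseline comparison. The script below is an added example written for this article; it is not LogRhythm's code or the article author's. Every host name, IP address, process name, port and log line in it is constructed for illustration, and the allow-lists stand in for the per-endpoint baseline an organisation would derive from its own PCI network diagram and observed traffic.

```python
"""Baseline-driven anomaly detection for a card-processing segment.

Added example, not from the original article or from LogRhythm. All hosts,
addresses, processes and log records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from typing import Dict, List, Set, Tuple

# Constructed baseline: destinations each POS endpoint is expected to talk to
# (a back-office server and a third-party payment processor).
POS_HOSTS: Set[str] = {"pos-01", "pos-02"}
ALLOWED_DESTINATIONS: Dict[str, Set[Tuple[str, int]]] = {
    "pos-01": {("10.0.5.10", 8443), ("processor.example-acquirer.net", 443)},
    "pos-02": {("10.0.5.10", 8443), ("processor.example-acquirer.net", 443)},
}
# Constructed baseline of processes that may legitimately run on a POS endpoint.
ALLOWED_PROCESSES: Set[str] = {"posapp.exe", "svchost.exe", "printspool.exe"}

# Constructed sample logs. Flow records: "<ISO timestamp> <host> <dst> <port>".
# Process-start records: "<ISO timestamp> <host> <process> parent=<parent>".
FLOW_LOG = """\
2015-01-05T09:00:00 pos-01 10.0.5.10 8443
2015-01-05T09:00:05 pos-01 processor.example-acquirer.net 443
2015-01-05T09:01:00 pos-02 198.51.100.7 443
2015-01-05T09:02:00 pos-02 198.51.100.7 443
2015-01-05T09:03:00 pos-02 198.51.100.7 443
2015-01-05T09:04:00 pos-02 198.51.100.7 443
2015-01-05T09:10:00 pos-01 10.0.5.10 8443
"""
PROCESS_LOG = """\
2015-01-05T08:59:00 pos-01 posapp.exe parent=explorer.exe
2015-01-05T09:00:55 pos-02 svchost.exe parent=services.exe
2015-01-05T09:00:58 pos-02 updater.exe parent=posapp.exe
"""

Flow = Tuple[datetime, str, str, int]
ProcEvent = Tuple[datetime, str, str, str]


def parse_flows(text: str) -> List[Flow]:
    """Parse flow records into (timestamp, host, destination, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(port)))
    return flows


def parse_process_events(text: str) -> List[ProcEvent]:
    """Parse process-start records into (timestamp, host, process, parent)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, parent = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, parent.split("=", 1)[1]))
    return events


def unexpected_destinations(flows: List[Flow]) -> List[str]:
    """Flag each distinct POS (destination, port) outside the endpoint's baseline."""
    alerts, seen = [], set()
    for _, host, dst, port in flows:
        if host in POS_HOSTS and (dst, port) not in ALLOWED_DESTINATIONS.get(host, set()):
            if (host, dst, port) not in seen:
                seen.add((host, dst, port))
                alerts.append(f"unexpected destination: {host} -> {dst}:{port}")
    return alerts


def beacon_candidates(flows: List[Flow], min_hits: int = 3, max_jitter_s: float = 5.0) -> List[str]:
    """Flag repeated connections to one destination with near-constant spacing,
    the 'phone home' pattern of malware polling a command-and-control server."""
    by_pair = defaultdict(list)
    for ts, host, dst, port in flows:
        by_pair[(host, dst, port)].append(ts)
    alerts = []
    for (host, dst, port), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            period = sum(gaps) / len(gaps)
            alerts.append(f"beacon-like traffic: {host} -> {dst}:{port} every ~{period:.0f}s")
    return alerts


def unexpected_processes(events: List[ProcEvent]) -> List[str]:
    """Flag any process started on a POS endpoint that is not in the baseline."""
    return [f"unexpected process: {proc} (parent {parent}) on {host}"
            for _, host, proc, parent in events
            if host in POS_HOSTS and proc not in ALLOWED_PROCESSES]


def analyse(flow_text: str = FLOW_LOG, proc_text: str = PROCESS_LOG) -> List[str]:
    """Run all three checks and return the alerts an analyst would be notified of."""
    flows = parse_flows(flow_text)
    events = parse_process_events(proc_text)
    return unexpected_destinations(flows) + beacon_candidates(flows) + unexpected_processes(events)


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

Run as-is, the constructed logs produce three alerts for pos-02: a destination outside its baseline, regular once-a-minute connections to that destination, and a process launched from the POS application that is not on the endpoint's allow-list. The allow-list checks are what make a PCI segment tractable to monitor: because each component's legitimate behaviour is so narrow, the baseline is small and any departure from it is a signal worth a human look. The beacon check is deliberately conservative (at least three connections with under five seconds of jitter); tune `min_hits` and `max_jitter_s` against the real traffic of the environment before relying on it.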
Ross Brewer, vice president and managing director of international markets, LogRhythm