PCI COMPLIANCE DOES NOT ALWAYS EQUAL SECURITY
Apply a Risk-Centric Focus to Achieve a Holistic and Secure Payment Program.
Introduction
Merchants and cyber attackers are competing for data; it’s the new currency. Think beyond the obligatory 12 Payment Card Industry Data Security Standard (PCI DSS) requirements and evolve to a secure payment lifecycle that is innately compliant.
Merchants who think beyond a PCI checklist and embrace a unique, holistic Secure Payment approach by leveraging their existing PCI compliance foundations and technology investments, while incorporating leading cyber security best practices will achieve a secure payment lifecycle.
In addition, they will innately gain compliance, which will enable them to address challenges such as consumer experience, data privacy and business-wide data protection.
Why It Matters

Requirement 01: Install and Maintain a Firewall Configuration to Protect Cardholder Data
Build, deploy and test firewall and router configurations to protect all connections to cardholder data.
Best Practice Recommendation: Assume security does not end at layer 3; add application layer firewalls, separate administrative functions and use two-factor authentication.
48% of breaches featured hacking and 73% of breaches were perpetrated by outsiders.*

Requirement 02: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Protect against unauthorized entry by changing vendor-supplied defaults before installing a system on the network.
Best Practice Recommendation: Designate system hardening through secure build standards to ensure unnecessary default system settings are disabled or properly configured.
81% of hacking-related breaches leveraged either stolen and/or weak passwords.*

Requirement 03: Protect Stored Cardholder Data
Store cardholder data only when it is absolutely necessary. Where it must be stored, protect it and prevent unauthorized use by limiting storage and retention time.
Best Practice Recommendation: Implement network segmentation with controls for the entire OSI model and cell-level encryption for data at rest.
Only 77.9% of companies continue to sustain compliance with requirement three after passing a previous PCI validation.*

Requirement 04: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Implement strong encryption, cryptography and security protocols to render transmitted cardholder data unreadable by any unauthorized person.
Best Practice Recommendation: Encrypt all data based on a zero-trust model that assumes all data can be compromised, and implement tokenization.
Encryption can reduce the cost of a data breach by nearly 9%.*
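The two recommendations above (limit storage and retention time under Requirement 03, tokenization under Requirement 04) are easier to reason about with a concrete model. The following is an added example, not Optiv's code or any product's API: a minimal token vault that hands applications a random token instead of the PAN, keeps the PAN only inside the vault, indexes it by an HMAC so the lookup table never holds the PAN in clear, masks the PAN for display, and purges entries once the retention period has passed. The index key, the 30-day retention default and the sample PAN are constructed for the example; the first-six/last-four masking rule is a common PCI display convention, assumed here rather than taken from the page.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed for this example. A real deployment keeps the index key in an
# HSM or KMS and never in source; the vault itself would be a segmented,
# encrypted datastore, not an in-memory dict.
INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def luhn_ok(pan: str) -> bool:
    """Reject malformed input before it can reach storage (Luhn checksum)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens; the PAN exists only here, and only until
    its retention deadline, so downstream systems hold tokens, not card data."""

    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)
        self._pan_by_token = {}      # token -> (pan, stored_at)
        self._token_by_index = {}    # HMAC(pan) -> token, so no PAN in the index

    def _index(self, pan: str) -> str:
        return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, now: datetime) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:          # same PAN -> same token
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random, carries no PAN information
        self._pan_by_token[token] = (pan, now)
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str):
        entry = self._pan_by_token.get(token)
        return entry[0] if entry else None

    def purge_expired(self, now: datetime) -> int:
        """Enforce the retention limit; returns how many PANs were deleted."""
        expired = [t for t, (_, stored) in self._pan_by_token.items()
                   if now - stored >= self.retention]
        for t in expired:
            pan, _ = self._pan_by_token.pop(t)
            self._token_by_index.pop(self._index(pan), None)
        return len(expired)


def demo() -> dict:
    """Walk one PAN through tokenize, display, lookup and retention purge."""
    vault = TokenVault(retention_days=30)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pan = "4111111111111111"      # constructed test PAN, Luhn-valid
    token = vault.tokenize(pan, t0)
    return {
        "token_differs": token != pan,
        "stable": vault.tokenize(pan, t0) == token,
        "masked": mask_pan(pan),
        "roundtrip": vault.detokenize(token) == pan,
        "purged_early": vault.purge_expired(t0 + timedelta(days=29)),
        "purged_at_deadline": vault.purge_expired(t0 + timedelta(days=30)),
        "after_purge": vault.detokenize(token),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: once tokens replace PANs everywhere outside the vault, the scope that needs cell-level encryption, segmentation and retention enforcement shrinks to the vault, and the purge routine is what turns a retention policy on paper into a control.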
Requirement 05: Use and Regularly Update Anti-Virus Software
Install and regularly update anti-virus programs to prevent malware from infecting systems.
Best Practice Recommendation: Augment the latest anti-virus software with a more proactive solution, such as application whitelisting software that includes the enemy's perspective.
Malware continues to be the largest threat launched by threat actors, at 48%.*

Requirement 06: Develop and Maintain Secure Systems and Applications
Ensure all critical system components and software are protected by applying vendor-supplied security patches to protect the payment card infrastructure.
Best Practice Recommendation: Establish a software development lifecycle program that sets out a process for planning, creating, testing and deploying applications.
64% of enterprises say they are either very concerned or concerned they will be hacked through an application.*

Requirement 07: Restrict Access to Cardholder Data by Business Need-to-Know
Ensure critical data is accessible only to authorized personnel by implementing systems and processes that limit access based on need to know and job responsibilities.
Best Practice Recommendation: Integrate privileged access management (PAM) and authentication solutions with a user and entity behavior analytics solution.
12% of breaches were caused by privileged misuse.*

Requirement 08: Assign a Unique ID to Each Person with Computer Access
Ensure actions taken on critical data and systems are performed by, and can be traced to, known and authorized users by assigning a unique ID to each person with computer access.
Best Practice Recommendation: Assign ownership of service accounts and manage them through an identity governance and administration (IGA) workflow.
Optiv acquired access to client systems through weak or default credentials in 40% of client penetration tests performed in the second quarter of 2018.*
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
Implement logging and log monitoring to track user activities to prevent, detect and minimize the impact of data compromises.
Best Practice Recommendation: Monitor the infrastructure continuously to provide the earliest possible detection of anomalies.
Companies' ability to sustain compliance with requirement 10 dropped the most of any requirement from last year to this year. Furthermore, in post-breach assessments, non-compliance with requirement 10 was nearly 89%.*
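Requirement 10 asks for logging and monitoring; the recommendation asks for continuous detection of anomalies. The following added example (not part of the original infographic and not Optiv's tooling) shows what the smallest useful version of that looks like: a parser for a simple, constructed access-log format, a sliding-window rule for bursts of failed authentication from one source, and an allowlist rule for accounts touching the cardholder database. The log format, host names, account names and the `cde-db` resource name are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format for the example: ISO timestamp, host, event type,
# then key=value fields. Real deployments would parse syslog/CEF/JSON instead.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: resource=(?P<res>\S+))?$"
)

# Constructed sample lines: a failed-login burst from one address, normal
# application access to the cardholder DB, and a backup account reading it.
SAMPLE_LOGS = """
2024-03-05T02:00:01 jump01 AUTH_FAIL user=admin src=203.0.113.9
2024-03-05T02:00:05 jump01 AUTH_FAIL user=admin src=203.0.113.9
2024-03-05T02:00:09 jump01 AUTH_FAIL user=root src=203.0.113.9
2024-03-05T02:00:14 jump01 AUTH_FAIL user=admin src=203.0.113.9
2024-03-05T02:00:20 jump01 AUTH_FAIL user=admin src=203.0.113.9
2024-03-05T02:01:30 jump01 AUTH_OK user=pos_app src=10.20.0.5
2024-03-05T02:02:00 db01 DB_ACCESS user=pos_app src=10.20.0.5 resource=cde-db
2024-03-05T02:03:10 db01 DB_ACCESS user=svc_backup src=10.20.0.9 resource=cde-db
2024-03-05T02:03:11 db01 DB_ACCESS user=svc_backup src=10.20.0.9 resource=inventory
this line is malformed and must be skipped, not crash the monitor
"""

# Accounts expected to read the cardholder data store (assumed for the example).
CDE_ALLOWED = frozenset({"pos_app", "dba_oncall"})


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, fail_threshold=5, window_s=60, allowed=CDE_ALLOWED):
    """Two detections over a stream of lines, returned as (rule, subject) pairs.

    auth_burst:            >= fail_threshold AUTH_FAIL events from one source
                           inside a sliding window of window_s seconds.
    unexpected_cde_access: DB_ACCESS to cde-db by an account not on the allowlist.
    """
    alerts = []
    fails = defaultdict(deque)           # src -> timestamps of recent failures
    for ev in map(parse, lines):
        if ev is None:
            continue
        if ev["event"] == "AUTH_FAIL":
            q = fails[ev["src"]]
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()              # drop failures outside the window
            if len(q) == fail_threshold: # alert once, when the threshold is crossed
                alerts.append(("auth_burst", ev["src"]))
        elif ev["event"] == "DB_ACCESS" and ev["res"] == "cde-db":
            if ev["user"] not in allowed:
                alerts.append(("unexpected_cde_access", ev["user"]))
    return alerts


def demo():
    return detect(SAMPLE_LOGS.strip().splitlines())


if __name__ == "__main__":
    for rule, subject in demo():
        print(f"ALERT {rule}: {subject}")
```

Both rules depend on the logs carrying a unique user ID per actor (Requirement 08) and on the allowlist being maintained through the same access-governance process that Requirement 07 describes; monitoring is only as good as the identity data it is fed.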
Requirement 11: Regularly Test Security Systems and Processes
Frequently test system components, processes and custom applications to ensure security is maintained over time.
Best Practice Recommendation: Boost security vigilance with iterative, differential attack and penetration testing.
Compliance against requirement 11 has been the most difficult to sustain compared to all other requirements for at least the past two years.*

Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Establish, publish, maintain and disseminate a security policy that addresses all PCI DSS requirements.
Best Practice Recommendation: Develop a formal payment security program that details responsibilities and accountability. This program should include policies and optimized technologies to establish clear incident management, a secure Software Development Life Cycle (SDLC), Identity and Access Management (IAM), continuous pen testing, and training and awareness to enable simplified Qualified Security Assessor (QSA) audits.
33% of organizations are still treating PCI Security compliance as an annual project. Worse still, 18% of organizations attempt to manage PCI Security without a defined compliance program or project structure.*
Contact Optiv to Help You Develop a Secure Payment Program and Perform a Risk Assessment.
A holistic and secure payment program goes beyond meeting an obligatory checklist and puts a risk-centric focus on payment security. The truth is, compliance does not always equal security. IT departments are challenged with prioritizing security programs and supporting digital transformation initiatives.
What organizations should be striving for is tighter integration of security and compliance, with a laser focus on data protection, enabling merchants to advance their security maturity and more:
• Optimize compliance and security budgets while reducing competition among security priorities.
• Assess and address risk in line with business needs and priorities.
• Meet data privacy and data protection requirements while maintaining compliance.
• Activate security program agility by leveraging existing technologies and PCI standards.
Requirement 09: Restrict Physical Access to Cardholder Data
Limit and monitor access to systems through the use of appropriate physical controls to the card data environment.
Best Practice Recommendation: Assess, review, verify (and update if necessary) the effectiveness of physical access controls, especially with respect to on- and off-boarding personnel, visitor policies and storage/distribution of cardholder data.
11% of breaches involved physical actions, which includes theft.*
Sources
* Verizon Data Breach Investigation Report, 2018.
* Verizon Data Breach Incident Report, 2017.
* Verizon Payment Security Report, 2018.
* Ponemon Cost of a Data Breach, 2018.
* Optiv Cyber Threat Intelligence Estimate, 2018.
* Verizon Data Breach Investigation Report, 2018.
* Verizon Data Breach Investigation Report, 2018.
* Verizon Payment Security Report, 2018.
* Ponemon Study on Application Security, 2018.
* Observations from aggregated penetration tests performed by Optiv, 2018.
* Verizon Payment Security Report, 2018.
* Verizon Payment Security Report, 2018.
Read the Optiv Secure Payment White Paper
Optiv Global Headquarters
1144 15th Street, Suite 2900
Denver, Colorado 80202 800.574.0896
www.optiv.com
