
Achieve The Prioritized Approach to PCI DSS Compliance


PCI DSS compliance is not new for organizations that have been in the business of handling credit card data. From multi-factor authentication to reporting for service providers, there is something for everyone to comply with and monitor. For big brands and fast-growing businesses especially, becoming the star of the next Target-style credit card scandal is not on anyone's wishlist. The fear of being the next big breach is one reason PCI compliance matters, and why you and your team should take your security assessment seriously.

According to the PCI Security Standards Council, "PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc."

Some key PCI requirements on the checklist are below, including guidelines and remediation steps. We also dive into the PCI Prioritized Approach, and how you can achieve PCI Compliance.


PCI Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data

Your firewall functionality must be robust enough to thoroughly and accurately control traffic in and out of your network. Both routers and firewalls are in scope for PCI Requirement 1 as long as they are used in the cardholder data environment (CDE).

  • Formalize the process by which you test your firewall and router rule sets, on a defined cadence. Identify every possible wireless and wired connection to cardholder data. Review your rule sets every 6 months at the very minimum.

  • Restrict direct access between any system component in the CDE and the public Internet.

  • Install personal firewall software on any and all employee-owned mobile devices and computers. If employees use these devices to reach the organization's network and sensitive data, the devices need to be protected.
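The second bullet, restricting traffic between CDE components and the public Internet, is the kind of thing a rule-set review should catch mechanically. The script below is an added illustration, not code from the original post or from CyberStrong: it walks a constructed, simplified rule list (source, destination, port, action) and flags every allow rule that lets untrusted address space reach the CDE or lets the CDE reach untrusted address space. The internal address ranges, the CDE subnet `10.20.0.0/24`, and the sample rules are all assumptions made for the example.

```python
import ipaddress

# Constructed assumptions for the example: the organization's internal address
# space and the subnet that hosts the cardholder data environment (CDE).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def touches_cde(cidr):
    """True if the address range overlaps any CDE subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(cde) for cde in CDE_NETWORKS)


def is_untrusted(cidr):
    """True if the range is not fully inside the organization's internal space.
    0.0.0.0/0 ("any") and every public range land in this bucket."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETWORKS)


def audit_rules(rules):
    """Return (index, reason) for every allow rule that lets untrusted address
    space reach the CDE, or lets the CDE reach untrusted address space.
    Each rule is a (src, dst, port, action) tuple, evaluated in list order."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        if is_untrusted(src) and touches_cde(dst):
            findings.append((i, f"inbound from {src} to CDE {dst} port {port}"))
        elif touches_cde(src) and is_untrusted(dst):
            findings.append((i, f"outbound from CDE {src} to {dst} port {port}"))
    return findings


# Constructed rule set for the example; not taken from any real firewall.
SAMPLE_RULES = [
    ("0.0.0.0/0", "10.20.0.10/32", "443", "allow"),     # Internet straight to a CDE host
    ("10.30.0.0/24", "10.20.0.0/24", "1433", "allow"),  # internal app tier to CDE database
    ("10.20.0.0/24", "0.0.0.0/0", "any", "allow"),      # CDE egress to anywhere
    ("0.0.0.0/0", "10.20.0.0/24", "any", "deny"),       # default deny for the CDE
]

if __name__ == "__main__":
    for index, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {reason}")
```

Run against the sample rules it reports rule 0 (Internet reaching a CDE host directly) and rule 2 (CDE egress to anywhere); the app-tier rule and the default deny pass. The check is deliberately narrow: it only looks at what each rule permits on its own, so it is a first pass for the six-monthly review, not a substitute for reviewing how the rules interact or for the DMZ that should sit between the Internet and the CDE.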


PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks

Merchants and service providers must ensure the safety and security of sensitive information, especially when it travels across unprotected networks. Organizations can face specific challenges with PCI DSS Requirement 4. All vulnerable encryption protocols have to be removed, while cardholder data entered into publicly accessible e-commerce ordering systems must stay protected at the same time. Unencrypted fax, email and end-user messaging systems are unencrypted and therefore unprotected; in short, keep cardholder data out of them.
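"Removing vulnerable encryption protocols" is concrete enough to check in configuration and to enforce in client code. The example below is added here and is not from the original post or from CyberStrong: one function scans nginx-style configuration text for `ssl_protocols` directives that still enable SSLv2, SSLv3, TLS 1.0 or TLS 1.1, and another builds a Python TLS client context whose floor is TLS 1.2. The two configuration fragments (the weak one beside the corrected one) and the certificate path in them are constructed for the example.

```python
import re
import ssl

# Protocol versions that should no longer protect cardholder data in transit.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_ssl_protocols(config_text):
    """Scan nginx-style configuration text and return (line_no, [bad protocols])
    for every ssl_protocols directive that still enables a deprecated version."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if match:
            enabled = set(match.group(1).split())
            bad = sorted(enabled & DEPRECATED_PROTOCOLS)
            if bad:
                findings.append((line_no, bad))
    return findings


def hardened_client_context():
    """Build a client-side TLS context that refuses anything below TLS 1.2,
    so a connection to a server that only offers old versions fails outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed server configuration fragments; not from any real deployment.
WEAK_CONFIG = """\
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/example.crt;
}
"""

HARDENED_CONFIG = """\
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/example.crt;
}
"""

if __name__ == "__main__":
    print("weak:", audit_ssl_protocols(WEAK_CONFIG))          # [(2, ['TLSv1', 'TLSv1.1'])]
    print("hardened:", audit_ssl_protocols(HARDENED_CONFIG))  # []
    print("client floor:", hardened_client_context().minimum_version.name)  # TLSv1_2
```

The audit only reads the directive as written, so a server block that inherits `ssl_protocols` from an enclosing `http` block is judged by that enclosing line; in practice you pair a scan like this with an external scan of the listening port, which sees what the server actually negotiates.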


PCI Requirement 8.3: Two-Factor or Multi-Factor Authentication

We're all aware that passwords alone are no longer sufficient to secure access to sensitive data. In fact, compromised passwords are the leading cause of data breaches according to the 2016 Verizon Data Breach Investigations Report. PCI DSS 3.2 changed the two-factor authentication (2FA) requirement to multi-factor authentication (MFA), clarifying that you're not limited to only two factors. Anyone with access to the cardholder data environment (CDE) has to use multi-factor authentication, whether they're working remotely or on premises.

Pick 2 or more of these methods to be 'PCI compliant' with this requirement:

  • A password or passphrase
  • A physical device, such as a smart card or token device
  • A retinal or fingerprint scan


The Prioritized Approach to PCI DSS Compliance

According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities based on the risk associated with storing, processing, and/or transmitting cardholder data. The roadmap helps organizations achieve compliance, establish milestones, and lower the risk of cardholder data breaches sooner in the compliance process, and it helps acquirers objectively measure the compliance activities and risk reduction of merchants, service providers, and others.

The Prioritized Approach was devised after factoring in data from actual breaches, and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors.

The goals of the Prioritized Approach are to:

  • Provide a roadmap that an organization can use to address its risks in priority order

  • Offer a pragmatic approach that allows for "quick wins"

  • Support financial and operational planning

  • Promote objective and measurable progress indicators

  • Help promote consistency among assessors

If you want to implement the Prioritized Approach to PCI DSS Compliance, CyberStrong can get you there with a systematic and optimized approach. CyberStrong uses credible risk data to help you prioritize your PCI control remediation plan. In addition, you'll get an AI-optimized roadmap that incorporates the controls within your existing gaps, presenting you and your team with the highest-impact, lowest-cost plan of action on how to proceed.

Get a demo of the Cyberstrong Platform: Schedule a Quick Overview
