Achieve The Prioritized Approach to PCI DSS Compliance

PCI DSS compliance is not new for organizations that have been in the business of handling credit card data. From multi-factor authentication to reporting for service providers, there is something for everyone to comply with and monitor. Especially for big brands or upcoming businesses with lots of momentum, becoming the star of the next Target credit card scandal isn't on anyone's wishlist. The fear of being the next big scandal is one reason why PCI compliance is so important, and why you and your team should take your security assessment seriously.

According to the PCI Security Standards Council, "PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc."

Some key PCI requirements on the checklist are below, including guidelines and remediation steps. We also dive into the PCI Prioritized Approach, and how you can achieve PCI Compliance.

 

PCI Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data

Your firewall functionality must be robust enough to thoroughly and accurately control traffic in and out of your network. Both routers and firewalls are within scope for PCI Requirement 1 as long as they are used in the cardholder data environment (CDE).

  • Formalize the process by which you test your firewalls, and run it at a set cadence. Identify every possible wireless and wired connection to cardholder data. Review your settings every 6 months at the very minimum.

  • Restrict access between any system component in the CDE and public internet access.

  • Install personal firewall software on any and all employee-owned mobile devices and computers. If they use your company Internet to access the organization's network and sensitive data, these devices need to be protected.
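The two checks above (no direct path between the CDE and the public internet, and a review at least every six months) can be partly automated. The script below is an added example for this article, not CyberStrong's product code and not anything published by the PCI SSC. Its one-line rule format, the CDE address range (10.10.0.0/16), the sample rules and the 182-day cutoff are all constructed assumptions; adapt the parser to whatever your firewall exports. It flags every allow rule that lets the public internet reach the CDE directly or lets the CDE reach the public internet, and reports whether the rule set's last review is overdue.

```python
"""Audit a firewall rule set for direct CDE <-> internet paths and a stale review date.

Added illustration for the article; the rule format, CDE range and sample rules are
constructed here and are not from CyberStrong or the PCI SSC.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed: the address space that makes up the cardholder data environment.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# RFC 1918 space; a range not wholly inside it, or the "any" wildcard, is treated as public.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str                     # "443", "any", ...


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format: <name> <action> <src> <dst> <port>."""
    name, action, src, dst, port = line.split()
    return Rule(name, action.lower(), ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def touches_cde(net: ipaddress.IPv4Network) -> bool:
    """True if any address in the rule's range falls inside the CDE ("any" always does)."""
    return any(net.overlaps(cde) for cde in CDE_NETWORKS)


def is_public(net: ipaddress.IPv4Network) -> bool:
    """True for the "any" wildcard or a range not entirely inside RFC 1918 space."""
    return net == ANY or not any(net.subnet_of(p) for p in PRIVATE_RANGES)


def audit_rules(lines):
    """Return (rule name, reason) for every allow rule that joins the CDE to the internet."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule.action != "allow":
            continue                              # deny rules cannot open a path
        if is_public(rule.src) and touches_cde(rule.dst):
            findings.append((rule.name, "inbound from the public internet directly into the CDE"))
        elif touches_cde(rule.src) and is_public(rule.dst):
            findings.append((rule.name, "outbound from the CDE to the public internet"))
    return findings


def review_overdue(last_reviewed: date, today: date, max_days: int = 182) -> bool:
    """Requirement 1's six-month review cadence; 182 days is the cutoff assumed here."""
    return today - last_reviewed > timedelta(days=max_days)


# Constructed sample rule set: two rules should be flagged, the rest are fine.
SAMPLE_RULES = [
    "allow-web-ingress  allow 0.0.0.0/0     10.10.1.10/32  443   # internet straight into a CDE host",
    "allow-db-from-app  allow 10.20.0.0/16  10.10.2.0/24   5432  # internal app tier to CDE database",
    "allow-cde-egress   allow 10.10.0.0/16  0.0.0.0/0      any   # CDE may reach anything",
    "allow-cde-to-proxy allow 10.10.0.0/16  10.30.0.5/32   3128  # CDE to an internal proxy only",
    "deny-all           deny  0.0.0.0/0     0.0.0.0/0      any",
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"FINDING {name}: {reason}")
    print("review overdue:", review_overdue(date(2019, 1, 1), date(2019, 8, 1)))
```

The audit is deliberately conservative: an allow rule from "any" to "any" counts as inbound into the CDE because the wildcard overlaps the CDE range, so a catch-all permit is flagged rather than silently accepted.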

 

PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks

Merchants and service providers must ensure the safety and security of sensitive information, especially when it travels across unprotected networks. Organizations can have specific challenges with PCI DSS Requirement 4. All vulnerable encryption protocols have to be removed while, at the same time, cardholder data entered into publicly accessible e-commerce ordering systems stays protected. Fax, email and end-user messaging systems are unencrypted and therefore unprotected, so keep your cardholder data off them.
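Removing the vulnerable protocols mostly comes down to what a listener is configured to negotiate. The script below is an added example for this article, not CyberStrong's code and not a PCI SSC tool. It parses the `ssl_protocols` directive of two constructed nginx-style snippets (the directive name is real, but nothing here runs nginx; the text is only parsed), flags SSL 2.0/3.0 and TLS 1.0/1.1 as versions that must be off with TLS 1.2 as the floor, and builds a client-side context with the same floor for code that itself talks to a payment endpoint.

```python
"""Flag SSL and early TLS in a listener configuration and build a TLS 1.2-floor client context.

Added illustration for the article; the config snippets are constructed and this is not
CyberStrong's or the PCI SSC's code.
"""
import re
import ssl

# SSL 2.0/3.0 and TLS 1.0/1.1 must be off; TLS 1.2 is the floor, TLS 1.3 preferred.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Matches an active (not commented-out) ssl_protocols directive anywhere in the text.
_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocols(config_text: str) -> set:
    """Collect every protocol name listed on active ssl_protocols directives."""
    found = set()
    for match in _DIRECTIVE.finditer(config_text):
        found.update(match.group(1).split())
    return found


def audit_tls_config(config_text: str) -> list:
    """Return a list of findings; an empty list means the snippet passes this check."""
    enabled = enabled_protocols(config_text)
    findings = []
    if not enabled:
        # Absence is not a pass: whatever the server default is must be verified separately.
        findings.append("no ssl_protocols directive: the server default applies and must be verified")
        return findings
    weak = sorted(enabled & DEPRECATED)
    if weak:
        findings.append("deprecated protocol versions enabled: " + ", ".join(weak))
    if not enabled & ACCEPTABLE:
        findings.append("no acceptable protocol version (TLSv1.2 or TLSv1.3) enabled")
    unknown = sorted(enabled - DEPRECATED - ACCEPTABLE)
    if unknown:
        findings.append("unrecognised protocol names: " + ", ".join(unknown))
    return findings


def client_context() -> ssl.SSLContext:
    """Client context for talking to a payment endpoint: TLS 1.2 floor, verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed: what an assessor might find, and the corrected form.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   old line left as a comment; the check ignores it
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_config(text) or "OK")
```

A configuration check only proves what the file says; confirm the running listener with a handshake test from outside the network as well, since a stale reload or a second virtual host can leave early TLS alive.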

 

PCI Requirement 8.3: Two-Factor or Multi-Factor Authentication

We're all aware that passwords are no longer sufficient to secure access rights to sensitive data. In fact, compromised passwords are the leading cause of data breaches according to the 2016 Verizon Data Breach Investigations Report. PCI DSS 3.2 changed the two-factor authentication (2FA) requirement to multi-factor authentication (MFA), clarifying that you're not limited to only two. Anyone with access to the cardholder data environment (CDE) has to use multi-factor authentication, whether they're working remotely or on premises.

Pick 2 or more of these methods to be 'PCI compliant' with this requirement:

  • A password or passphrase
  • A physical device, such as a smart card or token device
  • A retinal or fingerprint scan

 

The Prioritized Approach to PCI DSS Compliance

According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities based on the risk associated with storing, processing, and/or transmitting cardholder data. The roadmap helps organizations achieve compliance, establish milestones, and lower the risk of cardholder data breaches earlier in the compliance process, and it helps acquirers objectively measure compliance activities and risk reduction by merchants, service providers, and others.

The Prioritized Approach was devised after factoring in data from actual breaches, and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors.

The Prioritized Approach is meant to:

  • Provide a roadmap that an organization can use to address its risks in priority order

  • Offer a pragmatic approach that allows for “quick wins”

  • Support financial and operational planning

  • Promote objective and measurable progress indicators

  • Help promote consistency among assessors

If you want to implement the Prioritized Approach to PCI DSS Compliance, CyberStrong can get you there with a systematic and optimized approach. CyberStrong uses credible risk data to help you prioritize your PCI control remediation plan. In addition, you'll get an AI-optimized roadmap that incorporates the controls within your existing gaps, presenting you and your team with the highest-impact, lowest-cost plan of action on how to proceed.
