PCI 4.0 is on its way: here’s how you can get ready
Following years of rumors, the Payment Card Industry Security Standards Council (PCI SSC) is now targeting a Q1 2022 publication date for the release of PCI DSS 4.0, the newest iteration of its globally standardized data security standards. This will be the first full update of PCI DSS since 2015, and raises new questions for organizations aiming for full PCI compliance.
According to the council, PCI DSS 4.0 will support an ever-evolving and increasingly cloud-based range of payment environments, technologies, and methodologies. It will also offer more flexibility to support varied security methodologies. Yet insiders are also concerned that these new standards will bring with them even more stringent compliance guidelines. In particular, there are fears that some of the stricter extra requirements, currently part of the designated entities supplemental validation (DESV) requirements, will soon be brought under the umbrella of standard PCI DSS.
Not complying simply isn’t an option. Beyond fines and reputation loss, PCI DSS compliance is one of the best ways to protect your business from cyber risk of all kinds. One report by Verizon claimed that, “Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”
Yet according to some sources, only 36.7% of organizations collecting credit card data are fully compliant with PCI DSS.
Given the major potential impact of not complying, there is a clear need for tools that can help your organization reach full compliance—and stay there—as easily and efficiently as possible.
Let’s explore a few of the primary requirements of PCI DSS and then delve into the ways Vulcan Cyber®, the world’s first SaaS platform for risk remediation, can help make compliance hassle-free.
What is PCI DSS?
PCI DSS is, at its heart, a list of 12 requirements, grouped into six categories:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Each of these areas contains numerous directives—in fact, there are 281 altogether, as listed in the most current PCI DSS guidelines.
That may make keeping up with every single rule and regulation seem like an impossible task. Given the magnitude of the responsibility involved in processing and transferring cardholder data in full compliance with PCI DSS, you may find it helpful to focus on the most essential areas first, like vulnerability management.
How the Vulcan Cyber risk-based remediation platform can ensure PCI DSS compliance
A fully-featured vulnerability management platform can make many other aspects of PCI DSS compliance even easier than you might imagine.
Here are four ways Vulcan Cyber makes that happen:
#1 Boosting discoverability
The very first category of PCI DSS is building and maintaining a secure network and systems. This may seem obvious—because it’s impossible to defend an environment you are not fully aware of. Yet the task is not as simple as it may seem.
For most organizations, this phase begins by mapping the network in all its complexity. As stated in the current PCI DSS guidelines, “Without current network diagrams, devices could be overlooked and be unknowingly left out of the security controls implemented for PCI DSS and thus be vulnerable to compromise.”
Discoverability of assets presents many challenges, especially in today’s distributed networks, in which boundaries are increasingly meaningless. Two of the main obstacles with many asset scanning tools are:
- They aren’t always configured properly, leaving some assets unscanned.
- They don’t let you know which assets have direct significance for PCI DSS compliance.
With a full range of asset discovery and management features, Vulcan Cyber goes deeper, picking up PCI assets that might go unscanned otherwise. It then lets you tag and track PCI assets and gives you a clear view into all assets in your network, including integration with a variety of tools (e.g., VA tools, CMDBs, and Cloud inventories).
The platform also tracks relevant information related to all your OSs and applications, giving your team the tools they need to harden your systems and remain vigilant for vulnerabilities as they’re discovered.
#2 Prioritizing risk
One of the most central PCI DSS requirements is maintaining a vulnerability management program. This includes, according to the official guidelines, establishing “a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as ‘high,’ ‘medium,’ or ‘low’) to newly discovered security vulnerabilities.”
Risk ranking must be based on industry best practices, such as CVSS base score, vendor classification, the type of systems affected, along with consideration of potential impact on your organization.
At a minimum, PCI DSS guidelines advise adopting a security platform that will identify all high risk and critical vulnerabilities. These will vary from organization to organization depending on the devices and processes that are used to store, process, and transmit cardholder data, including security systems, public-facing devices and systems, and databases.
But identifying vulnerabilities, regardless of risk level, doesn’t go far enough. If you’re not remediating 100% of vulnerabilities in your environment, you’ll probably find it hard to comply in other areas as well.
Vulcan Cyber combines two methods to let you focus on the most critical vulnerabilities:
- Lets you customize risk parameters, combining the industry’s most business-relevant vulnerability prioritization algorithms with streamlined remediation.
- Provides advanced remediation intelligence based on playbooks, drawing on data-driven recommendations and task statuses to trigger the workflows you need to fix vulnerabilities.
This comprehensive, risk-based approach leaves you with fewer vulnerabilities to remediate, along with less risk in the environment as a whole. Why? Because you’re actually remediating the top threats to your business activities.
Prioritizing risk as a major security component was a new element in PCI DSS 3.0 when it was introduced, and this aspect is sure to be clarified even further when PCI DSS 4.0 is introduced. Therefore, by implementing a risk-based approach now, you’ll actually be moving your organization closer to full compliance—without having to wait for 4.0.
#3 Meeting cyber hygiene SLAs
One of the top priorities of PCI DSS is establishing and following clearly defined internal processes for handling vulnerabilities. One way of doing this is by establishing SLAs related to vulnerability management and risk remediation.
Vulcan Cyber helps establish clear internal SLAs for risk remediation workflows: Who does what, in which sequence, and the mandated time frame. You’ll have the metrics you need to define and track reasonable SLAs based on factors like risk tolerance, asset criticality, and vulnerability prioritization. And you can track these results over time to ensure that your team is continuing to deliver—and to troubleshoot if not.
Here are just a few ways Vulcan Cyber helps you achieve this target:
- Customizable SLAs, defined by vulnerability criticality.
- Alerts are integrated with your existing email or Slack configuration.
- Automated alerting when SLA is breached.
- New PCI DSS “high-risk” or higher vulnerability level opens a Jira/ServiceNow ticket.
All these features work together to ensure that you can act quicker and reduce total time to remediation. Plus, Vulcan Cyber gives you advanced remediation intelligence based on playbooks, drawing on data-driven recommendations and task statuses, to trigger necessary workflows.
#4 Creating total clarity
If there’s one thing many organizations struggle with when they’re working on PCI DSS compliance, it’s visibility. The current requirements demand that you regularly monitor and test all PCI DSS-related networks. Without clarity into your security posture, the guidelines state, “Failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment.”
The best way to achieve the clarity you need is through an integrated dashboard that lets you see and drill down into your entire environment from a single pane of glass. With its integrated all-in-one platform, Vulcan Cyber gives you clear, readable results and reporting, including:
- Simplified total risk score for quick environment health checkups
- Filterable view of existing vulnerabilities to eliminate noise
- Sortable view of vulnerabilities to list by criticality and prioritization
And should you need to exclude vulnerabilities for any reason—including mitigation, acceptable risk, false positives, and more—you’ll be able to easily see all vulnerabilities excluded, along with explanations for the exclusion. This is essential in meeting numerous regulatory standards, including PCI DSS, SOX, and others.
You’ll have everything you need in one place: applications, infrastructure, penetration testing reports: Vulcan Cyber aggregates everything going on in your network to help make sure nothing falls between the cracks.
And if your organization ever faces a PCI DSS audit? While the prospect can be terrifying, and create work for your team in the short term, having Vulcan Cyber in place for visibility and reporting will make the process far simpler.
The platform gives you power and flexibility, letting you produce reports for auditors that focus solely on PCI assets, or go beyond, exploring performance metrics on all levels to ramp up the maturity of your security program as a whole.
But the benefits of Vulcan Cyber go far beyond audit and accountability, helping you manage risk on a daily basis, protecting cardholder information along with other sensitive data within your organization.
Vulcan Cyber: going beyond compliance
As we’ve explored here, PCI DSS 4.0 probably won’t bring any huge surprises. The industry is moving in a direction where transparency, automation, and risk prioritization will simply become expected tools of business for any organization handling sensitive cardholder data.
While it seems likely that PCI DSS 4.0 will introduce stricter guidelines in this direction, using a risk-based remediation platform will ensure that you’re prepared.
And as we’ve seen, PCI DSS compliance isn’t the only benefit of the Vulcan Cyber end-to-end risk remediation platform. At a time when end users are increasingly aware of the expanding dimensions of cyber crime, PCI DSS also offers your organization a number of additional benefits:
- Gives consumers the confidence to conduct transactions.
- Protects consumer data, freeing you from liability and fines.
- Establishes industry-wide standards to encourage best practices.
If you’re like most organizations, data is your most valuable asset; Vulcan Cyber can help you protect this precious asset in a whole range of ways.