To security professionals, compliance may not be the sexiest subject, but it is an important one for a variety of reasons.
Security teams are important stakeholders in governance, risk, and compliance efforts, so those efforts deserve an appropriate share of attention within the goals and priorities of the security organization.
Lately, many compliance standards and frameworks have evolved to include requirements that look a lot more like security best practices than mere checkboxes.
The PCI DSS 4.0 standard is a great example of this.
First, a little background: the Payment Card Industry Security Standards Council is a group of payment card industry players that sets up and administers the standard.
The current timing gives us a great opportunity to work through a few of the changes in v4.0, particularly as they relate to us as security professionals.
Avoid Malicious Scripts
After a spate of attacks and fraud resulting from malicious third-party scripts injected into a variety of legitimate business websites, PCI DSS was updated in 2023 to include two new requirements: 6.4.3: Manage Payment Page Scripts to Prevent Skimming and 11.6.1: Deploy a Mechanism to Detect Skimming.
Requirement 6.4.3 dictates that companies confirm authorization and integrity of all payment page scripts, as well as keep an inventory of all scripts that justify their necessity for payment.
Requirement 11.6.1 says that companies must alert personnel to unauthorized modifications of the HTTP headers and payment page content that a consumer's browser receives, and must configure a mechanism that evaluates those HTTP headers and payment pages as received by consumers, running that evaluation at least weekly.
Protective control: Proactively ensure that no malicious scripts are on payment pages.
Detective control: Monitor scripts on payment pages and alert when malicious scripts are detected.
Aside from being a requirement of the updated standard, these controls are also a good idea and a great way to improve an organization's security posture.
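As an added illustration (not code from the article or from the PCI SSC), here is a minimal version of the inventory-plus-monitoring control behind 6.4.3 and 11.6.1 in Python: every script observed on a consumer-view snapshot of the payment page is matched against an approved inventory with justification and SHA-256 hash, and security headers are compared with a baseline. The inventory entries, hosts, paths, script bodies and headers are constructed; a real deployment would fetch the page and its scripts from a consumer vantage point on at least the weekly schedule the requirement sets.

```python
import hashlib
from html.parser import HTMLParser
sha256_hex = lambda text: hashlib.sha256(text.encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Collect every <script> on the page as [src_or_None, inline_body]."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"

def audit_payment_page(html, fetched, headers, inventory, header_baseline):
    """One consumer-view check: scripts vs. approved inventory (6.4.3), headers vs. baseline (11.6.1)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, inline in collector.scripts:
        body = fetched.get(src, "") if src else inline  # external bodies fetched as a browser would
        key = src or "inline:" + sha256_hex(inline)     # inline scripts are identified by content hash
        approved = inventory.get(key)
        if approved is None:
            findings.append(("unauthorized_script", key))
        elif approved["sha256"] != sha256_hex(body):
            findings.append(("integrity_changed", key))
    for name, expected in header_baseline.items():
        if headers.get(name) != expected:
            findings.append(("header_modified", name))
    return findings

# --- constructed sample data: hosts, paths and script bodies are made up ---
CHECKOUT_JS = "document.forms.pay.onsubmit = validateCard;"
INLINE_JS = "window.PAY_ENV = 'prod';"
INVENTORY = {  # 6.4.3 inventory: each approved script carries a justification and its hash
    "/static/checkout.js": {"justification": "card form validation", "sha256": sha256_hex(CHECKOUT_JS)},
    "inline:" + sha256_hex(INLINE_JS): {"justification": "environment flag", "sha256": sha256_hex(INLINE_JS)},
}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'"}
PAGE = ('<html><body><script src="/static/checkout.js"></script><script>' + INLINE_JS +
        '</script><script src="https://cdn.example-untrusted.test/a.js"></script></body></html>')

def demo():
    # Snapshot where checkout.js was altered, an unknown script appeared and the CSP was weakened
    fetched = {"/static/checkout.js": CHECKOUT_JS + " /* altered */"}
    return audit_payment_page(PAGE, fetched, {"Content-Security-Policy": "script-src *"}, INVENTORY, BASELINE_HEADERS)
```

Each finding is an alert for personnel (the 11.6.1 detective control); a clean snapshot, where every script is in the inventory with a matching hash and the headers match the baseline, produces no findings.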
Install and Maintain Network Security Controls
The PCI DSS Quick Reference Guide has been updated in parallel with the standard itself.
What it means for businesses, practically speaking, is that they will need to solve for network security needs in hybrid and multicloud environments, most likely by having a distributed cloud strategy.
Robust API security capability to ensure that APIs are properly protected against attacks and fraud.
These are key questions that businesses need to consider as part of PCI compliance, but they are also important as part of their security strategy in general.
Businesses will need to ensure that they have proper logging and monitoring across their hybrid and multicloud environments, and they will need to use that visibility to properly monitor those environments for security, fraud, abuse, and compliance issues.
Security Practices Go Beyond Credit Cards
The updates in v4.0 of PCI DSS are good ones.
Besides updating the standard to incorporate the evolving threat landscape and the preponderance of hybrid and multicloud environments, they provide excellent guidance for security teams that are looking to improve their organizations' security posture.
I would argue that what is good for payment card security is good for the overall security of a business.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 11 Mar 2024 20:35:08 +0000