Today, it seems cash is a thing of the past, with most shoppers leaning on credit cards or even mobile payment to complete transactions for both physical and online shopping. With the increase in these forms of payments, retailers are responsible for protecting their customers’ critical data from threat actors lurking around every corner, ready to siphon sensitive personal information. Material breaches, those compromising many records or having a significant impact on business operations, are even up 24.5%, with retailers experiencing the largest number across any industry.
Enter the Payment Card Industry Data Security Standard (PCI DSS): the gold standard of compliance for all businesses that store, transmit and process cardholder data, intended to improve the security of sensitive user data. Much like changing regulations for government agencies, retailers are preparing to navigate the next major update: PCI DSS 4.0.
As threat actors set their sights on retailers who begin their journey to comply with PCI DSS 4.0, retail organizations should remember that compliance is only the beginning of their cybersecurity journey. While PCI DSS 4.0 provides guidance toward a stable foundation of cybersecurity best practices that protect critical customer data from new and emerging threats, retailers should build upon these requirements to move from a reactive to a proactive cybersecurity approach.
Changing Tides of PCI DSS 4.0
Effective in 2024, this evolution of PCI marks the first update since 2018 that helps to address many of the technology and cybersecurity evolutions the retail industry is experiencing. While the update brings many positive changes, one of the most concerning changes, in my opinion, is that requirement 12.3.2 allows organizations to customize their approach to proving compliance with each of the PCI DSS security requirements.
On the surface, this is explained away as an evolution of the existing compensating controls model, and it makes sense from this perspective. However, as a former PCI internal security assessor and practitioner at several level 1 merchants, I find this control concerning because it puts the onus on the qualified security assessor (QSA) to determine whether the merchant’s approach and testing methodology are suitable.
In this blog from the PCI Security Standards Council (SSC), the author states that “the customized approach is most successful when the entity has robust security processes and strong risk management practices and is able to effectively design, document, test, and maintain security controls to meet that objective.” However, in my experience, QSA quality varies greatly: an assessment team is often made up of junior analysts led by a senior analyst, with backup from a QA team.
This approach is effective when the controls are prescriptive, but as more complex controls can be implemented and audited via this method, properly understanding and evaluating the customized approach requires senior resources. With the current shortage of expertise in the field, particularly in payment infrastructure and technology, I foresee this gap increasing the time needed to certify a report on compliance, and this potential needs to be factored into the QSA schedule and the merchant’s expectations on timing.
Bruce Schneier once said in an interview that “complexity is the worst enemy of security.” I fear that this allowance for customized approaches will increase the intricacies of a security solution and that a lack of deep domain understanding of the elements of the solution will inadvertently introduce more security holes that aren’t covered by PCI DSS controls, because of the inability to properly test efficacy against the original requirements as set forth in the DSS.
Retail organizations seeking to take this customizable direction should consider the growing opportunities it presents to threat actors looking to exploit those non-standard routes. Additionally, the long lead time to implement these regulations gives attackers a window to use the framework as a blueprint to breach retailers before they have time to implement changes to their cybersecurity strategy.
Balancing Compliance and Security
While many retailers are looking to check the box for compliance, they must remember to look past the standards in PCI DSS 4.0 to create an approach to cybersecurity that protects their critical assets. A proactive approach to cybersecurity strategies consists of regularly assessing risk probabilities and impacts, incorporating cybersecurity into enterprise-wide risk management and working with business leaders to mitigate risks.
While taking on a proactive cybersecurity approach may seem daunting, retailers should prioritize a few essential aspects to develop a holistic strategy:
- Risk scoring and quantification: Risk scoring provides an objective measurement for evaluating security posture that considers a wide range of risk factors. By converting data-driven metrics and threat intelligence into an easy-to-grasp representation of actual cyber risk, organizations can better understand how safe their assets are and identify security weaknesses with the greatest potential financial impact. Armed with this understanding, they can better control the scope of their risk assessments mandated in requirement 12.
- Vulnerability prioritization: To truly understand cyber risk and prevent breaches, advanced vulnerability prioritization automatically considers threat intelligence, asset context and attack path analysis. This enables smarter and more precise remediation strategies than considering CVSS severity alone. Organizations with complex environments and limited resources can target their effort where it matters by prioritizing the vulnerabilities that pose the greatest risk. Prioritization is required by requirement 6.3, and including attack path analysis can help reduce the overall scope of the cardholder data environment (CDE).
- Exposure analysis: An exposure is an exploitable vulnerability that a threat actor can access and compromise. Exposure analysis identifies exploitable vulnerabilities and correlates them with an organization’s unique network and security controls to calculate which high-risk assets are exposed to threat actors. Without exposure analysis, organizations can waste a great deal of time and resources chasing vulnerabilities unlikely to lead to a breach. Understanding network access is a core tenet of the DSS and is key to accurately scoping the CDE and avoiding wasted audit resources when segmentation cannot be adequately demonstrated. Exposure analysis is a key capability for proving that segmentation and reducing scope.
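The three capabilities above, worked as a small added example (my own toy model, not code from Skybox or the PCI SSC): a firewall policy, an asset inventory and a set of findings are all constructed here with placeholder CVE ids, and the model assumes that compromising a vulnerable, reachable service gives an attacker a foothold in that asset's zone. It shows why a critical, in-the-wild CVE on an unreachable host ranks below a lower-CVSS flaw on the path into the CDE.

```python
"""Toy exposure analysis: rank findings by whether an attacker starting in an
untrusted zone can actually reach them, not by CVSS severity alone."""

# Constructed sample environment (hypothetical; not from any real network).
# Firewall policy as allowed (source_zone, destination_zone, port) rules.
ALLOWED = [("internet", "dmz", 443), ("dmz", "corp", 8080), ("corp", "cde", 1433)]
# Assets: name -> (zone, listening ports)
ASSETS = {"web01": ("dmz", {443}), "app01": ("corp", {8080}),
          "db01": ("cde", {1433}), "hr01": ("corp", {445})}
# Findings: (asset, placeholder CVE id, CVSS base score, service port, exploited in the wild)
FINDINGS = [("hr01", "CVE-XXXX-A", 9.8, 445, True), ("web01", "CVE-XXXX-B", 7.5, 443, True),
            ("app01", "CVE-XXXX-C", 6.5, 8080, False), ("db01", "CVE-XXXX-D", 5.3, 1433, False)]

def attack_path(allowed, assets, findings, start_zone="internet"):
    """Fixed-point walk over the policy: a service is exposed when a zone the
    attacker controls may reach it; compromising a vulnerable exposed service
    hands the attacker that asset's zone (the pivot assumption of this model)."""
    controlled, exposed, path = {start_zone}, set(), []
    vulnerable = {(asset, port) for asset, _, _, port, _ in findings}
    changed = True
    while changed:
        changed = False
        for src, dst, port in allowed:
            if src not in controlled:
                continue
            for name, (zone, ports) in assets.items():
                if zone == dst and port in ports and (name, port) not in exposed:
                    exposed.add((name, port))
                    if (name, port) in vulnerable:
                        path.append(name)
                        if zone not in controlled:
                            controlled.add(zone)
                            changed = True  # new zone reachable: walk the policy again
    return exposed, path

def rank_findings(allowed, assets, findings, start_zone="internet"):
    """Score = CVSS, doubled when exploited in the wild (threat intelligence),
    x1.5 for assets inside the CDE (asset context), zeroed when unreachable (exposure)."""
    exposed, path = attack_path(allowed, assets, findings, start_zone)
    ranked = []
    for asset, cve, cvss, port, in_wild in findings:
        score = cvss * (2 if in_wild else 1) * (1.5 if assets[asset][0] == "cde" else 1)
        if (asset, port) not in exposed:
            score = 0.0  # unreachable from the start zone: not an exposure today
        ranked.append((asset, cve, round(score, 2)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked, path

if __name__ == "__main__":
    ranked, path = rank_findings(ALLOWED, ASSETS, FINDINGS)
    print("attack path into the CDE:", " -> ".join(path))
    for asset, cve, score in ranked:
        print(f"{asset:6} {cve:12} exposure score {score}")
```

The same walk doubles as segmentation evidence: an asset that never appears in the exposed set from any zone outside the CDE is the kind of host a QSA can accept as out of scope.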
By adopting a proactive approach to cybersecurity alongside the latest updates to PCI DSS, retailers will be armed with the proper tools to protect their most critical assets: customer data. These strategies allow retail organizations to build modern cybersecurity programs that defend against the increasing threats the industry faces today, like increasing ransomware and phishing attacks that can result in data breaches.
Terry Olaes is Director of North America systems engineering at Skybox Security. With more than 20 years of experience in IT, his expertise includes IT/OT convergence, audit and compliance, data breaches and incident management. Working on the ground floor at a manufacturing plant, serving as a systems engineer and managing large security teams have provided Olaes with a unique perspective on fortifying IT/OT security posture. He specializes in helping organizations devise the right cybersecurity strategies to help manage vulnerabilities and mitigate risks across IT, OT, and hybrid cloud environments.