Many of the organizations we work with must comply with the Payment Card Industry Data Security Standard (PCI DSS) in some way, shape, or form to help safeguard cardholder data. Since the PCI Security Standards Council recently released a new version, PCI DSS 3.0, which took effect on January 1, 2014, we thought it was a good time to examine how threat intelligence can factor into your PCI compliance program.
For starters, let’s quickly define what we mean by threat intelligence, since the term is bandied about for a wide range of things that may or may not be “intelligence.” Our definition, which we’ve discussed at length in some of our recent whitepapers and webinars, is that threat intelligence is data that has been transformed, distilled, or otherwise turned into something usable, whether by software or by human analysts, and whose output is relevant, actionable, and valuable to your organization. Data that fails any of those three tests is just data.
With that in mind, let’s take a look at how threat intelligence can be incorporated into PCI compliance. The PCI DSS 3.0 update touches requirements such as penetration testing, service provider responsibilities, password and credential management, and malware detection. Several of these requirements are places where open-source threat intelligence can play a role.
For example, Requirement 12.10.5, part of the incident response requirements under 12.10, requires that the incident response plan “include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.” The objective is to make sure alerts that point to a risk to cardholder data actually feed the response process, so you can act to prevent a breach or respond faster if one occurs.
Using data from a SIEM, logs, firewalls, and other perimeter monitoring systems is important. However, that data can be enriched, and breaches found faster, with threat intelligence gathered from indications and warnings outside the perimeter. Monitoring open sources on the Internet, especially paste sites such as Pastebin and document-sharing sites, can help you discover leaked confidential documents, or card numbers, sooner rather than later.
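The paragraph above, and the one on underground forums that follows it, both come down to the same practical problem: text scraped from a paste site or forum is full of 16-digit strings, and an alert that fires on every one of them will be ignored. The example below, written for this article and not part of the original post or any vendor product, shows the minimum filtering a practitioner would want before raising an alert: a Luhn (mod 10) check to drop order IDs and typos, an issuer-prefix check to drop Luhn-valid numbers that are not cards, and masking of the hit so the alert itself does not become a new copy of cardholder data. The sample paste text is constructed and uses the well-known Visa and Mastercard test numbers; the issuer-prefix table is a deliberately small illustration, not a complete IIN list.

```python
import re

# Constructed sample "paste" text for this example; the two valid-looking
# numbers are the standard Visa and Mastercard test PANs, not real cards.
SAMPLE_PASTE = """\
dump from shop backend (constructed test data, not a real breach)
card: 4111 1111 1111 1111 exp 12/26
card: 5555-5555-5555-4444 exp 01/27
order_id: 1234567812345678
card: 4111111111111112
support: 555-0100-1234
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Small issuer-prefix table for illustration only (an assumption of this
# example); a production scanner would use a maintained IIN/BIN list.
ISSUER_PREFIXES = {
    "Visa": ("4",),
    "Mastercard": ("51", "52", "53", "54", "55"),
    "American Express": ("34", "37"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_for(digits: str):
    """Map the leading digits to an issuer name, or None if unrecognised."""
    for name, prefixes in ISSUER_PREFIXES.items():
        if digits.startswith(prefixes):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 3.3 allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, issuer-tagged hits for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19:
            continue
        if not luhn_valid(digits):          # drops order IDs, timestamps, typos
            continue
        issuer = issuer_for(digits)
        if issuer is None:                  # drops Luhn-valid non-card numbers
            continue
        # Store only the masked form: the alert must not become a new copy of
        # cardholder data in your logs or ticketing system.
        hits.append({"masked": mask_pan(digits), "issuer": issuer, "offset": m.start()})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_PASTE):
        print(f"possible {hit['issuer']} PAN {hit['masked']} at offset {hit['offset']}")
```

Run against the sample, the scanner reports the two test cards and stays silent on the order ID, the mistyped number, and the phone number. The same two checks apply unchanged to text pulled from forum posts or file-sharing sites; what changes is only how the text is collected.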
Breached data is often bought and sold on underground forums, so an automated tool that searches those places can speed up discovery. Once a breach is discovered, threat intelligence can also help your security team learn more about the attackers and their motives, and possibly limit further damage.
Other PCI DSS 3.0 updates include more detailed guidance on evaluating evolving malware threats for systems not commonly affected by malware, controlling physical access to sensitive areas for onsite personnel, and inspecting point-of-sale (POS) devices for evidence of tampering. In these cases, threat intelligence can help you discover new tactics criminals are using against POS devices or physical facilities, including malware and social engineering.
Although the PCI DSS requirements are extensive, complying with them will not necessarily keep your organization from being breached. It’s easy to find examples. The large data breaches that hit the headlines last year also hit companies’ bottom lines hard, to the tune of at least $200 million, according to the Wall Street Journal and Huffington Post. Many of the companies affected had been validated as PCI compliant, and they were breached anyway.
In addition to keeping up with patching and the other requirements, training employees on how private data can be exposed helps prevent breaches and leaks. Security teams can also use open-source threat intelligence to find gaps in the organization’s security program.
Compliance with PCI DSS is a first step in securing cardholder data, but compliance alone does not make that data secure; further steps are needed. Contact us to learn how our solutions can help your organization.