Posted April 23, 2015
At the beginning of the year, we wrote about how threat intelligence can help organizations comply with the Payment Card Industry Data Security Standards (PCI DSS) version 3.0. The PCI Security Standards Council has just published an updated version, 3.1, which took immediate effect and includes guidance for SSL vulnerabilities, like the ones that led to Heartbleed, that can lead to problems with payment card data security.
Verizon has released its 2015 PCI report, which details how organizations are prepared to withstand attacks and breaches. Here are a few highlights that caught our eye in this report:
- Become Compliant, Stay Compliant.Verizon reports that overall compliance with the PCI DSS requirements was up, but that four out of five organizations failed to sustain their security controls. Maintaining compliance – a difficult task for any company – requires detailed policies, procedures, and testing. One way to stay vigilant is to use threat intelligence gathered from indications and warnings found on document sharing sites to see if any customer data has been leaked or stolen. In many instances, retailers and banks have discovered payment card data breaches and compromises early on by monitoring what data has been offered for sale on underground sites and forums.
- You Cannot Have Complete Control.Data loss prevention (DLP), SIEMs, IDS/IPS, and anti-virus software can’t give your IT teams total control over “the perimeter” the same way they did in the past, because most employees now use mobile and other personally owned devices that IT doesn’t fully control. But there are things you can do. In addition to employee awareness training of how private data may be inadvertently exposed, monitoring rogue mobile applications that use your organization’s good name and looking for indicators of pending attacks or discussions of different methods of bypassing controls can help identify issues sooner rather than later.
- Basic Malware: Software that is intended to damage or disable computers and computer systems. Controls Are Not Enough.While most payment card data breaches are the result of a mix of threat vectors, a number in recent years have been the result of POS malware. Maintaining the minimum malware controls is not enough, because zero-day and social engineering attacks can evade traditional reactive scanners. That is why using proactive tools and methods, such as open source threat intelligence, are so important.
PCI Compliance is the first step in securing cardholder information, but other steps must be taken to ensure that information is secure. Contact us to learn how our solutions can help your organization.