How to Improve on PCI Compliance Gaps

Payment Card Industry Data Security Standard (PCI DSS) has long been the go-to standard for organizations that handle all data related to payment cards. Payment Card Industry (PCI) compliance is mandatory, but achieving compliance is not always a straightforward process.

For example, compliance is a challenge when you are operating in a hybrid cloud environment. There are many security gaps to fill before you can reach the appropriate compliance level as defined by Visa. Thankfully, the PCI Security Standards Council has released PCI DSS Cloud Computing Guidelines to make filling security gaps easier.

Importantly, the upcoming version 4.0 of the PCI DSS is set to be released in the late 2020s. It will introduce a number of new requirements, as well as a new approach to validating compliance. These do have the potential to further widen compliance gaps for organizations initially, which is why taking steps, sooner rather than later, to prepare for the PCI DSS v4.0 is a must.

You may also like: What Is PCI DSS and Why Does it Matter?

The Fundamental Requirements

Emma Sutcliffe, the Council’s Global Head of Standards, confirmed that the fundamental 12 requirements will remain the same — even in the new 4.0 version. A firewall will still be the first layer of security added to protect cardholder data. The firewall needs to be configured so that access to critical data is limited.

Default passwords and security parameters must also be changed. This is a basic requirement that receives a lot of attention, mainly because several cases of information theft have occurred because of the use of default configurations and passwords.

Stored cardholder data must be fully protected using strong encryption. At the same time, the encryption of transmitted cardholder data is also mandatory. Encryption of transmitted data is even more important when public networks are used.

Up-to-date antivirus software is the next requirement to meet. Again, this may seem basic, but it is a fundamental element that often gets neglected as a security measure. As an added layer, secure systems and applications are also required.

The PCI DSS requirements then address the issue of access control and data management. Access to cardholder data is limited on a need-to-know basis. Unique access IDs are also mandatory, mainly for logging and access management purposes.

PCI DSS also governs how physical access to both terminals and data must be limited. All access must be monitored and logged; on a larger scale, all network activities must be tracked and monitored as well.

To complete the set, PCI DSS requires regular security tests and process reviews. A set of policies that specifically address security issues needs to be put in place before an organization can fully comply with PCI DSS based on these requirements.

These requirements, as explained by the Council, remain fairly unchanged. PCI DSS v4.0 introduces a set of new requirements to adjust the security standard to the growing risks to payment data. It primarily shifts the focus on compliance to seeing security as a continuous process.

PCI Compliance and DevOps

As mentioned before, complying with PCI DSS can be more challenging when you factor in external elements. Each organization handles its ecosystems differently, and meeting the fundamental requirements is not always easy.

For organizations that still incorporate waterfall deployment as a development method — with one iteration every 6 to 12 months — compliance with the PCI standards is straightforward. A thorough security review is usually conducted at the end of the development process to maintain maximum account data protection. In an agile environment, however, this becomes a serious challenge.

DevOps need to take security into consideration. In fact, the entire development cycle needs to also focus on security, with security reviews being conducted every step of the way. To make cycles less challenging, it is necessary to define security standards that cover everything from how codes need to be written to how the production server must be configured.

Integrating security into the development and deployment workflows allows PCI security compliance to become an inseparable part of the process. When a new update is tested, you are also testing it against the security policies added to the development guideline.

As mentioned in PCI DSS Requirement 6.1, it is necessary to “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high”, “medium”, or “low”) to newly discovered security vulnerabilities.”

Tools and Resources

Involving auditors and third-party service providers is often seen as a good way to solve this challenge. Methodologies like Agile and MVP shortens the development cycle by sacrificing a number of things, security being one of them. This is where having a fresh pair of eyes — or a few of them — and the right resources really help.

Compliance audits and assessments are provided by service providers, such as VisionPath. For organizations that incorporate Agile and DevOps, however, regular audits alone are not enough. Compliance as Code (CAC) needs to be a part of the process. Fortunately, CAC is supported natively by most cloud environments, including Google Cloud Platform and Amazon Web Services.

AWS WAF Security Automations helps automate the process. There are also additional tools, such as AWS CloudFormation and AWS OpsWorks to further simplify the issue. AWS CodePipeline and AWS CodeStart, along with other tools provided by Amazon, guards the development process. Amazon CloudWatch, AWS Web Application Firewall, and Amazon GuardDuty, on the other hand, all focus on securing the cloud environment.

There are even ways to automate the integration of PCI rules into AWS Config. AMIs that are already PCI-compliant are just as easy to deploy. DevSecOps becomes more of a shift in mindset rather than a big obstacle. With the upcoming release of PCI DSS v4.0, these tools and resources are invaluable in achieving and maintaining PCI compliance on AWS.

Further Reading

• Simplifying Application Security and Compliance with the OWASP Top 10.
• Cloud Security: What Every Tech Leader Needs to Know.
• Using Logs for Security and Compliance: Part 1.