Reimagining Cyber - real world perspectives on cybersecurity

Navigating PCI DSS 4.0 - Ep 90

Reimagining Cyber Season 1 Episode 90

Join hosts Stan Wisseman and Rob Aragao as they explore the evolution of payment card security standards. With insights on PCI DSS 4.0, they dive into key changes and technology considerations. From data protection to application security, this episode offers crucial insights for organizations navigating compliance in an ever-evolving landscape.



[00:00:00] Stan Wisseman: Welcome everyone to another episode of Reimagining Cyber. I'm Stan Wisseman. I'm joined by, with,

[00:00:09] I'm joined by my, I'm joined with my, my co host is with me. How's that? 

[00:00:15] Rob Aragao: Hold on. Are you ready? Take 33. Go. 

[00:00:19] Stan Wisseman: Just the beginning. Welcome, everyone, to another episode of Reimagining Cyber. I'm Stan Wisseman, and as always, I'm joined by my co host, Rob Aragao. In today's episode, we're going to dive into the evolution of the payment card industry data security standard, more commonly known as PCI DSS, and specifically the launch of PCI DSS 4.0.

[00:00:43] So, with the March 31st, 2024 deadline just around the corner, organizations are in that final stretch of transitioning from PCI DSS version 3.2.1 to the more robust PCI DSS [00:01:00] 4.0. Are you ready for, for this, Rob? Are you ready to dive into payment security? I've got 

[00:01:05] Rob Aragao: all the credit cards laid out in front of me.

[00:01:06] I'm good to go. 

[00:01:08] Stan Wisseman: Let's kick off with a little context, a little history around the standard. And, and why it was needed. So, you know, I am old enough to remember before the DSS existed. And it was created back in 2004. Consumers and merchants alike were plagued at that time by fragmented payment systems.

[00:01:29] And it was a constant headache for everybody. And a source of risk, especially when one credit card company's policies violated another's or mandated different security controls, or simply they just weren't, you know, following guidelines as early as they, they should have been on the merchant side, especially, right?

[00:01:48] So, when the Security Standards Council of PCI, the PCI SSC, fully formed and released compliance guidelines for the industry, merchants of all [00:02:00] sizes literally had to, you know, redo everything they did. And, and they, but at least they had a common baseline of protecting payment account data throughout the life cycle of the payment ecosystem.

[00:02:17] And that was good news. Right? And so that original standard 1.0 was released in 2004, as I said, and has had several major overhauls since then. And the current version again is 3.2.1. So, you know, again, the standard has had a pivotal role in safeguarding payment data. And let's face it, Rob, I mean, we are, you know, more than ever relying on that system, that ecosystem, right?

[00:02:46] I mean, merchants and service providers and financial institutions, they all are using this more and more frequently, and that foundation is to protect against, you know, breaches and ensuring [00:03:00] that, you know, consumers have confidence that their data is going to be protected during transactions. I do want to point out, though, that, you know, as we pointed out many times on this podcast, achieving PCI DSS compliance alone doesn't fully protect against breaches.

[00:03:17] I mean, organizations need to implement, you know, risk based security measures that exceed baseline compliance standards like this one, right? So, while the evolution of PCI continues and it raises the bar each time, in and of itself, compliance is not equated to security. But, you know, now that we're in, you know, looking at the implementation of this, the standard, I mean, again, in 2022 is when the

[00:03:44] 4.0 was published, and the whole idea is to keep pace with the advances of technology and, and, and the threat environment. It's now reaching a point where at the end of this month until next year, March [00:04:00] 31st, 2025, you know, these specific new requirements in version 4 are going to shift from best practices to being required.

[00:04:09] And so, Rob, can you get into some of these key changes in the standard and, and highlight, you know, what impact that might have on folks. For 

[00:04:19] Rob Aragao: sure. So I think it's, it's, I mean, think about that, right? It's 20 years now, it's been out there. And so yeah, it's continued to evolve. I think, you know, some may say that we'd like it to have evolved faster than what it has, but you know, there's some really good changes that have come with 4.0.

[00:04:35] So, so the first one, it's kind of an interesting thing. And I think, I guess the main theme I would just say to take away is a very key word to think about is continuous, right? So continuous assessment, continuously, you know, reviewing really what's in place, which is important because we've always talked about that when a, you know, a QSA in this case comes in to do an assessment, if it's once a year or twice a year or quarterly, that's that point in time.[00:05:00] 

[00:05:00] So again, things that they've done, right? So, so first is there's this new customized approach that they've actually implemented in 4.0, which is great because it's really driving more so around what the outcomes are desired by their organization as it relates to the security objectives that they're trying to meet within PCI and so.

[00:05:17] You know, that gives them some flexibility, you know, the organization, some flexibility in being able to apply the security control mechanisms still, obviously, in alignment with the Data Security Standard, otherwise known as PCI DSS. But the key is that they may, as an organization, have some security control mechanisms in place that may actually be effective.

[00:05:36] Adhere to what PCI DSS is calling out. So it gives them that flexibility to decide what technology sets they want to put in place, some different types of implementations they desire to put it in place with. But at the end of the day, that is that, that organization that decides to take that customized approach is still going to be obviously measured.

[00:05:55] In alignment with what the QSA is coming in to validate: the [00:06:00] controls truly do meet, the documentation is in place, the risk analysis has been reviewed and has been approved. So that's one of the key areas is, if you desire to take more of this customized approach, understand that you have some flexibility. But of course, at the end of the day, you still have to validate all the control mechanisms are there in place to meet the full stack of PCI DSS requirements.

[00:06:18] The other thing that they emphasized is stronger authentication methods, a little bit more aligned with what we're seeing from NIST. And so, you know, the need to now review access privileges at least twice a year. The, the desire to push stronger MFA capabilities into the organizations and make sure that they're truly using it again.

[00:06:38] That's a common theme we've seen in many different discussions we've had, Stan. Improve password hygiene, right? So better password complexity put in place, as well as the assurance of actually changing the passwords at least once a year. I mean, more frequently, but that's all they're asking for at this point, once a year. Third parties,

[00:06:55] and the type of relationship they have, well, you need to ensure that you're obviously [00:07:00] continuously monitoring what the third party concerts are doing, right. And are they properly in place for what the need is, or has that kind of been expired? Let's get rid of those things. The other thing that actually is tied in here that kind of, kind of went underneath the radar a little bit is around data protection.

[00:07:18] Right. So, so historically, PCI has looked at protecting data from a disk level encryption specifically. That's no longer allowed. You go to 4.0, you actually have to be doing encryption throughout the entire life cycle of the data. So not just, again, at rest, but in use and in motion. So I think that's a big, big call out.

[00:07:35] The other couple of items are around phishing, again, major attack vector. So ensuring that you have the right mechanisms in place to do detection and also protection against phishing. And then the last one I'll call out is, again, this, this movement from a manual process to continuous process. So moving from manual review of logs to actually automating them into a technology set that allows you to [00:08:00] identify security incidents and quickly be able to react to them.

[00:08:03] So again, another area of, of much needed change that's been actually pulled forward as part of their requirements in 4.0. 

[00:08:10] Stan Wisseman: Hey, Rob, you use an acronym that our listeners may not be familiar with unless they're in this process itself, but what does QSA mean? 

[00:08:17] Rob Aragao: Yes, Qualified Security Assessor. 

[00:08:20] Stan Wisseman: I do think that role may be more difficult with that whole customized approach.

[00:08:24] But I, I do want to highlight another area of significant change in 4.0, and that's a greater emphasis on application security than was had in the previous versions, and that, that's near and dear to my heart. As, you know, I really focus a lot on application security, and that I'm glad to see these changes.

[00:08:42] Specifically, the standard requires more testing of public facing applications related to payment processing or other activities considered in scope, which is important terminology for PCI systems, right? But generally, any system that touches [00:09:00] untokenized payment card data is in scope for PCI DSS compliance.

[00:09:05] And, and, and whether or not a system or function is, is public facing, it doesn't really matter. Because as you pointed out, it's end to end and trying to protect that data. So, right. To prevent vulnerabilities and other errors from being deployed, you know, they really are emphasizing now that developers will have to continually test in scope applications during the SDLC using both static and dynamic application security testing tools.

[00:09:30] So that's great. You know, it's implied in requirement 6.2.1 that, you know, mandates bespoke software, custom software and developed software have to be done securely and incorporate consideration of information security issues during each stage of the SDLC, or software development lifecycle. But it's very explicit in requirement 6.2.3,

[00:09:56] which clearly states that code [00:10:00] reviews must be carried out on, again, this bespoke custom software prior to being released into production or to customers. So that, that calls it out pretty specifically. They want to ensure that the code is being reviewed. You know, likewise, another thing that has really been highlighted in this release is around APIs, or application programming interfaces, and the security of them, again, emphasizing that you have to scan

[00:10:24] APIs for vulnerabilities, and they even recommend doing penetration testing. And the optimal testing framework that they cite is the OWASP Top 10, a list of applications, and, and, you know, it cites it several times in the standard, and that's all well and good. I would point out that our listeners should not just look at the OWASP Top 10.

[00:10:45] That is a good starting point. It's not necessarily comprehensive of all critical application vulnerabilities that they need to be aware of or need to address. And so taken together, you know, these requirements spell out that, you know, payment pages and web applications [00:11:00] must be verified and thoroughly security tested.

[00:11:02] So that's really, I think, an important change. So, as we're looking at this, we refer to the timeline a couple of times as far as the, you know, the, the, what we're looking at in this next year, can you go through sort of like the, the more general review of the timeline? 

[00:11:19] Rob Aragao: Yeah, let's dive a little bit deeper into that.

[00:11:21] So, you know, you shared at the beginning, it was in March now, 2022, when basically they came out with the 4.0 standard and said, this is what we're moving forward with. So it was published at that point in time. I mean, you've had two years in essence to start really going through that and thinking about what you're going to have to put in place that are some different, some gaps, if you will, versus 3.2.1.

[00:11:39] And so, you know, we've kind of outlined some of the differences already. When you think about where you're at today, so March 31st, as you said, Stan, of 2024, the expectation is, Hey, listen, we're completely getting ready to cut you over to 4.0. You will have though a one year buffer in essence to April 1st of 2025 to when the [00:12:00] penalties, think of it this way, penalties will start coming down on you.

[00:12:02] Because you're not in compliance. So what do you do over the course of the next year, right? You've very likely in this space already been going through, as I said, identifying some of the areas that you need to make some modifications on, you know, make some adjustments to those things, some new investments potentially.

[00:12:16] But you know, one of the things that you should really be taking into consideration is, as you're going through this, in essence, roughly a year time frame kind of buffer to work through, get through the practice, verify these elements are all in place, do your own self assessing, but then also pull in your QSA, right, pull in the QSA because they will come in and do these pre assessments.

[00:12:37] They've historically done that. You mentioned Stan, especially when we talk about if you've, if you decide to take that customized option, you definitely want to be able to ensure that the QSA is well aware of what that is. They might have to do some additional research in there because they're gonna have to vet this out to say, yes, it actually does meet still that particular requirement within PCI or these particular requirements that you [00:13:00] are customizing, if you will around.

[00:13:02] So I think the key is, you know, you understand your timeline is, is now. If you haven't already started, get moving, verify, review what you have, understand what the differences are that you have to effectively make some adjustments for, but also do that in a timeline that allows you to actually have a QSA come in and do a pre assessment to identify things that maybe aren't quite where they need to be, or that maybe your interpretation of kind of taking this customized path isn't quite there yet either.

[00:13:30] And there's some additional changes you need to make to get to that point when the true assessment comes through. Because again, the last thing you need is to be dinged, and then penalized and paying the fees associated 

[00:13:40] Stan Wisseman: with that. Right. And speaking of compliance, I mean, I, I think folks recognize, but if you, if you don't, you know, the, the PCI DSS actually applies to a wide range of organizations, from small merchants all the way to large financial institutions. Anybody who handles cardholder information at any capacity [00:14:00] is, is impacted by the standard, right?

[00:14:02] But one of the things that may not be clear to folks is that in this version, they've, they've addressed the gap, which is around cloud computing. So the standard covers a wide range of cloud security topics, including, you know, cloud security architecture, cloud security operations monitoring. You know, it requires organizations to implement, you know, security controls such as encryption, authentication and access controls in that cloud context to ensure that, you know, if you're consuming cloud services, you're meeting the requirements to safeguard that information

[00:14:37] adequately, right? So that's, that's something that I wanted to highlight, because sometimes you may think that's out of scope because you've off boarded it from your environment on-prem. You're leveraging cloud services also for processors of payment information. Again, if you haven't already done so, and you're leveraging a payment processing organization, make sure that you understand those shared responsibilities between [00:15:00] them and you in this new standard.

[00:15:02] I mean, the real world consequences of noncompliance, I think the poster child for that really is probably Equifax, right? When they, when they had that incident, I think the penalty was close to like 425 million dollars. So that's a, that's a real wake up call of how bad it could be if you're, if you're proven to be noncompliant.

[00:15:23] So again, you know, meeting these kind of obligations, or these kind of getting ready to meet them as we get to that April 1st, 2025 deadline, is essential. And because you want to have continuous operations of your business and not have to worry about any kind of problems with your partners or trust you have with your consumers, right?

[00:15:46] And how you're handling their data. Absolutely. 

[00:15:50] Rob Aragao: Absolutely. Let's, let's delve a little bit into also, you know, we talked about what the changes are, Stan. You touched upon some different areas as well. You talked about application security. So let's just [00:16:00] talk about some maybe kind of technologies to consider as you go through the changes and some of the evolution here in 4.0.

[00:16:06] So the first I'll start with is around the data side of it, the data protection side of it. So again, you have to pivot now from the data at rest protection only to also being able to have visibility and complete protection no matter where the data is, again, in use, right, in motion, as well as at rest.

[00:16:24] So you need to think about what your data protection strategy is. And if you're not doing something that follows that life cycle holistically, you need to start pivoting in that direction. I would think, I would hope by now, the audience that would be listening to this, that is, you know, that the PCI is applicable to, has MFA in place, right?

[00:16:41] MFA is a core principle kind of security hygiene foundational stuff. Yes. Multi factor authentication. So multiple factors of authenticating into an environment and application, if you will. You discussed application security. So that's again, a core [00:17:00] area of call out. So what's your comprehensive application security program?

[00:17:04] What type of testing are you doing? Are you reviewing the different software components? Are you able to go through and identify vulnerabilities with the prompt remediation capability in place? Right? Are you, they're calling this out, are you actually educating your developers through secure code training? So not just educating, but proving that you're doing that.

[00:17:23] And it has to be done at least once a year. That's actually called out in PCI 4.0. So again, great advancements in my opinion, also on that side around application security, on how you properly protect data, on different authentication schemes that you have to take into consideration. So just really leveling up, and catching up in some cases, but leveling up what you have to do in many cases for better protection of that, that card information.

[00:17:45] Stan Wisseman: Yeah. And another thing that they, they point out is really around vulnerability management and the remediation. They don't give a specific timeline as to when you have to remediate a vulnerability, but the whole idea is you're actively monitoring [00:18:00] and, and, and I think the point is that they don't want to have a, a lingering backlog

[00:18:05] of, you know, any kind of level, much less, you know, certainly the highs or criticals, but even moderate or low vulnerabilities. They don't want to have a bunch of lingering vulnerabilities. So you have to have a very, you have to have a process to remediate in a timely manner, which is great. So, I mean, in summary, Rob, I think 4.0

[00:18:25] has been a journey. We're in the middle of that journey still, but we're getting closer to being real. I think it reflects another jump in trying to put in place controls to mitigate threats in today's landscape that have, you know, and honestly, they're, they're trying to future proof it a bit.

[00:18:45] I mean, they, they, they're, they're putting in place controls, I think, to anticipate some of the threats that we're, we're seeing in the future too. It is going to be, I think, challenging for all sides, including those that are doing the, the role of QSA, to, to be able to [00:19:00] handle this new customization

[00:19:03] approach, right. I do think that the, the freedom of doing that is going to be appreciated, but at the same time, it's going to be more difficult to actually determine whether there's compliance. And so the more interpretation and more of that kind of compromise or discussion going on between the parties. But I do think it's a, you know, it is a mindset change as far as how we actually are trying to go and be more proactive as opposed to reactive, and putting in place the security measures that we need to help ensure that we again continue to have confidence

[00:19:37] in our, our, our way in which we're transacting business, you know, more frequently. I don't know about you, but I don't carry cash in my wallet. You know, I'm dependent on being able to use this. And many times folks are now using their apps on their phone too. I mean, we, we just, as far as consumers, we're, we're, we're dependent on this, this process.

[00:19:58] And we know there [00:20:00] are gaps and, and we want to make sure that the controls are in place that we continue to have that confidence and have fewer gaps. 

[00:20:07] Rob Aragao: Yeah, absolutely. And I think I just want to add one more thing to what you, you discussed, which is, if you think about the timeline, I think, you know, the reality is that there's been this, this build up to where we are literally end of March for the QSAs to

[00:20:21] be trained, retrained, recertified, right, in preparation for this, with a lot of the caveats coming in as it relates to the customized approach. Now, the reality is behind the customized approach, what they're trying to, what the PCI Council is trying to drive out of that is lessons learned. Teach us. Right. So it's, it's a way to kind of, you know, decide to say, Hey, we want you to be more innovative and share with us your approaches.

[00:20:46] We may come back and say, Hey, no, that's not good enough. And you're not going to get the pass on that particular requirement. Or we're going to say, Hey, that's actually much better than we've been thinking about, and we might want to take an element of that and apply it to, you know, some addendum or the next version of PCI.

[00:20:58] So I think it's a great, you know, way of kind of [00:21:00] trying to balance that out a little bit. So we'll see where it goes, but looking forward to see how it evolves this course of a year or so from now, when people will start getting reality struck with April 1st, 2025, right 

[00:21:10] Stan Wisseman: around April Fools' Day. And what, what a, what a great day to have a standard go into effect, you know. Anyway, and until next time, Rob. Until next time, Stan, thank you.[00:22:00] 
