By Dave Waterson, CEO, SentryBay
In the escalating battle against cyberthreats, financial services companies need to think beyond traditional defences. It is now time for enterprises to work closely with solution specialists who are addressing changed work environments if they are to stop being vulnerable to attack now and in the future. There is another imperative too, which for financial organisations is just as important – compliance with regulations and legislation. While this is developed with the best intentions of protecting customers, it has become, all too often, an irritant that seems to cause more difficulties than it solves.
Any organisation of any size that accepts card payments must comply with the Payment Card Industry Data Security Standard, commonly known as PCI DSS. It is promoted by leading card brands such as Visa, American Express and Mastercard and seeks to protect cardholder data and strengthen the adoption of consistent data security measures around the world. The standard outlines an array of technical and operational requirements designed to protect account data provided in an online purchase or other card-based transaction. These – subject to local or regional laws and other requirements – set a minimum standard that applies not only to retailers but to anyone who handles either cardholder data or sensitive authentication data.
Views on PCI
Given the backdrop of the rise in cyberattacks, we were interested to know how security professionals viewed the PCI DSS standards. We carried out a poll on Twitter which found that more than half of respondents admitted that their current infrastructure had either failed PCI DSS assessments or that the company was non-compliant with PCI DSS. In addition, over 50% told us they either believe PCI regulations are unfit for purpose or need adjusting for current hybrid working models, which allow employees to work both at the office and remotely.
The problem seems to lie in addressing numerous security needs at the same time as the standards, which can be contradictory. Almost a quarter (24%) of the respondents to our poll cited process contradictions in applying the requirements of PCI DSS. This could be caused by incompatible technologies, services and solutions, or even attempting to satisfy the requirements of other regulations. Typically these issues can be exacerbated by staffing or other resourcing problems and nearly one in four of the people answering our poll pinpointed the education of employees and other workers as a major challenge when it came to ensuring PCI DSS compliance.
Onerous security demands in themselves cause critical issues when it comes to achieving and maintaining PCI DSS compliance, according to 22% of respondents. These challenges are not just cybersecurity theatre or a failure to tick a box. While correlation is not causation, some 15% revealed that their organisation in the past year experienced at least one security breach that was most likely caused by mishandling payment card or related information. Another 20% admitted that they do not know if their organisation has experienced such a breach.
Compliance frameworks will help defend against cyberattack
PCI DSS is constantly subject to further review and expansion, so it is essential that enterprises get on top of what it means for them and how they can address it. It will not become less complex; indeed, it is likely to become more so, and it needs addressing with some urgency. However, despite the difficulties that organisations are experiencing, they should understand that compliance frameworks and legislation will help them combat cyberattacks, and that by addressing the requirements they will improve their overall cybersecurity posture across all devices, applications and systems, whenever and wherever they are used.
Getting on top of the problem
Dealing with this means adopting a multi-layered approach that integrates complementary products and services that can enable organisations to block cyberthreats and proactively address gaps in compliance.
Firstly, it’s important to adopt a zero-trust approach to all endpoints on the network: “Never trust, always verify.” It also means thinking past the old standards of internet security, anti-virus software and securing the wireless network with virtual private networking (VPN). Instead, enterprises should look to deploy dedicated software and solutions that can ‘wrap’ data and applications securely to reduce the threat of cyberattack via keyloggers, screen scrapers and similar malware.
For PCI DSS, following proper security measures for accepting, processing and storing card payments and personal information includes annual and quarterly validation requirements, including several reports by qualified independent experts and an attestation of compliance. The exact standards depend on the merchant category and level of business as described by the PCI SSC.
Organisations can begin by auditing their own environments, determining what data is handled and by whom, and how it is processed and stored. The attack surface can be reduced by isolating cardholder data from other parts of the network, which makes compliance easier by reducing the scope of coverage. Once vulnerabilities have been identified, the required paperwork should be completed and sent to stakeholders in the company.
The next step is to address all gaps found in the security posture, with special attention paid to the endpoint environment – an endpoint is any device that is used to connect to the corporate network. Organisations should also regularly review, test and assess the assets and tools used to assure compliance and handle payments.
Compliance requirements like penetration testing and vulnerability scans can also help satisfy additional security standards, along with password protection and identification, multifactor authentication, encryption, tokenisation, local and in-cloud automated system backups, email gateway security, endpoint threat detection and response, ransomware protection, monitoring and critical control testing – all of which must be done in conjunction with strong ongoing employee education programmes.
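To support the scoping step described above (determining which systems actually handle cardholder data before isolating them), here is an added example that is not part of the original article and is not SentryBay's code: a small Python discovery scan that finds Luhn-valid card numbers in constructed sample logs and exports, masks them in its report so the findings themselves do not re-expose card data, and marks any source with a hit as in scope. The regex, the source names and the sample data are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes (assumed pattern).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs such as session ids or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:  # report a finding without repeating the full PAN
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    masked: str

def scan(source: str, text: str) -> list[Finding]:
    """Return every Luhn-valid candidate PAN in text, located by line number and masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings

def in_scope(sources: dict[str, str]) -> dict[str, int]:
    """Map each source (file, log, export) to its PAN count; any hit puts that source in scope."""
    return {name: len(scan(name, text)) for name, text in sources.items()}

# Constructed sample data: two standard test PANs, plus digit runs that are not card numbers.
SAMPLE_SOURCES = {
    "payments.log": (
        "2024-01-05 10:22:01 order=100045 card=4111 1111 1111 1111 status=ok\n"
        "2024-01-05 10:22:02 session=1234567890123456 user=agent17\n"
        "2024-01-05 10:22:03 card=5500-0000-0000-0004 amount=19.99\n"
    ),
    "crm_export.csv": "id,phone\n7,02079460000\n8,9999999999999\n",
}
```

Running `in_scope(SAMPLE_SOURCES)` shows the payments log holds cardholder data while the CRM export does not, which is the evidence needed to decide what must be segmented into the cardholder data environment.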
Keeping customer transactions safe from phishing, keylogging, spyware, screen scraping and more can be achieved with solutions built for purpose, which can also block employees from viewing or handling sensitive information. Contact centre agents and remote workers may be using virtualised desktop infrastructure (VDI) to connect to head office, using their own devices via a portal – perhaps regularly processing contracts and payments with another partner company, so this needs to be addressed.
Get the right security solutions
Security professionals should look for scalable solutions that can be quickly deployed, particularly to remote workers. In this industry they should at the very least protect endpoints and devices; however, security for commerce applications, protection for customers when they access an online banking site, and specific assistance with threat intelligence or against ransomware will be equally important.
Good practice must be led by managers, and those responsible for security and risk need to engage regularly with other functions in the company: not just compliance stakeholders, but network managers, application owners, business unit managers and legal teams. This multi-layered approach supports close alignment with the needs of the enterprise and facilitates the continual review and revision that must accompany an understanding of security and regulation as a constantly changing, continuous process.
Further information on how organisations can connect their security strategies with compliance is available here.