)
If you’re a merchant of any size, you’re likely well aware of the impending changes to the Payment Card Industry Data Security Standard (PCI DSS). Beginning March 31, 2024, the existing standard, PCI DSS 3.2.1, will be retired and replaced by PCI DSS 4.0 – a standard that reflects significant changes in technology, particularly cybersecurity, in the past few years.
New regulations with major changes, of course, aren’t generally embraced with open arms by most, especially when your workload is already heavy. But PCI DSS 4.0 didn’t emerge in a vacuum: Cyberthreats are more pervasive and fast-moving than ever. Additionally, the infrastructure used by today’s retail industry has expanded and provided more avenues of attack for cybercriminals. Even if the regulations hadn’t changed, the principles embodied in PCI DSS 4.0 are ones that informed retailers and their partners should embrace to protect their customers and their organizations.
I recently led a discussion (now available as an on-demand webinar) looking closely at how the upcoming changes affect retailers and related industries and offered some guidance on how to implement the new requirements without feeling overwhelmed. The webinar content is summarized below.
How the world has changed since the last PCI DSS standards
The security standards that are being retired were first devised in 2016, a year when identified common vulnerabilities and exposures totaled 6,447. That number has grown drastically, reaching more than 25,000 CVEs in 2022 and nearly 30,000 in 2023. Not only have the numbers grown but the methods for finding openings in security systems have evolved as well. Indeed, threat actors now employ tools and techniques that didn’t exist in 2016, such as user-friendly artificial intelligence and machine learning applications that take advantage of generative AI large language models to deceive their intended victims.
Most importantly for retailers, Covid-19 brought drastic changes in how they conducted transactions. They frequently turned to new online platforms to maintain sales and teamed up with new business partners for a range of operational activities. These additions greatly expanded their digital footprint, their threat surface, and the potential for compromised security.
Once the pandemic subsumed and shoppers started buying in stores again, many retailers found themselves continuing to rely on outdated POS equipment powered by operating systems no longer supported by the companies that created them. But due to high replacement costs – especially for large retailers – they had little choice but to continue using their ever-more-vulnerable equipment.
Two key changes: Customized assessments of controls and dynamic threat monitoring
PCI DSS 4.0 includes a sweeping set of changes in processes, roles and responsibilities, and technical standards. Among them are two notable elements:
Retailers and others covered by the PCI DSS can use customized controls of their own devising to assess their security controls and meet compliance -- a concession to the new mix of tools and platforms that have become part of the sales and fulfillment process. At the same time, retailers must demonstrate that their tailored assessment controls adequately test the efficacy of those security controls.
Enterprises’ security postures must be evaluated continuously, not just periodically. That is, organizations must constantly and proactively identify gaps and vulnerabilities in their digital footprints. Given the bump in volume and intensity of cybercrime since 2016, it’s evident that the infrequent scans of the past – once every quarter or even every month – are far from adequate in today’s environment.
In other words, 1) you’ll need to be able to prove your controls are working, no matter how much your infrastructure has expanded, and 2) you’ll need to be constantly checking for potential problems. How to implement PCI DSS 4.0 without losing your head
While the frenetic activities of threat actors and the more demanding requirements of PCI DSS 4.0 may seem daunting, there’s a rational, manageable way to fight off the attackers and comply with the regulations. To do so, you need to move from a reactive mode to a proactive one in both your cybersecurity methods and tools. The key is not only to be able to track all the potential threats to your environment but also to have a context for understanding which ones are really dangerous and which ones can safely be ignored (at least at the moment).
Cybersixgill not only captures data about cybercriminal activities from across the globe but also helps customers assess which vulnerabilities are significant so they can prioritize their responses. For example, we recently used our automated processes to evaluate the risk level of roughly 20,000 CVEs as identified by the Common Vulnerability Scoring System. Our review showed that of those, 1,480 were actually feasible as exploitable vulnerabilities and could be successfully used by cybercriminals to meet their goals. Even so, only 330 of those CVEs actually had been exploited by cybercriminals against their intended targets.
While that is still a significant number, it is far more manageable than 20,000 or even 1,500 when you realize that many of them would not be pertinent to your organization. Cybersixgill’s tools are designed so customers can tailor the information they receive to their industry and infrastructure and then prioritize threats based on their potential for harm for each unique customer.
Another important criterion that the national set of CVEs doesn’t always capture is their changing risk levels. Older CVEs in particular can have low threat-level assessments because they haven’t been exploited for a while, but cybercriminals may decide to resurrect a vulnerability and take advantage of lax protection efforts by their targets. This is why the continuous monitoring requirements of PCI DSS 4.0 are logical and needed. Cybersixgill aids these efforts by creating its own ever-changing vulnerability risk scores for CVEs in response to changing cybercriminal activity.
In addition, Cybersixgill’s tools have been designed to integrate with existing security stacks so information can be acted upon readily. Many security teams feel beleaguered not just by threat activity levels, but the complexity of the tool sets they’re using to defend themselves. Cybersixgill has created an extensive set of APIs to link our products with all the leading cybersecurity vendors.
To sum up, Cybersixgill has carefully evaluated PCI DSS 4.0 in all its complexity and expectations. We’ve developed products and a framework to help retailers and their associated partners comply with these new regulations and keep their customers and organizations protected without overburdening security teams.
Once you’ve watched our on-demand webinar, learn more about Cybersixgill’s tools and processes by signing up for a demo. Or just contact us directly to see how we can help you and your organization meet your unique challenges.
)
)
)
)