Over the last few weeks, I had the pleasure of attending and presenting at both PCI SSC Community Meetings, held in North America and Europe, the premier conference for everything related to the payment card and financial payment industry. At the first live events in two years, leading payment and data security professionals gathered to exchange ideas, explore emerging technologies, and get the latest updates from the PCI SSC on the future of the payment and financial systems security standards that improve payment security across the globe.
The conference has become known as the "RSA Conference" or "Black Hat" of everything payments, and its topics are now more relevant than ever to many industries, including retail, healthcare, and financial services. Key topics that circulated at both events included emerging payment technologies that ease assessment across the various PCI standards, and the challenges businesses and assessors face in implementing recent changes to how systems are audited against the standards. The main driver of many conversations, however, was the recently released PCI DSS v4.0.
The latest release reinforced the commonly held view that the Data Security Standard (DSS) is a solid, reliable baseline that gives organizations a realistic measure of their security posture, especially now that the DSS has moved beyond a checkbox or periodic compliance exercise. Its central theme of risk-based prioritization, backed by evidence that enriches security findings, has pushed PCI assessments closer to a continuous practice.
Addressing The Ongoing Prioritization Challenge
As security standards are updated to improve payment data security, the PCI standards also need to change how security gaps are identified and ranked. As noted in the Verizon Payment Security Report 2022, PCI DSS Requirements 6 and 11 (which cover identifying and risk-ranking vulnerabilities and regularly testing systems for them) stand out as the worst-performing key requirements for many organizations.
This ongoing prioritization challenge, and how the industry can address it, was the central topic of my presentation at both PCI Community Meetings. The changes in PCI DSS v4.0 (specifically the new Requirement 6.3) can improve the measurement of risk, allowing businesses to prioritize gaps faster and more accurately. In addition, PCI DSS now expects vulnerability prioritization to draw on outside sources, such as threat intelligence, which add context and metrics to the process of risk-ranking security gaps within systems.
How Organizations Can Achieve Continuous Risk-Based Prioritization
The new PCI DSS 6.3 requirements, combined with intelligence enrichment, enable risk-based prioritization by:
Uncovering gaps and vulnerabilities that attackers actually exploit: The defined approach, backed by concrete data that helps determine the risk a gap poses to systems, together with proactive threat intelligence, can identify whether a vulnerability poses a critical risk to the environment and needs to be ranked accordingly.
Continuously measuring the real risk of vulnerabilities across the enterprise: The customized approach objective for Requirement 6.3 states that "new system and software vulnerabilities that may impact the security of account data or the CDE are monitored, cataloged, and risk assessed," and the requirement's guidance adds that "this requirement is not achieved by, nor is it the same as, vulnerability scans". The emphasis is on continuous assessment and reassessment, so that systems do not fall prey to new or resurfacing vulnerabilities. Combined with current threat intelligence, organizations can identify and protect themselves against new critical vulnerabilities as well as the dreaded "negative-zero-day" vulnerabilities (attacks that reuse an existing, already cataloged vulnerability, typically against outdated systems that still lack the patch for it).
Ensuring the right priority is applied to the right vulnerabilities, with measurable enforcement: Moving from a point-in-time scan to continuous active monitoring, backed by industry sources of intelligence and threat metrics, lets organizations come closer to knowing, at any moment, the real risk of evolving vulnerabilities.
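To make the three points above concrete, here is an added example (not code from the original post, Cybersixgill, or the PCI SSC) of a small vulnerability catalog in the spirit of Requirement 6.3.1: each entry is monitored, cataloged with a timestamp, and risk-assessed from its CVSS base score, its exposure to the CDE and account data, and threat-intelligence enrichment (public exploit, in-the-wild exploitation, underground chatter). The weights, thresholds, vulnerability identifiers (VULN-A to VULN-D) and intel feed values are all constructed assumptions for illustration, not real vulnerabilities or a published scoring scheme. The example shows what a CVSS-only ranking would produce, what the intel-enriched ranking produces instead, and how a single entry is re-assessed when new intelligence arrives, without re-scanning anything.

```python
"""Intel-enriched risk ranking for a PCI DSS 6.3.1-style vulnerability catalog.

Illustrative only: weights, thresholds, identifiers and feed data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                 # placeholder identifier, not a real CVE
    component: str
    cvss_base: float             # CVSS base score, 0.0 - 10.0
    in_cde: bool                 # asset sits inside the cardholder data environment
    handles_account_data: bool   # asset stores, processes or transmits account data


@dataclass(frozen=True)
class Intel:
    exploit_public: bool = False      # a working exploit has been published
    exploited_in_wild: bool = False   # exploitation observed by a trusted source
    underground_mentions: int = 0     # chatter volume reported by intel feeds


@dataclass
class Entry:
    vuln: Vuln
    intel: Intel
    score: float
    rank: str
    assessed_at: datetime        # "cataloged" and "risk assessed" are dated


# Assumed weights. Intel and exposure only ever ADD to the CVSS base, so a
# vulnerability CVSS already rates as high/critical can never be ranked lower
# than its base score implies, which 6.3.1 requires at a minimum.
W_CDE, W_ACCOUNT_DATA = 2.0, 2.0
W_EXPLOIT_PUBLIC, W_IN_WILD = 2.0, 4.0
W_PER_MENTION, MENTION_CAP = 0.1, 10


def risk_score(v: Vuln, i: Intel) -> float:
    """CVSS base plus exposure uplift plus threat-intel uplift."""
    score = v.cvss_base
    if v.in_cde:
        score += W_CDE
    if v.handles_account_data:
        score += W_ACCOUNT_DATA
    if i.exploited_in_wild:          # in-the-wild beats a merely public exploit
        score += W_IN_WILD
    elif i.exploit_public:
        score += W_EXPLOIT_PUBLIC
    score += min(i.underground_mentions, MENTION_CAP) * W_PER_MENTION
    return round(score, 2)


def rank_label(score: float) -> str:
    """Assumed thresholds; anything at or above CVSS 7.0 stays at least 'high'."""
    if score >= 12.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def build_catalog(vulns: List[Vuln], intel: Dict[str, Intel], now: datetime) -> Dict[str, Entry]:
    cat: Dict[str, Entry] = {}
    for v in vulns:
        i = intel.get(v.vuln_id, Intel())   # no feed data means no uplift
        s = risk_score(v, i)
        cat[v.vuln_id] = Entry(v, i, s, rank_label(s), now)
    return cat


def reassess(cat: Dict[str, Entry], vuln_id: str, new_intel: Intel, now: datetime) -> Entry:
    """Re-score one entry when the intel feed changes; no scan is involved."""
    e = cat[vuln_id]
    s = risk_score(e.vuln, new_intel)
    cat[vuln_id] = Entry(e.vuln, new_intel, s, rank_label(s), now)
    return cat[vuln_id]


def prioritized(cat: Dict[str, Entry]) -> List[str]:
    """Remediation order by enriched score; CVSS base and id break ties."""
    order = sorted(cat.values(), key=lambda e: (-e.score, -e.vuln.cvss_base, e.vuln.vuln_id))
    return [e.vuln.vuln_id for e in order]


def cvss_only(cat: Dict[str, Entry]) -> List[str]:
    """The order a plain scanner report would suggest, for comparison."""
    order = sorted(cat.values(), key=lambda e: (-e.vuln.cvss_base, e.vuln.vuln_id))
    return [e.vuln.vuln_id for e in order]


# Constructed sample data: a high-CVSS bug on an out-of-scope build server,
# a mid-CVSS bug on the payment API that is being exploited right now, etc.
SAMPLE_VULNS = [
    Vuln("VULN-A", "build-server-ci", 9.8, in_cde=False, handles_account_data=False),
    Vuln("VULN-B", "payment-gateway-api", 6.5, in_cde=True, handles_account_data=True),
    Vuln("VULN-C", "tokenization-service", 7.5, in_cde=True, handles_account_data=False),
    Vuln("VULN-D", "corporate-wiki", 4.3, in_cde=False, handles_account_data=False),
]
SAMPLE_INTEL = {
    "VULN-B": Intel(exploit_public=True, exploited_in_wild=True, underground_mentions=12),
    "VULN-C": Intel(exploit_public=True, underground_mentions=3),
}


def demo():
    """Returns (cvss-only order, enriched order, enriched order after new intel)."""
    day0 = datetime(2022, 11, 1, tzinfo=timezone.utc)
    cat = build_catalog(SAMPLE_VULNS, SAMPLE_INTEL, day0)
    before = prioritized(cat)
    # A week later the feed reports in-the-wild exploitation of VULN-A.
    reassess(cat, "VULN-A", Intel(exploit_public=True, exploited_in_wild=True), day0 + timedelta(days=7))
    return cvss_only(cat), before, prioritized(cat)


if __name__ == "__main__":
    for label, order in zip(("CVSS only", "enriched", "after new intel"), demo()):
        print(f"{label:16s}: {order}")
```

With the constructed data, the CVSS-only order puts VULN-A first, while the enriched ranking puts the actively exploited VULN-B on the payment API first and drops VULN-A to third; when in-the-wild exploitation of VULN-A is reported a week later, re-assessing that one entry moves it to "critical" and second place. The caveat a QSA will raise is that the uplifts must never let a CVSS-critical finding fall below "high", which is why the weights here only add to the base score.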
DVE Solution Accelerates Risk Assessment and Ranking
Risk intelligence lets security professionals analyze information early in the exploit lifecycle, so that they understand the intent, capabilities, and opportunities adversaries are pursuing in cyberspace. That insight gives payment security professionals a pre-emptive jump on threats, so they can defend against the wide range of cyberattacks targeting their organizations.
Cybersixgill's DVE Solution aligns directly with PCI DSS, giving practitioners of risk-based threat intelligence much-needed help and a sanity check for Requirement 6.3. How? DVE Solution pairs vulnerabilities with real threat metrics to reveal the risk that any existing or new vulnerability poses to the business. It also moves risk ranking into a continuous state by letting payment security professionals and assessors analyze vulnerabilities in real time, without exhaustive scans and collections, so they can see a system's security gaps at any point in time. As a result, they can accelerate the audit of systems against PCI DSS and shorten the remediation and mitigation time for security issues.
Want to supercharge your risk assessment, accelerate the risk ranking of your vulnerabilities, and gain control efficacy when completing PCI DSS Requirement 6.3? Learn more about DVE Solution.