The Payment Card Industry Data Security Standard (PCI-DSS) is a group of guidelines created by several of the large credit card corporations (e.g. Visa and Mastercard) that help organizations protect financial data. Any vendor or merchant that accepts credit card payments on a web application is subject to PCI-DSS standards and must take precautions to protect from data breaches. If an organization fails to follow these guidelines, the company could be subject to severe penalties that vary between $5000 to $10,000 per month. For instance, Target reported $200 million in fines and legal fees after the organization lost millions of credit card numbers to attackers in 2013. These fines could put a smaller company out of business, so they are important to understand and follow. One requirement is an annual scan from an approved vendor application that finds vulnerabilities across all hardware and software. This requirement might seem tedious, but a scan can uncover vulnerabilities and save the organization millions in damages.
The 12 PCI-DSS Requirements
Before understanding what a PCI scan can do, you should first know the 12 PCI-DSS requirements. A PCI scan will look for vulnerabilities based on these requirements. PCI-DSS defines 12 standards that all organizations must follow when storing or transferring customer financial data. The 12 standards can be grouped into the following six categories:
- Create and maintain a secure network. This general requirement lays out guidelines for firewalls and system configurations. A firewall protects the network from unwanted public Internet traffic, but it should also block any traffic from attackers within the network. Most organizations segment financial systems from every other part of the network. In addition to using firewalls, this requirement instructs network administrators to never use hardware vendor default configurations. For instance, most routers have a default admin account so that the equipment can be installed out of the box. Leaving the admin password as the default leaves it vulnerable to attackers as these passwords are available to the public.
- Encryption and storage protection. Private data along with credit card data should be encrypted when stored anywhere, including the database. Any credit card data transmitted across the network or the Internet should also be encrypted. The encryption algorithm used should be the latest cryptographically secured algorithm or the data could be eavesdropped and vulnerable to brute-force attacks.
- Set up maintenance and upgrade procedures. Cybersecurity infrastructure isn’t a “set it and forget it” system. Firmware and software must be upgraded and maintained regularly. Anti-malware software must be updated often to detect the latest attacks. Security systems such as intrusion detection and prevention applications must be maintained so that they can detect suspicious activity even during busy time frames.
- Configure access controls. Access controls create measures that stop unauthorized access to credit card data, but they also audit and log user requests for reading and editing data. Users should be given permissions to data, based on the principle of least privilege. This principle says that employees should only be given access to data that they need to do their job. Authentication gives users permission to the network, and authorization rules determine the data that a particular user can access.
- Monitor and test all cybersecurity systems regularly. Access controls determine the data a user can access, but monitoring systems log information about the user when data is accessed. Monitoring systems with artificial intelligence (AI) make detection of suspicious traffic easier for system administrators. These monitoring systems take a threshold measure of access activity and then alert system administrators when the threshold is exceeded.
- Write cybersecurity policies for users to follow. You can’t expect users to understand the ins and outs of cybersecurity. A written policy provides training and reference material that help users understand what to do should they feel that they are being targeted by attackers. The policies should also explain how to report any issues.
The above top-level guideline categories give you an overall understanding of PCI-DSS guidelines, but each one has more granular requirements as you build an organization’s cybersecurity infrastructure. To build the right infrastructure, you need an expert who understands attackers and the ways defense systems protect from vulnerabilities.
Using a PCI Scan to Detect Vulnerabilities
As an organization grows, manually reviewing systems for vulnerabilities could take weeks. Instead, PCI-DSS provides a list of approved scanners that automate the process. A scanner performs a basic crawl of the network and looks for common vulnerabilities that could easily be missed by human review. PCI-DSS scans should be performed at least once a year, but an organization that deploys changes to software or hardware should run a scan on these systems during the testing phase.
To understand what a scan does, consider an organization that has internal customized software programmers deploy each month. Developers upload upgrades to a test server where quality assurance people perform manual and automated reviews to find bugs. In addition to a quality assurance review, a cybersecurity scan should be performed on the software prior to deploying it to production. A scan will find vulnerabilities such as:
- Misconfigured access controls that allow unauthorized access to data.
- Reflective cross-site scripting (XSS) vulnerabilities. Persistent XSS may need to be manually identified.
- Incorrect headers set on web applications opening numerous vulnerabilities.
- Out-of-date server and web application software. For instance, older jQuery libraries included in an application could leave it vulnerable to common attacks.
- Misconfigured firewall settings allowing unauthorized traffic.
- Unnecessarily opened ports and services on servers, especially public-facing ones on the Internet.
A PCI scan should be run on any system open to external resources, including vendors and customers. Every organization has different resources and configurations, so you should find a scanner that allows the system administrator to customize the way the software scans the system. The system administrator should be able to perform a pinpointed scan on a specific system rather than always scan the entire network. These customizations will allow cybersecurity people the ability to scan upgraded systems as they are deployed on the network.
PCI Scans are Necessary for Compliance
Before any organization begins taking credit card payments, a PCI scan should be done along with a full cybersecurity review of every system, configuration, server, and application. PCI-DSS violations can put a company out of business, so every organization should ensure that their infrastructure follows every guideline.
A PCI scan can find many open vulnerabilities without the need for a manual review. By performing a scan, you stay in compliance with regulatory standards, and you can save your organization potentially millions from an unforeseen vulnerability that could lead to a data breach.