The shopping season is here again! This is an exciting time for shoppers and retailers. Black Friday sales in 2022 were up 2.3% on 2021, and spending is expected to grow again in 2023.
Cyber attackers see an opportunity in the growing volume of digital transactions. It is nothing new that payment card scams (targeting online shoppers, POS operators, merchants, and service providers) surge during the season.
The loss of payment data doesn't only affect individuals; it is bad news for organisations, too.
According to the Nilson Report, global payment card fraud losses exceeded $32 billion in 2021 and are projected to reach $49.32 billion by 2030. Cyber attackers are using increasingly sophisticated techniques to steal payment information. A few notable examples include:
- Skimming: Attaching a small electronic device to an ATM or card reader to capture the data stored on the magnetic stripe of a credit or debit card.
- Phishing: Using fraudulent links to trick individuals into handing over their payment card information.
- Malware Injection: Infecting a POS terminal or an ATM with malware that captures card details as they are entered or read.
To avoid data loss, reputational damage, and penalties, now is the right time to implement security controls that protect card data. In this regard, the Payment Card Industry Data Security Standard (PCI DSS) has been the saviour for entities that store, process and/or transmit payment card data.
PCI DSS: The Background and Applicability
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls designed to protect payment card information from fraud and unauthorised access. The Payment Card Industry Security Standards Council (PCI SSC) develops and maintains the standard.
PCI DSS applies to any business that accepts payment cards or stores, processes or transmits cardholder data, including merchants, service providers, and payment processors. Compliance is mandated by the payment card brands and is essential for protecting against card data scams, avoiding penalties and reputational damage, and building trust with customers.
PCI Compliance Controls
PCI DSS v4.0 is the latest version released by the PCI SSC. Let us look at its 12 compliance requirements.
Access control is a critical aspect of the standard, as requirements 7, 8 and 10 of PCI DSS v4.0 (among others) show. This is where a Privileged Access Management (PAM) solution comes into the picture.
The Capabilities of Privileged Access Management
Privileged Access Management (PAM), a crucial aspect of cybersecurity, is designed to protect privileged enterprise access against internal and external threats. Several key components contribute to the effectiveness of a PAM solution, including:
- Secure storage and management of privileged credentials, with robust password rotation, encryption and strict access controls to reduce the risk of credential compromise.
- Multi-factor authentication (MFA), an extra layer of security that requires users to present more than one form of verification before accessing privileged accounts.
- Just-in-Time (JIT) access, which elevates privileges temporarily for a specific task or timeframe and revokes them automatically afterwards.
- The Principle of Least Privilege (POLP), which dictates that users should hold only the minimum privileges necessary to carry out their tasks.
- Role-Based Access Control (RBAC), which assigns access based on job responsibilities in line with least privilege.
- Privileged session monitoring and recording, which gives real-time visibility into privileged user actions, ensuring accountability and supporting incident response.
- Privileged Account Analytics (PAA), which analyses privileged account activity to detect anomalies, identify potential security risks, and provide insight into privileged user behaviour.
Addressing PCI DSS Requirements with PAM for Robust Data Security
Requirement 7 of PCI DSS v4.0 (restrict access to system components and cardholder data by business need to know) mandates that organisations limit access to only those individuals who have a legitimate business need for it.
A PAM solution with a built-in Just-in-Time access module grants users access to systems and applications only for as long as it is needed. Instead of holding permanent access rights, users request access when required. Each request is subject to approval and verification, ensuring that the access is legitimate and aligned with business needs. This process blocks unauthorised access attempts and limits the damage a compromised credential can do, because there is no standing privilege to abuse once the window closes.
Requirement 8 of PCI DSS v4.0 requires organisations to identify users and authenticate all access to system components.
One of the primary and most powerful features of a Privileged Access Management solution is its ability to authenticate users with Multi-Factor Authentication (MFA), which PCI DSS v4.0 requires for all access into the cardholder data environment. This helps prevent unauthorised access to critical payment information.
Requirement 10 of PCI DSS v4.0 requires that all access to system components and cardholder data is logged and monitored.
A robust PAM governs user activity throughout every privileged session to protect organisational resources from unwanted access. It records each session as video and as a command/text log, which lets organisations detect anomalies or abnormal behaviour even from privileged users and reconstruct exactly what was done.
In addition to addressing the above requirements, a PAM system secures privileged passwords and cloud credentials and provides a complete audit trail of user activity for review and compliance reporting.
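The JIT workflow and session audit described above, as an added example that is not part of the original post and not Sectona's code: a minimal broker hands out time-bound, approver-signed grants (requirement 7), keeps an append-only audit trail (requirement 10), and then replays constructed session-log lines against those grants to flag commands run without a valid grant. The log format, host names, users and commands are all assumptions made for the illustration.

```python
"""Added example: a toy just-in-time (JIT) privilege broker plus a session-log
audit. Not Sectona's code; the log format and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2023-11-24T09:15:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Grant:
    user: str
    target: str          # in-scope system component, e.g. a POS database host
    role: str            # RBAC role the user is temporarily elevated into
    approved_by: str
    start: datetime
    end: datetime        # elevation expires automatically at this time

    def covers(self, user: str, target: str, role: str, at: datetime) -> bool:
        return (self.user == user and self.target == target
                and self.role == role and self.start <= at < self.end)


class JitBroker:
    """Issues time-bound grants and records every decision in an audit trail."""

    def __init__(self, max_window: timedelta = timedelta(hours=2)):
        self.max_window = max_window      # hard cap: no grant becomes standing access
        self.grants: List[Grant] = []
        self.audit: List[str] = []        # append-only; never mutated in place

    def _log(self, at: datetime, event: str, user: str, target: str,
             role: str, note: str) -> None:
        self.audit.append(
            f"{at.isoformat()} {event} user={user} target={target} role={role} {note}")

    def request(self, user: str, target: str, role: str, approver: str,
                at: datetime, window: timedelta) -> Optional[Grant]:
        # Separation of duties: a requester may not approve their own elevation.
        if approver == user:
            self._log(at, "DENIED", user, target, role, "reason=self-approval")
            return None
        window = min(window, self.max_window)
        grant = Grant(user, target, role, approver, at, at + window)
        self.grants.append(grant)
        self._log(at, "GRANTED", user, target, role,
                  f"approved_by={approver} until={grant.end.isoformat()}")
        return grant

    def is_authorized(self, user: str, target: str, role: str, at: datetime) -> bool:
        return any(g.covers(user, target, role, at) for g in self.grants)


def parse_session_line(line: str) -> dict:
    """Parse one constructed session-log line:
    '<ts> user=<u> target=<t> role=<r> cmd=<command, may contain spaces>'."""
    ts, *kvs = line.split(" ", 4)
    rec = {"at": parse_ts(ts)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def audit_sessions(broker: JitBroker, lines: List[str]) -> List[str]:
    """Replay recorded session commands against the broker's grants and return
    a finding for every command executed without a covering JIT grant."""
    findings = []
    for line in lines:
        rec = parse_session_line(line)
        if not broker.is_authorized(rec["user"], rec["target"], rec["role"], rec["at"]):
            findings.append(f"{rec['at'].isoformat()} {rec['user']}@{rec['target']} "
                            f"ran '{rec['cmd']}' as {rec['role']} without a valid grant")
    return findings


def demo():
    """Constructed scenario: one approved one-hour grant, one self-approval attempt,
    then three recorded commands, two of which fall outside any grant."""
    t0 = datetime(2023, 11, 24, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("alice", "pos-db-01", "db-readonly", "bob", t0, timedelta(hours=1))
    broker.request("carol", "pos-db-01", "db-admin", "carol", t0, timedelta(hours=1))
    session_log = [  # constructed sample data, not real session recordings
        "2023-11-24T09:15:00Z user=alice target=pos-db-01 role=db-readonly cmd=SELECT count(*) FROM transactions",
        "2023-11-24T10:30:00Z user=alice target=pos-db-01 role=db-readonly cmd=SELECT pan FROM cards",
        "2023-11-24T09:20:00Z user=carol target=pos-db-01 role=db-admin cmd=DROP TABLE audit_log",
    ]
    return broker, audit_sessions(broker, session_log)


if __name__ == "__main__":
    broker, findings = demo()
    print("\n".join(broker.audit))
    print("\n".join(findings))
```

The second alice line is the interesting one: her credential was legitimately issued, but the command ran thirty minutes after the grant expired, so a replay of the session log against the grant table is what exposes it. In a real deployment the session recorder and the grant store would be the PAM's own, and the replay would run continuously rather than in a batch.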
Sectona Can Help Address Access Management Requirements for PCI DSS Compliance
The Sectona Security Platform is a purpose-built solution that streamlines the management and security of privileged accounts across endpoints (both on-premises and in the cloud), from creation until deletion, while supporting major cyber security compliance standards such as PCI DSS and ISO/IEC 27002.