How Cyber Threat Intelligence Interlocks with PCI DSS v4.0
October 5th, 2020
Subscribe to our blog and stay up to date
PCI DSS v4.0, the latest update to Payment Card Industry’s Data Security Standard, is expected to be officially released at the end of the year, but the draft version is currently being circulated within the PCI member community and will certainly be a hot topic at this year’s North American Community Meeting of the Security Standards Council. IntSights is thrilled to announce the launch of its PCI threat intelligence offering in advance of the new PCI DSS standards.
PCI DSS 4.0 is currently in the second round of review. The current feedback period, which runs from Sept. 23 to Nov. 13, gives industry members a chance to weigh in on the new standard. To date, the general outline presents a new, more proactive and risk based standard taking shape.
The high-level goals are to ensure the standard continues to meet the security needs of the payments industry, to add flexibility and support of additional methodologies to achieve security, to promote security as a continuous process and to enhance validation methods and procedures.
This year’s PCI Security Standards Council Community Meetings (North America, Europe and Asia-Pacific) will be conducted online in October and November, bringing the PCI SSC community together for networking, sharing insights and hearing about important Council updates. I will be speaking at the European community meeting on the topic of “How Modern Cyber Threat Intelligence (CTI) Can Be Used to Accelerate PCI DSS Compliance.”
For those unfamiliar with cyber threat intelligence, it provides an effective way to analyze information about the intent, capabilities and opportunities of adversaries in cyberspace in order to defend against a wide range of threats that are challenging organizations.
CTI systems collect data from social media, app stores, leaked databases, chat channels, dark web forums and black markets; then conduct threat actor research using both machine learning algorithms and human analysis. The result is actionable intelligence on attack indicators, data leakage, phishing, brand impersonation and fraud.
In the context of PCI compliance, CTI enables organizations to quickly discover and qualify security control gaps. CTI can also help organizations prioritize vulnerabilities based on quantitative risk metrics. In addition, CTI helps companies to stay on top of PCI DSS security policy hygiene through continuous analysis and alerting.
According to the Verizon Payment security report 2019, one of the leading causes of data breaches in PCI-covered organizations studied within the report, is a failure to meet Requirement 6, which is vulnerability risk ranking. CTI can enrich PCI vulnerability prioritization by integrating with traditional vulnerability management techniques; providing continual assessment of external risks so that security professionals can re-prioritize patch management efforts; and incorporate broader threat intelligence from across the web to uncover vulnerabilities that traditional vulnerability assessment tools don’t catch or fail to weigh appropriately based on associated exploits and threats.
In addition, CTI can provide a sanity check when it comes to protecting credit card data by enhancing the pre-assessment routine and giving organizations a second set of eyes when it comes to vulnerabilities that may create violations and weaknesses to data security policies.
CTI can also be used to analyze a company’s digital footprint in order to discover potential attacks that are related to systems involved in payment transactions before any exploit is carried out, and empower security teams to fortify their defenses. In addition, CTI can provide a pre-emptive view of threats that may target an organization in the future.
For example, CTI solutions have the ability to track the types of malware that threat actors are looking for on the dark web. In one case, security researchers spotted an increase in threat actors seeking Point of Service (PoS) malware. This type of advanced warning can be invaluable for companies who want to stay one step ahead of the bad guys.
Summing up, CTI can be deployed in order to align threat intelligence with an organization’s cybersecurity framework, it can measure compliance with regulatory requirements, and it can align with global privacy laws and regulations, such as PCI DSS 4.0.
For more on how PCI requirements impact global business, download our report on the reopening brick-and-mortar retail sector.
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining Intsights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMWare), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.