A criticism often aimed at the Payment Card Industry’s (PCI) Data Security Standard (DSS) is that it sets the bar too high. Just as often, security practitioners find fault with how low it sets the bar in some areas (minimum password lengths, anyone?). The truth is probably somewhere between these two extremes: parts of PCI DSS could be considered best practice, while other areas could use some updates. We’ll be talking about many of those updates when version 4 is released in 2022.
But just because PCI DSS sets the bar lower in some areas and higher in others doesn’t mean there aren’t good opportunities to do better. PCI DSS never sets an upper limit on what you can do; it often uses the words “at least” and “at a minimum”. In the language of ISO 27001, treat these as “opportunities for improvement” and “continuous improvement”. While PCI DSS does not specifically require you to do better than the minimum, there are good reasons to see where you can rise above the bare minimum – and easy ways that you can do this.
Suggestions for “Doing Better”
Increase Password Length
We know that NIST recommends longer passwords that are changed less frequently, and while PCI DSS hasn’t quite caught up on the frequency of password changes, there is no reason you can’t raise your minimum password length to 8 or 12 characters instead of the PCI DSS minimum of 7 characters.
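To make the difference concrete, here is an added example (not code from this post) that evaluates a password against the PCI DSS v3.2.1 minimum (7 characters, both letters and digits, which is requirement 8.2.3 of that version and not quoted above) and against a stricter "doing better" policy in the NIST SP 800-63B style: 12 characters plus a breached-password blocklist. The blocklist contents are constructed sample values.

```python
"""Compare the PCI DSS v3.2.1 minimum password policy with a stricter,
NIST SP 800-63B-style policy.  Added example, not code from the post."""
from dataclasses import dataclass
import re

# Constructed sample blocklist.  A real deployment would load a large
# breach corpus (tens of millions of entries) rather than a handful.
BREACHED = {"password1", "welcome1", "summer2021", "letmein1"}


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_alnum: bool    # both letters and digits (PCI DSS v3.2.1 req 8.2.3)
    check_breached: bool   # reject known-breached passwords (NIST SP 800-63B)


PCI_MINIMUM = Policy("PCI DSS v3.2.1 minimum", 7, True, False)
DO_BETTER = Policy("Doing better: 12 chars + blocklist", 12, False, True)


def evaluate(password: str, policy: Policy) -> list[str]:
    """Return the reasons the password fails the policy (empty list = passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    if policy.require_alnum and not (has_letter and has_digit):
        failures.append("needs both letters and digits")
    if policy.check_breached and password.lower() in BREACHED:
        failures.append("appears in breached-password list")
    return failures


def compare(password: str) -> dict[str, list[str]]:
    """Evaluate one password under both policies, keyed by policy name."""
    return {p.name: evaluate(password, p) for p in (PCI_MINIMUM, DO_BETTER)}


if __name__ == "__main__":
    for pw in ("Summer2021", "correct horse battery"):
        for name, reasons in compare(pw).items():
            print(f"{pw!r:25} {name:36} {'PASS' if not reasons else reasons}")
```

Note the asymmetry: the short, breached "Summer2021" clears the PCI minimum but fails the stricter policy, while a long passphrase with no digit fails the PCI composition rule yet passes the stricter one.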
Vulnerability Scans
If you don’t already have to do vulnerability scans as part of your PCI DSS requirements, consider adding them to your security toolbox. Scans help you identify vulnerabilities in software and configurations before someone takes advantage of them. If you must do external vulnerability scanning, consider adding internal vulnerability scanning too, so that you identify all vulnerabilities early. When doing internal vulnerability scans, also take the opportunity to:
- Remove any old applications and software that are no longer required or supported, and
- Make sure internet browsers are updated when new releases become available – which is very frequently with Chrome and Firefox. Force them to automatically update.
More Frequent Scans
If you already do quarterly vulnerability scans as part of your PCI DSS requirements, consider running them more frequently. A weekly or monthly cadence, instead of the minimum quarterly frequency, not only helps you identify vulnerabilities early but also leaves time to fix or mitigate them, so that you have at least one passing scan every quarter. More frequent scans reduce the risk of a quarter in which you can’t achieve a passing scan.
Multi-Factor Authentication
PCI DSS requires multi-factor authentication (MFA) for all administrative access. So why not start expanding the use of MFA into other areas? Require MFA for web interfaces that support it or consider whether it might also be possible to use MFA for your people to log in to their machines. And if possible, consider how you could also allow your customers to enable MFA on their accounts. While not all customers may want to use it, allowing people to enable it helps them keep themselves safer online and shows your commitment to security.
Review Your Risk… Regularly
And so that you don’t start thinking that every control that can be improved must be a technical control, consider how often you review your risks compared with how often the risk environment changes. We saw a lot of change in 2020 and 2021. The risks identified at the start of 2020 are unlikely to be the same 3 or 6 months later, let alone a whole year later. As many businesses moved from brick-and-mortar to online stores, the risk profile changed. As more people have moved online, the number of attacks has increased – Check Point reported that in the APAC region there was a 13% increase in cyber-attacks – or approximately 1,338 attacks per week. Reviewing your risk more frequently helps you stay aware of changes and understand which controls might need to be prioritised.
Need Help?
At Confide we help you ensure that you continue to grow in your security maturity. We identify ways that you can improve what you’re doing as part of our assessments, and we work with you to understand how you can fit best practices into your own practices without compromising on security or compliance.