There was widespread acknowledgment among PCI SSC conference attendees that PCI DSS v4.0 reinforced recognition within the payments industry that the DSS has evolved from being a simple checkbox compliance exercise to an established and reliable baseline measure of an organization’s security posture. As the importance of risk-based prioritization in providing enriched proof of security findings is more widely understood, PCI assessments are now conducted on a more consistent, continuous basis.
Prioritizing Identification of Threats and Vulnerabilities: Unique Challenges
The PCI DSS aims to ensure that companies achieve data protection through a risk-based approach that measures the effectiveness of security controls. As the threat landscape becomes increasingly complex and sophisticated, targeting an ever-expanding attack surface, PCI standards must constantly evolve to ensure that security gaps are detected and properly identified. But adhering to changes in the standards is often not easy and creates added burdens for already-strained security teams. As noted in the 2022 Verizon Payment Security Report, PCI DSS requirements 6 and 11 – which make organizations responsible for identifying and ranking vulnerabilities in their systems – have the lowest success rates, given the complexities involved.
Despite ongoing challenges with threat prioritization, companies must find ways to address these requirements – not only to meet PCI standards but also to protect customer data and preserve brand loyalty. For example, changes in PCI DSS v4.0 – specifically the new requirement 6.3 – enhance risk measurement and allow businesses to prioritize gaps much faster and more accurately. Additionally, the updated PCI DSS includes specific measures to enhance vulnerability prioritization with outside sources, such as threat intelligence, to provide enrichment and metrics to risk-ranking security gaps within systems.
Achieving Continuous Risk-Based Prioritization
When mixed with intelligence enrichment, the new PCI DSS 6.3 requirements can enable risk-based prioritization by:
1. Identifying gaps and vulnerabilities that attackers exploit:
Combining concrete data about the risk that each gap poses to a system with proactive threat intelligence helps identify which vulnerabilities pose critical risks to the environment and how they should be ranked.
2. Continuously measuring the real risk of vulnerabilities across the enterprise:
The customized approach objectives in requirement 6.3 specify that “new system and software vulnerabilities that may impact the security of account data or the CDE are monitored, cataloged, and risk assessed” and that “this requirement is not achieved by, nor is it the same as, vulnerability scans” – emphasizing continuous assessment and reassessment of vulnerabilities to ensure systems do not fall prey to new and regenerated vulnerabilities. When this process is enhanced with current threat intelligence, organizations can identify and protect themselves from new, critical vulnerabilities and from the dreaded negative-zero-day vulnerabilities – attacks based on an existing, already-cataloged vulnerability that can be regenerated, often when outdated systems lack the patches that would protect against the reused attack.
3. Ensuring proper prioritization of vulnerabilities with measurable enforcement:
Moving away from point-in-time scans towards continuous, active monitoring backed by industry sources of intelligence and threat metrics means organizations can more quickly and accurately identify at any time the real risk of evolving vulnerabilities.
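The three steps above amount to one procedure: take cataloged findings, enrich them with threat intelligence and asset context, and rank them. The following is an added example (not code from the article or any vendor product) that does exactly that over constructed sample data; the CVE identifiers, the intel feed, the weights and the CDE host names are all hypothetical placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifiers, not real CVEs
    cvss: float       # base score as recorded in the vulnerability catalog
    host: str
    in_cde: bool      # host stores, processes or transmits account data
    reappeared: bool  # cataloged and closed before, now detected again
# Constructed threat-intelligence enrichment keyed by CVE (hypothetical feed).
INTEL = {
    "CVE-0000-0001": {"exploited_in_wild": True, "exploit_public": True},
    "CVE-0000-0002": {"exploited_in_wild": False, "exploit_public": True},
    "CVE-0000-0003": {"exploited_in_wild": False, "exploit_public": False},
}
# Constructed catalog entries for illustration.
FINDINGS = [
    Finding("CVE-0000-0003", 9.8, "web-01", in_cde=False, reappeared=False),
    Finding("CVE-0000-0002", 7.5, "pos-gw-02", in_cde=True, reappeared=False),
    Finding("CVE-0000-0001", 6.5, "db-cde-01", in_cde=True, reappeared=False),
    Finding("CVE-0000-0003", 5.0, "pos-gw-03", in_cde=True, reappeared=True),
]

def risk_score(f, intel):
    """Return (score, reasons): CVSS adjusted by intel and asset context."""
    ti = intel.get(f.cve, {})
    score, reasons = f.cvss, [f"CVSS {f.cvss}"]
    if ti.get("exploited_in_wild"):
        score, reasons = score + 3.0, reasons + ["exploited in the wild"]
    elif ti.get("exploit_public"):
        score, reasons = score + 1.5, reasons + ["public exploit available"]
    if f.reappeared:  # the "regenerated" case: a patch regression, not a new CVE
        score, reasons = score + 1.0, reasons + ["regressed after remediation"]
    if f.in_cde:
        score, reasons = score * 1.5, reasons + ["asset inside the CDE"]
    return round(score, 2), reasons

def tier(score):
    return ("critical" if score >= 12 else "high" if score >= 8
            else "medium" if score >= 4 else "low")

def rank(findings, intel):
    """Highest risk first; ties broken by CVE then host for stable output."""
    scored = [(risk_score(f, intel), f) for f in findings]
    return sorted(scored, key=lambda t: (-t[0][0], t[1].cve, t[1].host))

if __name__ == "__main__":
    for (score, reasons), f in rank(FINDINGS, INTEL):
        print(f"{tier(score):8} {score:>5} {f.cve} {f.host}: {', '.join(reasons)}")
```

Run as-is, the CVSS 6.5 finding that is exploited in the wild on a CDE host outranks the CVSS 9.8 finding with no known exploit outside the CDE, which is the ordering a scanner score alone would invert.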
Accelerating Risk Assessment and Ranking with Continuous, Real-time Intelligence
Risk intelligence empowers security professionals to analyze information early in the exploit lifecycle and understand the intent, capabilities, and opportunities adversaries are pursuing. This type of insight gives payment security professionals a head start in defending against a wide range of cyberattacks targeting their organizations.
By aligning vulnerabilities with accurate threat metrics to discover the risk that any new or existing vulnerability poses to the business, security teams gain much-needed help and a sanity check for requirement 6.3. There are technology solutions that move risk ranking into a continuous state by allowing payment security professionals and security assessors to analyze vulnerabilities in real time, without the need for exhaustive scans and collections. This allows them to understand system security gaps at any point in time – and, as a result, to accelerate the auditing of systems against PCI DSS and shorten remediation and mitigation cycles for security issues.
Keeping up with the ever-changing regulatory landscape helps organizations strengthen cyber defensiveness and protect customer data while meeting compliance requirements. While the benefits are clear, the methods for achieving regulatory compliance can be burdensome and overwhelming. With continuous risk intelligence and real-time threat metrics, security teams gain the upper hand in the ongoing battle against cybercriminals and maintain customer confidence and loyalty.