PCI DSS v4.0: Be Proactive, Not Reactive
Introduction
Rather than embracing the positive changes that PCI DSS v4.0 introduced, we saw organisations dragging their heels over transitioning to the updated PCI DSS Requirements.
Given that the Card Brands and the PCI Security Standards Council updated these PCI DSS Requirements to help mitigate the emerging threat landscape, why wouldn't businesses involved in payment card operations embrace these changes?
The main reason that I can think of is:
APATHY?
This wasn't helped by Mastercard extending the deadline for transitioning to the new version. If these changes were meant to reflect the changing threat landscape, why would you extend the date, especially given that the in-scope entities had already been given two years to transition?
With this in mind, it makes you wonder how many of these businesses will proactively apply PCI DSS Requirement 6.3, or whether they will continue to reluctantly adopt the changes only as each new version is released.
Lessons Learned From Military Operations
As you can imagine, the tactics used by the insurgents against military patrols in Afghanistan adapted very quickly to whatever mitigation measures were implemented. Consequently, military chiefs needed to constantly monitor and respond to any new threats and vulnerabilities.
At Kandahar, in 2007, the Force Protection off-base patrols used highly mobile, lightweight Wolf and WMIK Land Rovers.
Although these highly mobile vehicles allowed for a wider variety of routes, reducing the likelihood/probability of an insurgent successfully planting an Improvised Explosive Device (IED) on the route taken, if a vehicle was struck the significance/impact would be high (serious injury or loss of life).
Consequently, by 2008, the UK Government had responded to these threats by investing around £500 million in the procurement of around 600 heavily armoured patrol vehicles, such as the Mastiff and the Jackal.
Although these newly fortified, armoured patrol vehicles had been designed to be more resistant to IEDs, their extra weight and size made them less mobile and, consequently, the routes that they were able to navigate were significantly reduced.
As a result, the insurgents adapted their tactics by making their IEDs bigger. In fact, the explosive charge could be so great that, if struck, a vehicle could be thrown a full 180 degrees or completely disabled. However, the new V-shaped underbody of the vehicles would successfully deflect much of the blast, protecting the occupants from its full force.
With the vehicles being less mobile, the variety of routes that could be taken became limited, so it was easier for the insurgents to target the most likely routes that would be used, increasing the probability/likelihood of a successful strike.
Although the risk of loss of life was reduced, the impact/significance remained high, and the likelihood/probability of these vehicles hitting a larger IED was greatly increased (especially as the occupants became increasingly reliant on the vehicle's armour for their protection).
Consequently, with a high likelihood and major significance (serious injury, loss of patrol vehicles), the overall risk remained high and was in danger of exceeding the risk appetite levels.
The UK Government needed to adapt their risk responses, once more, and by 2012 had introduced the Foxhound to the fleet of deployed patrol vehicles.
The addition of the Foxhound armoured patrol vehicle was intended to strike a balance between protection and mobility, so that the risks to the off-base patrols could be reduced to within acceptable risk appetite levels.
Recommendations
You may not have given PCI DSS Requirement 6.3 a great deal of thought but, much the same as the military operations in Afghanistan, the threats to payment card operations are extremely dynamic and can evolve at pace.
Just think how quickly the Magecart threat actors adapted their tactics to successfully exploit and profit from all those eCommerce merchants who had been using the services of a PCI DSS-compliant third-party payment service provider via an embedded iFrame or redirect.
The first reported Magecart-style attack was purported to have taken place in 2010, with the escalation to large-scale breaches first being reported in 2015.
However, it took 7 years for the SAQ A to be updated to include suitable mitigations for these Magecart-style attacks, and for those eCommerce websites that use embedded iFrames, the additional PCI DSS requirements that mitigate these threats are not mandatory until 31 March 2025.
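As an added example (not code from the original post or from 27k1 Ltd), here is a defender-side check for the kind of Magecart-style payment-page tampering described above: it inventories the scripts and iframes on a checkout page and compares them with an approved baseline, in the spirit of the payment-page script inventory and tamper-detection controls that PCI DSS v4.0 introduced (Requirements 6.4.3 and 11.6.1). All hostnames and page content are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory and pages for a hypothetical merchant checkout (not a real site).
APPROVED_SCRIPT_HOSTS = {"checkout.example-merchant.test"}
APPROVED_IFRAME_HOSTS = {"psp.example-psp.test"}
BASELINE_PAGE = """<html><body>
<script src="https://checkout.example-merchant.test/app.js"></script>
<iframe src="https://psp.example-psp.test/card-form"></iframe>
<script>window.cfg = {psp: "example"};</script>
</body></html>"""
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>", '<script src="https://cdn.unknown-host.test/s.js"></script></body>')

class _PaymentPageScanner(HTMLParser):
    # Records ("external", src) or ("inline", sha256) per script, plus iframe srcs.
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(("external", a["src"]))
        elif tag == "script":
            self._buf = []  # start buffering an inline script body
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._buf = None

def scan_payment_page(html, baseline_html):
    # Compare a live page against the approved baseline's script and iframe inventory.
    base, live = _PaymentPageScanner(), _PaymentPageScanner()
    base.feed(baseline_html); live.feed(html)
    approved_inline = {ref for kind, ref in base.scripts if kind == "inline"}
    findings = [f"unapproved iframe host: {urlparse(s).hostname}" for s in live.iframes
                if urlparse(s).hostname not in APPROVED_IFRAME_HOSTS]
    for kind, ref in live.scripts:
        if kind == "external" and urlparse(ref).hostname not in APPROVED_SCRIPT_HOSTS:
            findings.append(f"unapproved script host: {urlparse(ref).hostname}")
        elif kind == "inline" and ref not in approved_inline:
            findings.append(f"unknown inline script: {ref[:12]}")
    return findings
```

Run against the served checkout page on a schedule and alert on any non-empty result; a new script host, a swapped iframe origin or a changed inline script is exactly the footprint the page needs to catch early rather than after a breach report.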
Be proactive and do not wait for the Card Brands and the PCI Council to mandate your risk responses.
Think:
Conclusion
PCI DSS Requirement 6.3 is just one example of the complexities of PCI DSS v4.0, and of the importance of going 'above and beyond' compliance to help reduce the risks to your organization's payment operations/channels.
It becomes even more complicated when you start to identify the integrated nature of, and the dependencies within, the PCI DSS v4.0 framework, and this is where a proficient assessment can help an assessed entity to truly understand what is needed and the importance of each PCI DSS Requirement.
However, a proficient assessment needs to balance the QSA's services against the cost of carrying out an assessment, and the growing length and complexity of the new PCI DSS v4.0 Report On Compliance (ROC) template make this balancing act ever more difficult to maintain.
Here at 27k1 Ltd, we appreciate the enhancements that have been made to the PCI DSS standard and value what a highly skilled, knowledgeable Qualified Security Assessor (QSA) can provide to their assessees.
Consequently, we are passionate about providing the QSAs with a solution that gives them more time to focus on assessing and validating the in-scope PCI DSS requirements, so that they can provide more value and mentorship to their valued clients.
Through the use of the ROC Management System (RMS), QSAs will be able to reduce the time spent completing laborious administrative tasks, so that they can focus on what they do best: