The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard set by five major payment brands to protect cardholder data from exposure. Compliance with the PCI DSS is required by any entity that stores, processes or transmits cardholder data. Most organizations perform some form of PCI assessment in order to comply with PCI DSS.
The biggest misconception for many organizations is that if you pass the assessment, you’re secure. In reality, PCI-compliant companies continue to suffer the loss of countless customer and cardholder data, along with impact to the brand due to breaches. Target is of course one of the biggest examples. Breached in 2013, they were certified to be PCI compliant just weeks before.
Security and industry leaders have been trying to understand why this is happening. Some have opined that PCI DSS is ineffective; others believe the way organizations are approaching PCI DSS compliance is flawed. The answer is probably a little of both.
While compliance should be nothing more than a by-product of a good security practice, it doesn't always equate to organizations actually being secure. Today, organizations have point-in-time snapshots providing evidence of compliance; thus, their ability to know if they are truly secure, are limited to that point in time. In addition, while the goal of PCI DSS is ultimately to secure against a payment data breach, we’re missing the hacker’s perspective if we're focused only on checking off a list of requirements.
What is needed is a new approach - continuous compliance using hacker breach techniques.
Breach simulations enable this.
Using breach simulations, organizations can continuously validate that the security controls protecting Cardholder Data Environments (CDE) are working as expected from the perspective of the adversary. Organizations can then be proactive about identifying security gaps instead of waiting for an annual assessment. The compliance state than becomes the result of an organization’s security processes.
There are a number of unique advantages of using breach simulations to assist with PCI compliance:
- Continuous validation of security posture: Breach simulations run continuously, so security teams know at all times—not just annually or biannually—whether security measures are working properly. This enables security teams to address security gaps as well as quicker audit preparation, with respect to the Cardholder Data Environment (CDE). Breach simulators “attack” one another; thus there is no impact to actual users or the environment.
- Reduces or validates the true scope of compliance: Changes in system or network configuration, for example, a new firewall rule that permits connectivity between a system in the CDE and another system could bring additional parts of the environment into scope for PCI DSS. Unauthorized, undocumented or forgotten changes are constantly happening which can open a gap and unbeknowingly bring a CDE into scope. Breach simulations can be used to validate that connectivity is not possible, thus reducing or validating the true scope of compliance.
- Understand true PCI impact: Breach simulations use a black-box approach, (i.e. no prior knowledge of the environment is required) and incorporate a comprehensive “hacker’s playbook” of threat types and sophistication level including brute force, exploits, malware, and remote access tools. Breach simulations provide a more accurate real-world scenario of what a hacker can do in an organization's environment, accurately predicting if the PCI environment can be breached and providing perspective of what can occur if the PCI environment is breached. Through this ,an organization is better able to truly measure their level of risk.
- Proactively update PCI scope: When changes occur – new systems, new users or organizational changes (M&A)-- it can create security and compliance gaps. Compound this with the accelerated rate of change and you add an infinite multiplier to the creation of gaps. Breach simulations can pinpoint new PCI requirements for the environment due to change. For example, imagine that simulators are placed in three zones in the data center – segment A, segment B, and segment C. Today, credit card data may just reside in Segment A. If changes are made such that Segment B will soon gain access to credit card data, breach simulation data provide an immediate understanding of the impact of this change and the security scope so that security teams can proactively update their PCI scope and implement appropriate security controls.Identifying these gaps, and having the ability to proactively remediate them ahead of an audit saves a lot of headaches forsecurity teams. Essentially, you have continuous validation of segmentation.
- Validating compensating controls: Compensating controls may be considered for most PCI DSS requirements when an organization cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints. When this occurs, the organization can mitigate the risks associated with the requirement via compensating security controls. Breach simulations can demonstrate to PCI auditors that these compensating controls are working and are effective alternatives… or they can help organizations identify where they are needed and where they can be placed.
For more information on how SafeBreach can help with PCI compliance, download our whitepaper here.