PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry (PCI) standards are a family of security standards for payment cards that affect both banks and other organizations that accept and process payments made with plastic cards. The associated services include external perimeter vulnerability scanning by an Approved Scanning Vendor (PCI DSS ASV), compliance audits by a Qualified Security Assessor (PCI DSS QSA), internal and external penetration testing, and source-code analysis of payment applications under the PA-DSS standard.
The PCI DSS standard is designed to ensure the security of processing, storage and transmission of payment cardholder data in the information systems of companies working with the international payment systems Visa, MasterCard and others. The standard was developed by the PCI Security Standards Council, whose founding members are the world leaders of the payment card market: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The requirements of PCI DSS apply to all companies that process, store or transmit payment cardholder data (banks, processing centers, service providers, e-commerce systems, etc.). In Russia, PCI DSS compliance has been mandatory for the relevant organizations since 2007.
According to Analysys Mason research, approximately 42% of cloud service providers comply with PCI DSS. The requirements apply worldwide to every organization that processes credit cards or stores or transmits cardholder information. The standard was introduced to give the payment card industry more control over sensitive data and to prevent its leakage; it is also meant to protect consumers from fraud and identity theft when they use credit cards.
Under both the Visa and the MasterCard classification, systems that process, store or transmit data for more than 6 million transactions per year belong to Level 1 and must undergo an annual on-site audit.
2022: PCI DSS 4.0 Standard Publication
On April 5, 2022, it became known that the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI Data Security Standard (PCI DSS).
Version 4.0 establishes the baseline of technical and operational requirements designed to increase the security of payments, and replaces version 3.2.1. In addition, the new version is meant to allow organizations to use innovative methods to combat evolving threats.
As PCI SSC specialists explained, the changes are based on feedback from the global payments industry collected over the past three years.
Changes to PCI DSS 4.0 include:
- expansion of Requirement 8 to require multi-factor authentication for all access into the cardholder data environment;
- updated firewall terminology to "network security controls", supporting a wider range of technologies used to perform the security tasks previously performed by firewalls;
- increased flexibility for organizations to demonstrate how they use different methods to achieve security objectives;
- targeted risk analysis, which allows organizations to decide for themselves how often certain activities are performed, in line with the organization's risks and needs.
The current version 3.2.1 will remain active for two years, until March 31, 2024, so organizations have enough time to study and implement version 4.0.[1]
2016
PCI DSS version 3.2 updated
On April 28, 2016, the PCI SSC published a press release on its official website announcing PCI DSS 3.2. The release is unscheduled (the Council usually publishes new versions in the autumn), but the changes in it are considered minor[2].
In addition to corrections of typos, formatting and punctuation, the new version contains a number of clarifications and several new requirements. The new requirements are considered best practice until January 31, 2018 and become mandatory from February 1, 2018. They include the following, applicable to all organizations:
- After any change to the information infrastructure, it must additionally be verified that all applicable PCI DSS requirements are still met for the affected components. In other words, after a change you need to confirm that compliance has not been broken (for example, update the network and data-flow diagrams, rerun vulnerability scans, and so on);
- multi-factor authentication must be implemented for all non-console administrative access into the cardholder data environment, not only for remote access as in version 3.1.
Applicable only to service providers:
- if encryption is used, the cryptographic architecture must be documented: algorithms, protocols and key-management procedures must be described and kept up to date;
- failures of critical security control systems must be detected and responded to; in the event of such a failure, the response procedures must be followed and the failure recorded;
- penetration testing of network segmentation controls must be carried out at least once every six months, as well as after any significant change to the information infrastructure;
- the organization must have a high-level document that describes the PCI DSS compliance program and appoints a person responsible for overseeing it and keeping the organization's management informed about its status;
- at least once a quarter it must be verified that employees actually perform the procedures for daily review of event logs, review of firewall rules, application of configuration standards to new systems, response to security alerts, and change management.
In addition to the new requirements, the text of the standard has been clarified:
- if a PA-DSS certified application is used within the scope of PCI DSS but is no longer supported by the vendor (for example, it has reached End-of-Life), it can no longer be relied on to provide the necessary level of security, so the standard recommends taking the support status into account when selecting PA-DSS certified applications;
- when defining the scope of PCI DSS, systems that ensure the availability of in-scope components (backup and recovery systems, fault-tolerant systems) must be taken into account;
- all vendor default settings must be changed and default accounts disabled before a component is put into production; the clarification states that this also applies to payment applications;
- a note was added to the testing procedure that checks for full PAN (card number) in the logs of in-scope components: the logs of payment applications must be analyzed as well;
- a note was added to requirement 3.4.1 on disk encryption: this requirement applies in addition to all other encryption and key-management requirements within the scope of the standard;
- developers must be trained in secure coding at least annually;
- a note was added to the physical access control requirement acknowledging that an organization may have several such systems, and it is clarified that individual physical access to sensitive areas may be monitored with video cameras, with an electronic access control system, or with both;
- where PCI DSS 3.1 required control of vendor remote access to the information infrastructure only, release 3.2 specifies that remote access by any third party must be controlled.
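The check behind the PAN-in-logs note above is easy to automate. The following Python script is an added example, not part of the original page or of any PCI SSC material: it scans constructed sample log lines for digit runs of card-number length, confirms each candidate with the Luhn check so that order numbers and trace IDs are not flagged, and shows how to redact a hit down to the first six and last four digits. The log lines are constructed, and the card numbers in them are the commonly published Visa, MasterCard and American Express test numbers, not real cards.

```python
import re

# Constructed sample log lines (not real data). Line 2 is already masked,
# line 3 carries a 16-digit trace id that fails the Luhn check.
SAMPLE_LOG = """\
2016-05-01 10:01:12 app[1234]: order=A1 status=authorized pan=4111111111111111 amount=19.99
2016-05-01 10:01:13 app[1234]: order=A2 status=declined pan=411111******1111 amount=5.00
2016-05-01 10:01:14 app[1234]: order=A3 trace id=4111111111111112 note=not-a-card
2016-05-01 10:01:15 app[1234]: order=A4 status=authorized card=5555 5555 5555 4444 amount=42.00
2016-05-01 10:01:16 app[1234]: order=A5 status=authorized card=3782-822463-10005 amount=7.50
"""

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or hyphen,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*',
    preserving any separators so the log line keeps its shape."""
    n = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if (seen < 6 or seen >= n - 4) else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_pans(text: str):
    """Return (line_number, matched_text, masked_text) for every Luhn-valid
    candidate PAN found in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, m.group(), mask_pan(m.group())))
    return findings


def redact(text: str) -> str:
    """Rewrite the log text with every Luhn-valid PAN masked; other digit runs are untouched."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(m.group()) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, raw, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: full PAN found, would be stored as {masked}")
    print(redact(SAMPLE_LOG))
```

The Luhn step matters in practice: without it, timestamps, order numbers and trace identifiers of the right length produce a flood of false positives and the review is abandoned. Masking to first six and last four is the most the standard permits for display; if the business has no need for the digits at all, remove them entirely rather than mask.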
Appendix A2 contains specific requirements for organizations still using SSL or early versions of TLS. It requires evidence that point-of-sale (POS POI) terminals are not susceptible to the known attacks on these insecure protocol versions, and a Risk Mitigation and Migration Plan for moving to secure protocol versions.
Preparing PCI DSS Version 3.2
On February 27, 2016 it became known that PCI Data Security Standard version 3.2 was about to be adopted. The PCI Security Standards Council was expected to approve it in the first half of 2016, presumably in March or April[3].
The changes will affect all participants in the financial market connected to the bank card data transmission networks. Under the new rules, access to cardholder data will be granted only if multi-factor authentication requirements are met.
Troy Leach, the PCI Council's chief technology officer, noted that in his estimate the 3.2 standard will help solve many of the accumulated problems related to the protection of cardholder data. According to Leach, the implementation of PCI DSS 3.2 does not assume a single-step transition to multi-factor authentication.
The PCI Council has provided for an 18-month transition period. During this time market participants must prepare for work under the new conditions, and will need to plan their investments over that period carefully.
The standard will extend the rights of administrators of protected networks. They will be able to make the necessary changes to the settings of network systems and related elements of the network infrastructure when required to avoid compromise of the transmission environment. Responsibility for network management may be assigned either to the organization's own network administrators, controlled by its management, or to third-party companies.
The new PCI DSS standard will be released ahead of the traditional schedule. Until now, the PCI Council has strictly followed a rule: a new version of the standard is issued once every three years, with the official announcement in the fourth quarter of the final year. This announcement comes more than six months earlier. "The extraordinary release of a new version of the PCI DSS standard is a signal to the industry. It outlines major changes related to the transition to new encryption standards, which was announced at the end of last year. It will take a long time to implement them, but the work needs to start immediately," said Troy Leach.
This concerns abandoning the SSL protocol and early versions of TLS. For some time, doubts about their reliability grew rapidly. The weaknesses had appeared years earlier, but the real blow to their reputation was the public disclosure of this information, all of which happened over the past two years.
The first of the vulnerabilities to become widely known was Heartbleed. It is caused by a missing bounds check (a buffer over-read, not an overflow) in the TLS heartbeat extension of the OpenSSL cryptographic library: the library copies as many bytes into the heartbeat response as the peer's message claims to carry, without comparing that value against the length actually received. Using this flaw, an attacker can read the contents of process memory on the server or client without authorization. Under favourable circumstances the leaked memory includes the server's private key, giving full access to the protected information.
The attack can be launched against any network element that runs a vulnerable OpenSSL build, including network printers and other embedded devices. Each of these elements may remain exposed for a long time, because preparing and installing firmware and driver patches takes time.
Another serious vulnerability that became known in recent years is POODLE. It allows attackers to decrypt user data protected by SSL 3.0. Most unpleasantly, the flaw is in the protocol specification itself (the way SSL 3.0 handles CBC padding) rather than in a particular implementation, so it affects every implementation of SSL 3.0, from the free OpenSSL library to all commercial libraries shipped with operating systems.
These events led security experts, the US National Institute of Standards and Technology in particular, to agree that the SSL protocol is obsolete and must be abandoned urgently. A date for completely retiring SSL was agreed: June 30, 2016.
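To make the mechanism concrete, here is a simplified model in Python, written as an added example rather than OpenSSL's own code. A TLS heartbeat message carries a two-byte payload_length that the receiver echoes back; the vulnerable handler copies that many bytes from where the payload starts without checking that the record it actually received is that long, while the fixed handler discards any message whose declared length does not fit the record, as the OpenSSL 1.0.1g patch does. The "process memory" is a constructed bytearray with a placeholder secret planted after the incoming record; in Python a slice past the end of the buffer is silently truncated, where the C code read adjacent heap memory.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Encode a HeartbeatMessage: type (1 byte), payload_length (2 bytes, big-endian),
    payload, padding. declared_len is what the sender *claims*, which may differ
    from len(payload); that mismatch is the whole attack."""
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING


def make_process_memory(record: bytes, secret: bytes, size: int = 4096) -> bytearray:
    """Constructed model of a process heap: the received record sits at offset 0,
    and an unrelated secret (e.g. key material) happens to live further along."""
    mem = bytearray(size)
    mem[0:len(record)] = record
    mem[1024:1024 + len(secret)] = secret
    return mem


def vulnerable_handler(memory: bytearray) -> bytes:
    """Pre-fix behaviour: trust the peer-supplied length and copy that many bytes
    starting at the payload into the response."""
    _hbtype, length = struct.unpack_from("!BH", memory, 0)
    payload = bytes(memory[3:3 + length])   # over-read: length never checked against record size
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def fixed_handler(memory: bytearray, record_len: int):
    """Post-fix behaviour: the declared payload plus header and minimum padding
    must fit inside the record actually received, otherwise drop it silently."""
    _hbtype, length = struct.unpack_from("!BH", memory, 0)
    if 1 + 2 + length + PADDING > record_len:
        return None
    payload = bytes(memory[3:3 + length])
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def demo():
    """Malicious heartbeat: 5 real payload bytes, declared length 65535."""
    secret = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a key)"
    record = build_heartbeat(b"hello", declared_len=0xFFFF)
    mem = make_process_memory(record, secret)
    leaked = vulnerable_handler(mem)          # response carries the planted secret
    safe = fixed_handler(mem, len(record))    # None: message discarded
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler leaked secret:", b"PRIVATE KEY" in leaked)
    print("fixed handler response:", safe)
```

The fix is a single length comparison; the lesson for any protocol parser is that a length field supplied by the peer is untrusted input and must be bounded by what was actually received before it is used to index memory.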
"But it turned out to be difficult to meet the planned deadlines. This is due to a number of technical and organizational problems that arise when new systems are introduced in the financial industry. Therefore the SSL end date has to be adjusted," said Troy Leach.
In accordance with PCI DSS 3.2, the deadline for migrating away from SSL and early TLS is moved to June 30, 2018. But since many market participants were still unaware of the postponement, it was decided to release the new version of the standard ahead of schedule, without waiting for November 2016.
2013: PCI DSS version 3.0
"The new version of PCI DSS 3.0 will turn the standard into an organic part of ordinary business operations," Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), told eWeek. "We want to try to wean people from believing that PCI DSS can be done once a year and then forgotten about. In the real environment, gaps arise often."
PCI DSS was often treated only as a basis for a compliance check: tick the box that everything is in order at the moment and move on to other matters. Russo emphasized that the new PCI DSS 3.0 standard places the emphasis on training and policy, making payment security a daily task and an element of a constantly maintained order. The bottom line is that the standard will help build a more coherent, process-oriented control, which is especially important for large organizations, and it strengthens the focus on ongoing responsibility rather than on the episodic PCI DSS audit.[4]
One point of criticism of PCI DSS has been the lack of clarity in its provisions. For example, the standard might require an organization to deploy a Web Application Firewall (WAF) without detailing the desired configuration or even explaining why it is necessary. Such criticism was clearly and sharply expressed by PCI SSC participating organizations, and it required the development of a new, improved standard.
Previous versions of the standard always had two columns explaining each security control: the first column stated the requirement, and the second gave the details of the testing procedure. PCI DSS 3.0 adds a third column which, according to Leach, gives guidance on the risks that the security control is intended to reduce.
So, in the case of the WAF, the new standard will explain what this technology can do and what types of risks it helps mitigate.
One important change in PCI DSS 3.0 concerns the use of passwords. In the past three years PCI SSC has conducted a number of studies of password strength that helped formulate the new requirements.
Passphrases, that is, sentences with spaces between words (for example, "johnny walked a dog"), serve as an alternative to a regular password. The new standard retains the requirement that passwords be at least seven characters long and contain both letters and numbers, but adds the alternative of using passphrases.
Although PCI DSS 3.0 takes effect in January 2014, organizations that comply with PCI DSS 2.0 are given a year to transition to the new standard.
One requirement of PCI DSS 3.0 that merchants will need to meet is the timely detection of malicious code. Requirement 5.1.2 was added so that every organization processing payment card data periodically evaluates the malware threats to systems that are not commonly affected by malware, that is, maintains a reliable risk management process in this area.
PCI DSS 3.0 constantly emphasizes the need for flexibility in security management, which must be provided in a variety of constantly improving ways.
2010: PCI DSS version 2.0
On October 28, 2010, a new version of the PCI DSS standard, version 2.0, was released. The changes can hardly be called radical: they are mainly clarifications and explanations. In addition, some testing procedures were regrouped to make them easier to understand and to follow during an audit.
Although version 2.0 took effect on January 1, 2011, members of the payment card industry could continue to use the previous version until the end of 2011. This PCI SSC policy allows a gradual transition to the new version. The next version is prepared by the PCI SSC over a three-year lifecycle.
The Russian version of PCI DSS 2.0 is available on the PCIDSS.RU Community website: http://pcidss.ru/files/pub/pdf/pcidss_v2.0_russian.pdf
Who is subject to PCI DSS requirements
First of all, the standard defines requirements for organizations whose information infrastructure stores, processes or transmits payment card data, as well as organizations that can affect the security of this data. The purpose of the standard is obvious: to ensure the security of payment card transactions. Since mid-2012 all organizations involved in storing, processing or transmitting cardholder data must comply with PCI DSS, and companies in the Russian Federation are no exception. To see whether your organization is subject to mandatory PCI DSS compliance, use the simple flowchart[5].
Two questions should be answered first:
- Are payment card data stored, processed, or transferred in your organization?
- Can your organization's business processes directly affect the security of your payment card data?
If both answers are negative, PCI DSS certification is not required. If at least one answer is positive, compliance with the standard is necessary, as shown in Figure 1.
What are the requirements of the PCI DSS standard?
To comply with the standard, the requirements outlined in the twelve sections given in the table below must be met:
Going deeper, the standard contains about 440 testing procedures, each of which must give a positive result during a compliance assessment.
How can I confirm PCI DSS compliance?
There are several ways to confirm PCI DSS compliance: an external audit by a Qualified Security Assessor (QSA), an internal audit by an Internal Security Assessor (ISA), or a Self-Assessment Questionnaire (SAQ). The features of each are shown in the table.
Despite the apparent simplicity of these methods, customers often face misunderstandings and difficulties in choosing the appropriate one. Examples are the questions listed below.
When is an external audit necessary, and when an internal audit? Or is it enough to limit oneself to self-assessment?
The answers depend on the type of organization and the number of transactions processed per year. The choice is not arbitrary: there are documented rules that govern how an organization must confirm compliance with the standard. All of them are set by the international payment systems, the most widespread of which in Russia are Visa and MasterCard. There is also a classification that distinguishes two types of organizations: merchants (trade and service enterprises) and service providers.
A merchant is an organization that accepts payment cards for goods and services (shops, restaurants, online stores, gas stations, etc.). A service provider is an organization that stores, processes or transmits cardholder data on behalf of other organizations, or that can otherwise affect the security of such data (processing centers, hosting providers, payment gateways, etc.).
Depending on the number of transactions processed per year, merchants and service providers can be assigned to different levels.
For example, a merchant processes up to 1 million e-commerce transactions per year. Under the Visa and MasterCard classification (Figure 2), the organization is classified as Level 3. Therefore, to confirm PCI DSS compliance it must perform quarterly external vulnerability scans of its Internet-facing components by an Approved Scanning Vendor (ASV) and complete an annual SAQ. In this case the organization does not need to obtain a certificate of compliance, since this is not required for its level; the reporting document is the completed SAQ.
ASV (Approved Scanning Vendor) scanning is an automated external scan of all points where the information infrastructure connects to the Internet, performed by a vendor approved by the PCI SSC, to detect vulnerabilities. Under PCI DSS this procedure must be performed at least quarterly.
Or consider a cloud service provider that handles more than 300,000 transactions a year. Under the Visa or MasterCard classification, the service provider is classified as Level 1. Therefore, as shown in Figure 2, quarterly external ASV vulnerability scans and an annual external QSA audit are required.
Note that the acquiring bank (the bank involved in accepting payment cards for goods or services) as well as the international payment systems can override the level of a merchant or service provider connected to them, based on their own risk assessment. The assigned level then takes precedence over the classification shown in Figure 2.
Is a one-time violation of ASV scanning a serious risk in terms of PCI DSS compliance?
An organization with PCI DSS compliance status must meet a number of requirements on an ongoing basis, such as performing quarterly ASV scans. For the initial assessment it is enough to have a documented ASV scanning procedure and at least one passing scan within the past three months. All subsequent scans must be quarterly, with no more than three months between them. A missed external vulnerability scan entails additional requirements for the organization's information security management system: first, an ASV scan still has to be performed until a passing report is obtained; second, an additional procedure has to be developed to prevent such schedule violations in future.
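The schedule rule above can be checked mechanically against a scan history. The following Python function is an added example, not a PCI SSC tool: it takes the scan dates with their pass/fail result and reports the findings an assessor would raise (fewer than four passing scans in the last twelve months, a gap of more than three months between passing scans, or a stale latest scan), with the relaxed rule for an initial assessment. The 92-day limit is an assumption standing in for "three months", and the scan history is constructed.

```python
from datetime import date, timedelta

MAX_GAP_DAYS = 92      # assumption: "no more than three months" between passing scans
WINDOW_DAYS = 365      # look back one year from the assessment date


def asv_schedule_issues(scans, assessment_date, initial_assessment=False):
    """scans: iterable of (scan_date, passed). Returns a list of findings;
    an empty list means the quarterly ASV schedule is satisfied."""
    window_start = assessment_date - timedelta(days=WINDOW_DAYS)
    passing = sorted(d for d, ok in scans if ok and window_start <= d <= assessment_date)
    issues = []
    if not passing:
        return ["no passing ASV scan in the last 12 months"]
    # The most recent passing scan must itself be recent.
    if (assessment_date - passing[-1]).days > MAX_GAP_DAYS:
        issues.append(f"latest passing scan {passing[-1]} is older than {MAX_GAP_DAYS} days")
    if initial_assessment:
        # First assessment: one recent passing scan plus a documented procedure suffices.
        return issues
    if len(passing) < 4:
        issues.append(f"only {len(passing)} passing scans in the last 12 months, 4 required")
    # Every consecutive pair of passing scans must be within a quarter of each other;
    # a failed scan does not count, so a failure that is rescanned late opens a gap.
    for prev, cur in zip(passing, passing[1:]):
        gap = (cur - prev).days
        if gap > MAX_GAP_DAYS:
            issues.append(f"{gap}-day gap between passing scans {prev} and {cur}")
    return issues


# Constructed scan history: the November scan failed and the rescan only
# passed in mid-December, so the Aug->Dec interval between passing scans is too long.
HISTORY = [
    (date(2015, 5, 10), True),
    (date(2015, 8, 5), True),
    (date(2015, 11, 2), False),
    (date(2015, 12, 14), True),
    (date(2016, 3, 1), True),
]
ASSESSMENT_DATE = date(2016, 4, 15)

if __name__ == "__main__":
    for issue in asv_schedule_issues(HISTORY, ASSESSMENT_DATE) or ["schedule satisfied"]:
        print(issue)
```

The constructed history illustrates the point of the paragraph: four passing scans in the year is not enough on its own, because the failed November scan and the late rescan leave a 131-day interval that an assessor will flag, which is exactly the situation that triggers the additional procedural requirements.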
Cisco PCI DSS Compliance Study
After the major hacks of card payment systems in recent years, organizations that do not want to share the fate of the victims have been actively discussing the implementation of and compliance with the PCI DSS, PA-DSS and PTS security standards. At Cisco's request, the research company InsightExpress surveyed 500 American executives who make IT decisions to find out their attitude to PCI DSS five years after its creation and at the time its new, second version was released.
The survey covered IT executives responsible for PCI compliance in organizations from education, financial services, government, healthcare and retail. The researchers wanted to assess their attitude to PCI DSS, measure the cost of implementing it, identify the problems of meeting these regulatory requirements, and evaluate the adoption of certain technologies to better understand how organizations are guided by PCI DSS. It turned out that:
- 70 percent of respondents believe that compliance with the PCI DSS standard makes their organizations more secure;
- 87 percent of respondents believe that the requirements of the PCI DSS standard are necessary to protect the data of payment card holders;
- of all industries, retailers and financial institutions meet PCI DSS requirements best; retail took the implementation of the standard very seriously;
- 67 percent of respondents expect their PCI DSS compliance costs to increase over the coming year, which means that company leaders and board members consider PCI DSS a very important initiative;
- in addition, 60 percent of respondents suggested that efforts to comply with PCI DSS could stimulate other networking and network security projects.
When asked about compliance problems with PCI DSS specifications, respondents most often mentioned the need to train employees to correctly handle the data of payment card holders. According to 43 percent of respondents, there are problems in this area. In addition, 32 per cent mentioned the need to upgrade legacy systems.
According to respondents, of the 12 PCI DSS requirements the most difficult to comply with are tracking and monitoring all access to network resources and cardholder data (37 percent), developing and maintaining secure systems and applications (32 percent), and protecting stored cardholder data (30 percent).
The audit of PCI DSS requirements is best handled by government organizations. However, the vast majority of other organizations also try to protect the confidential data of cardholders.
- 85 percent of respondents believe that their organizations are currently able to successfully pass the PCI DSS audit, and 78 percent have successfully completed such an audit the first time;
- surprisingly, the highest results in this area were shown by government organizations: 85 percent of government institutions passed the PCI DSS audit the first time. Healthcare organizations did worst in such audits (72 percent);
- over 85 percent of respondents are familiar with the explanations and recommendations for the recently announced new version of the PCI DSS 2.0 standard.
The most notable answers concerned the role of technology in the payment environment. A surprising fact emerged: organizations are introducing new technologies in advance, before the PCI Security Standards Council issues guidance on them.
Although the Council has issued guidance on technologies not explicitly covered by the DSS, such as point-to-point encryption and EMV (the Europay, MasterCard and Visa standard for chip-and-PIN cards), precise standards for point-to-point encryption did not yet exist. Nevertheless, organizations adopt this technology hoping to "shrink the cardholder data environment", that is, to reduce the number of systems subject to PCI DSS requirements. Similarly, although the Council has provided some clarification on virtualization, the industry is waiting for more; meanwhile many organizations do not wait and adopt best practices in the relevant areas on their own.
- 57 per cent of respondents are satisfied with the current security status of the virtual environment in their organizations;
- 36 percent want to increase the number of virtual security devices (firewalls and intrusion prevention systems) to meet PCI 2.0 requirements;
- 30 percent strive to increase the security of virtualization software using the methods recommended by manufacturers and the PCI DSS standard;
- 60 percent of organizations use point-to-point encryption to simplify compliance and, where possible, to reduce the scope of the next PCI DSS audit;
- almost 70 per cent of financial institutions use point-to-point encryption;
- 45 percent of respondents said they use EMV specifications to reduce the likelihood of fraud;
- another 23 percent do not use EMV, but are thinking about implementing this technology.
PCI DSS Development Prospects
The main threat to all participants in the payment card industry is undoubtedly fraud. In the UK alone, losses from fraudulent payment card transactions in 2011 amounted to 341 million pounds, according to Financial Fraud Action UK (FFA UK). Unfortunately, similar statistics are typical for many countries[6].
The three main types of fraud are all based on stealing the cardholder's data. In descending order of popularity among fraudsters: card-not-present fraud, that is, transactions that do not require the cardholder's physical presence, which lets fraudsters who have obtained the data printed on a customer's card make purchases on the customer's behalf, for example in online stores; skimming, that is, copying the card data unnoticed by the customer in order to produce a duplicate card and transact with it; and, in third place, theft or loss of cards.
No guarantee
Fortunately, since 2004, when PCI DSS 1.0 appeared, and since 2006 under the Payment Card Industry Security Standards Council, the industry has taken responsibility for standardizing and consolidating the protection of cardholder data. The well-known PCI DSS standard now contains 12 requirements whose implementation helps resist the theft and misuse of cardholder data stored in the systems of a processing center or any other organization that handles such data.
In Russia, the Visa payment system has even made certification against the standard mandatory for its members. So every year most Russian organizations that process or store card data in one way or another face the task of preparing their systems for a PCI DSS audit. The paradox is that the lion's share of resources and funds goes to preparing for the audit, yet an organization that has received a PCI DSS compliance certificate does not thereby obtain adequate protection against the main types of fraud. According to the statistics, most of the losses come from e-commerce transactions and counterfeit cards, and the current PCI DSS requirements in most cases cannot prevent them.
Countermeasures
Members of the payment card industry develop mechanisms against such crimes on their own. First, the 3-D Secure protocol was created to provide an additional level of security for online credit and debit card transactions. It implements the two-factor principle of "something I have and something I know" for online payments, which greatly reduces the risks of an acquiring bank offering e-commerce services. Second, more and more chip cards supporting dynamic data authentication (DDA) are being issued; producing counterfeits of them is a difficult task today.
Take the example of the UK, the most active participant in the community of states that pay special attention to countering payment card crime: the transition of most of the country's banks to issuing chip cards, which began in 2004, cut the losses from counterfeit cards fourfold.
Speaking of modern countermeasures, one cannot fail to mention the actively developing fraud monitoring systems (fraud prevention systems). They are designed to recognize a fraudulent transaction at the moment it is attempted, using predefined rules.
Thus the main value of a fraud monitoring system lies precisely in an effective rule set. It can be obtained in two ways: from the experience of the processing center's own staff who operate the system, or by having the system learn from data on completed transactions, which is more automated and eliminates some staff errors. There is still much to develop before such systems are truly effective, but their economic impact can be very significant in the long run.
Sad statistics
But even if organizations have such protection tools, there are no fewer cases of fraud in Russia. This problem is especially acute due to the active growth of the e-commerce market. Obviously, if we do not make an active effort, the volume of fraudulent transactions will grow, at best, at the same pace. So far, this is happening: according to statistics, the volume of crimes in 2010 compared to 2006 has increased several times! The continuation of the trend may jeopardize the further development of electronic commerce!
The reason for the depressing statistics most likely lies in the fact that many e-commerce service operators do not use modern fraud protection. Magnetic stripe cards, the most vulnerable to cloning, still hold a large share of the market. Many banks allow their customers (online stores) to conduct e-commerce transactions while authenticating the buyer only by CVV2/CVC2. As a result, the share of "protected" transactions remains very low.
Solution Paths
It seems advisable to entrust the standardization and consolidation of the efforts of all participants in the payment card industry to develop and implement such protections to the PCI DSS community as well, since the tasks of their implementation fully correspond to the ideology of the standard. More importantly, in this form PCI DSS certification would become a procedure that really allows banks and other community members to significantly reduce their own costs and increase customer confidence. So far, the cost of refining the processing systems required for certification (for example, in terms of data encryption) goes towards effectively dealing with the smaller problem of internal fraud and hacker attacks from outside.
Of course, introducing modern security measures will cost even more than preparing for a PCI DSS audit, and the new approach will "hit" small organizations first of all. But if a special level of compliance that includes the requirement to use the main technologies described above were singled out in the standard, their popularity would certainly grow. In effect, the standardization of these technologies would begin, making it possible to respond more effectively to emerging challenges, and the security of payments using plastic cards would increase.
In addition, legislation is developing towards increasing the responsibility of card service providers. Investment in fraud protection will help banks take preventive measures and thereby minimize losses.
9 PCI DSS Compliance Issues
The results of the study showed that 32% of companies handling bank cardholder data do not have a clear information security policy, 12.6% use simple passwords to access information systems, and 15.3% transmit payment cardholder data unencrypted by e-mail.
Companies that process, transmit or store bank cardholder data must have security controls in accordance with the requirements of the PCI DSS standard. Specialists at WatchGuard Technologies conducted a study in which 1,000 companies from Russia, the CIS countries and Eastern Europe participated. Based on its results, 9 main problems in implementing the requirements of the standard were identified, together with recommendations on how they can be avoided.
Lack of a clear information security policy
To meet PCI DSS requirements, companies must create a clear information security policy covering operational security, system usage, security management and more. 32% of respondents have no such policy at all.
A monkey or a dragon?
12.6% of respondents indicated that simple passwords, often the ones a system ships with by default, are used to access information resources. Such passwords are easily compromised, and all of them must be changed during initial firewall configuration. According to recently published data, the most common passwords are the words "Password," "Monkey" and "Dragon"; simple sequences of numbers and letters such as 123456, 1234567, 12345678 and abc123; keyboard patterns such as "QWERTY"; and jargon such as "letmein" and "trustno1".
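As an added example (not code from the article or from WatchGuard), the check below rejects the kinds of passwords listed above before they can be set on a device or account. The common-password list is taken from the article's own examples; the vendor-default username/password pairs, the keyboard rows and the 12-character minimum are assumptions chosen for illustration, not values from any particular product or from the standard's text. Beyond the literal list it also catches sequential runs and keyboard walks, so variants such as "Zxcvbn" are rejected too.

```python
"""Checks for default and easily guessed passwords of the kind listed above.

Added example, not the article's or any vendor's code. The common-password
list is taken from the article's own examples; the vendor-default pairs, the
keyboard rows and the 12-character minimum are assumptions for illustration.
"""
from typing import List

# Passwords named in the article as the most common ones.
COMMON_PASSWORDS = {
    "password", "monkey", "dragon", "123456", "1234567", "12345678",
    "abc123", "qwerty", "letmein", "trustno1",
}
# Assumed factory-default username/password pairs (placeholders, not real products).
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12   # assumed policy parameter


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (1234, dcba, ...)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if the password contains `run` adjacent keys from one keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def check_password(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    issues = []
    if (username.lower(), password.lower()) in VENDOR_DEFAULTS:
        issues.append("vendor default credential")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        issues.append("contains the username")
    if has_sequence(password):
        issues.append("sequential characters")
    if has_keyboard_walk(password):
        issues.append("keyboard walk")
    if char_classes(password) < 3:
        issues.append("fewer than 3 character classes")
    return issues


if __name__ == "__main__":
    samples = [("admin", "admin"), ("alice", "Dragon"),
               ("bob", "Zxcvbn!20249"), ("carol", "Xk9#vQ2!mLp7")]
    for user, pw in samples:
        print(f"{user}/{pw!r}: {check_password(user, pw) or 'ok'}")
```

In practice the list of common passwords would be far larger than the ten words the article names, and the check would run both at password change time and as a periodic audit of existing device credentials.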
Attempting to protect cardholders while the IPS is disabled or missing
8.1% of respondents noted that one of the main problems is the lack of a network intrusion prevention system (IPS). There are several ways to keep cardholder data safe, and IPS is one of the key security technologies that is often forgotten: an IPS is to intruders what antivirus is to viruses. It blocks attackers' attempts to enter the system and helps protect bank cardholder data. To ensure maximum protection of confidential information, the IPS must always be kept in active mode.
Transmission of cardholder data in unencrypted form over public networks
15.3% of companies said that payment cardholder data is often transmitted in unencrypted form through ordinary e-mail. Such actions can lead to theft and a breach of the confidentiality of valuable information. To prevent this, it is recommended to always use encryption, especially e-mail encryption, when transmitting such data; this is a key component of meeting the requirements of the PCI DSS standard.
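A complementary control to mandatory e-mail encryption is to detect card numbers in outbound mail before it leaves the network. The following is an added example of such a check, not code from the article or from WatchGuard: candidate digit strings are found with a regular expression, confirmed with the Luhn check digit test so that order numbers and phone numbers are not flagged, and the result is logged only in masked form. The message bodies are constructed, the card numbers in them are well-known test numbers rather than real cards, and quarantining a flagged message is an assumed policy action.

```python
"""Detect unmasked card numbers (PANs) in outbound e-mail before it leaves the network.

Added example, not code from the article or from WatchGuard. The message bodies
are constructed, and the card numbers in them are well-known test numbers, not
real cards. Quarantining a flagged message is an assumed policy action.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; real PANs pass it, most order numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the usual display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def screen_message(body: str) -> Dict[str, object]:
    """Decide what to do with an outbound message; the result never contains a full PAN."""
    pans = find_pans(body)
    return {
        "pans_found": len(pans),
        "masked": [mask_pan(p) for p in pans],
        "action": "quarantine" if pans else "deliver",
    }


# Constructed sample messages. The 16-digit order number is not Luhn-valid and
# must not be flagged; the two card numbers are standard test numbers.
SAMPLE_UNENCRYPTED = (
    "Subject: Refund for order 1234567890123456\n"
    "Hi, please refund card 4111 1111 1111 1111 (exp 12/26) and also 5500-0000-0000-0004.\n"
)
SAMPLE_CLEAN = (
    "Subject: Refund for order 1234567890123456\n"
    "The refund was issued to the card ending in 1111.\n"
)

if __name__ == "__main__":
    for body in (SAMPLE_UNENCRYPTED, SAMPLE_CLEAN):
        print(screen_message(body))
```

The same detector can be run over mail server logs or file shares to find cardholder data stored where it should not be; the masking step matters because the detector's own output would otherwise become another unencrypted copy of the card numbers.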
Open access to cardholder data
According to 10.2% of companies, approximately 80% of all security violations are caused by the company's own employees. With easy access to confidential information, they can freely use it for personal purposes, which puts plastic cardholder data at high risk. To reduce the number of violations, companies must apply the "least privilege" rule: users should be given access to the minimum set of resources required for their work. If access to data is not limited, cardholder data can leak. In such cases it is recommended to use the RBAC (role-based access control) model, segregation of duties and other forms of the least privilege rule. Following these rules gives the company confidence that users have access only to the data they really need.
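The following is an added example of the RBAC, segregation of duties and least privilege model described above; it is not code from the article or from any product. The roles, the permissions attached to them and the conflicting-role pairs are constructed assumptions: each role carries only what its job function needs (no role can read a full card number at all), a user cannot be given two roles that together would let them complete a sensitive operation alone, and a refund requires two different people.

```python
"""Role-based access control with least privilege and segregation of duties.

Added example, not code from the article or from any product. The roles,
permissions and conflict pairs are assumptions constructed to illustrate the
model; a real deployment derives them from its own job functions.
"""
from typing import Dict, FrozenSet, List, Set

# Each role carries only the permissions its job function needs. No role at
# all can read a full card number: only masked reads exist.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "cashier":       {"txn:create"},
    "refund_clerk":  {"txn:read_masked", "refund:initiate"},
    "refund_mgr":    {"txn:read_masked", "refund:approve"},
    "auditor":       {"txn:read_masked", "log:read"},
    "key_custodian": {"key:rotate"},
}

# Pairs of roles that one person must never hold at the same time.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"refund_clerk", "refund_mgr"}),   # could refund to themselves
    frozenset({"key_custodian", "auditor"}),     # would audit their own key handling
}


class AccessControl:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}
        self.denied: List[str] = []   # refused actions, kept for log review

    def can_assign(self, user: str, role: str) -> bool:
        """A role may be added only if it conflicts with none of the user's current roles."""
        if role not in ROLE_PERMISSIONS:
            return False
        return all(frozenset({held, role}) not in SOD_CONFLICTS
                   for held in self.user_roles.get(user, set()))

    def assign(self, user: str, role: str) -> None:
        if not self.can_assign(user, role):
            raise ValueError(f"cannot give {role} to {user}: "
                             "unknown role or segregation-of-duties conflict")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, set())))

    def allowed(self, user: str, action: str) -> bool:
        ok = action in self.permissions(user)
        if not ok:
            self.denied.append(f"{user} denied {action}")
        return ok


def approve_refund(ac: AccessControl, initiator: str, approver: str) -> bool:
    """A refund needs two different people: one to initiate, another to approve."""
    if initiator == approver:
        return False
    return ac.allowed(initiator, "refund:initiate") and ac.allowed(approver, "refund:approve")


def build_demo() -> AccessControl:
    """Constructed staff list for the example."""
    ac = AccessControl()
    ac.assign("alice", "refund_clerk")
    ac.assign("bob", "refund_mgr")
    ac.assign("carol", "cashier")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice may initiate:", ac.allowed("alice", "refund:initiate"))
    print("alice may approve:", ac.allowed("alice", "refund:approve"))
    print("alice may also become refund_mgr:", ac.can_assign("alice", "refund_mgr"))
    print("two-person refund alice/bob:", approve_refund(ac, "alice", "bob"))
    print("denied attempts:", ac.denied)
```

The denied-attempt list is the hook for the regular log review discussed later in this section: repeated denials for one account are an early sign of either a misassigned role or misuse.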
Violation of firewall installation and configuration rules
6.3% of respondents noted that most security violations are the result of incorrect firewall configuration. The conclusion is that only certified specialists should configure firewalls. In addition, firewall settings must be audited regularly, because IT resources and the company's information environment are constantly changing.
No antivirus systems or irregular update of antivirus databases
6.9% of respondents noted that the lack of a gateway antivirus prevents them from fully meeting the requirements of PCI DSS. Unlike the antivirus software used on user workstations, a gateway antivirus blocks threats at the network perimeter and forms an additional layer of protection for information resources and sensitive data. Because it works at the perimeter and not on the workstation, it does not reduce the performance of users' local computers. To achieve the maximum level of protection, a gateway antivirus should be used together with antivirus software installed on user workstations.
No application monitoring and control system
5.1% of respondents use outdated firewalls that cannot distinguish web applications from websites. Attackers exploit this by creating special web applications that "bypass" the firewall and steal bank cardholder data. The company therefore needs to approach the protection of information resources comprehensively and use next-generation firewalls that have application monitoring and control functionality.
No system to monitor and control access to network resources and data on cardholders
Some companies (3.5%) treat network security as a matter of "set it and forget it": after the firewall is installed, employees forget about it and stop checking security reports, which is completely wrong. Many security policy violations can be easily blocked by checking security reports and logs on a regular basis.
PCI DSS compliance does not guarantee company intrusion protection
Verizon's end-of-2014 report on mobile and retail security and compliance with the Payment Card Industry Data Security Standard (PCI DSS) shows that many companies no longer meet these requirements once the related projects are completed. As a result, they are left with security gaps that risk future data theft and loss that could have been prevented.
"Most customers still see compliance as a two to three-month project," said Rodolphe Simonetti, Verizon's director of regulatory compliance and management services. Where customers fail, he said, is to maintain compliance when projects are completed, because they do not continue to work with systems.
External Security Audit Projects (PCI DSS and SIS)
PA-DSS - Payment Application Data Security Standard