Many companies have implemented work-from-home policies, which challenge how PCI DSS compliance has been traditionally managed.
The Payment Card Industry Data Security Standard (PCI DSS) is a standard established by the major payment card brands and maintained by the PCI Security Standards Council. It sets requirements for securely processing, storing or transmitting payment card data, aims to protect organizations and their customers against payment card fraud, and is made up of 12 requirements (control objectives) that together cover the payments ecosystem. The standard has been around since 2004 (the Council that maintains it was formed in 2006), giving organizations a framework they can use to implement, maintain and measure the strength of their cardholder data environment (CDE). Then the lockdown happened, forcing organizations across the globe to allow employees to work remotely.
Today more and more organizations are operating remotely and allowing employees to work from home. This presents a bigger risk for organizations that process, store or transmit payment card data: cardholder data is now handled on endpoints and networks the organization does not fully control. Achieving and maintaining compliance with PCI DSS has become increasingly challenging, and yet more important than ever. This paper introduces Zero Trust Principles and encourages organizations to adopt them across all 12 requirements of the PCI DSS.
What are Zero Trust Principles?
Zero Trust Principles hold that an organization should assume attackers may already be present on both its internal and external networks and implement stringent controls accordingly. No machine or user should be trusted merely because it sits on the organization’s network: every access request is authenticated and authorized on its own merits. Organizations must therefore examine their access controls and adopt least-privilege access across all processes.
Here are the 12 requirements of the PCI DSS, with Zero Trust Principles applied to each:
Requirement 1 – Building and maintaining a secure network.
Personal firewall software (or an equivalent host-based firewall) must run on every device employees use to reach the cardholder data environment, including personal devices used under a bring-your-own-device arrangement. The firewall must allow only the access control rules that are actually required, and employees must not be able to modify or disable it.
Requirement 2 – Secure Configuration Standards
In addition to maintaining an up-to-date inventory of workstations, the organization’s system configuration standards (hardening, removal of vendor-supplied defaults and unnecessary services) must also be enforced on the workstations of employees working from home, and configuration scans should verify that they stay that way.
Requirement 3 – Protecting Stored Cardholder Data
With many employees now working remotely, card data discovery scanning must be run more frequently, and it must cover remote endpoints, not only servers in the data center. There must be a clear process for running automated scans, securely removing any sensitive data found, and reducing the exposure of full card numbers (PANs).
Requirement 4 – Protecting Cardholder Data In Transmission
In addition to using an encrypted VPN connection, remote employees must access cardholder data only over HTTPS with TLS 1.2 or higher; SSL and early TLS versions are not acceptable. Sending cardholder data over unofficial email or messaging services must be strictly prohibited.
Requirement 5 – Antivirus and Malware
This goes without saying: an anti-malware solution that users cannot disable and that is regularly updated must be installed on all systems, including remote workstations.
Requirement 6 – Securing Applications
Clear segregation and regular patch management are needed here: development workstations must not be able to reach production environments, and remote access must not become a route around that separation.
Requirement 7: Access Control
Access to any system within the cardholder data environment must be denied by default. It is granted only on a need-to-know basis, by job role, with the least privileges required for that role, and access rights are reviewed regularly.
Requirement 8: User IDs
Without exception, all remote workers must use multi-factor authentication for every connection into the cardholder data environment. Each user must have a unique ID; shared or generic accounts are prohibited.
Requirement 9: Physical Security
With employees working from home, organizations must ensure that full cardholder data cannot be viewed, printed or downloaded outside controlled locations. Assessors’ physical reviews of data centers may now need to be completed remotely using time-stamped cameras and CCTV.
Requirement 10: Logging and Monitoring
All activity on remote employees’ workstations must be logged, and those logs must be synchronized frequently to designated central log servers so that they cannot be altered locally and can be reviewed.
Requirement 11: Vulnerability Management
Internal vulnerability scanning and penetration testing that emulate work-from-home user scenarios (remote endpoints, VPN entry points and the path from them into the cardholder data environment) must be performed, in addition to the regular scans.
Requirement 12: Policies and Procedures
It is more important than ever to communicate the risk introduced by having employees work from home. Information security training and awareness must be provided so that security and compliance goals are treated as a business-as-usual consideration across the entire organization.
The above list provides approaches for addressing each of the PCI DSS requirements using zero trust principles. However, managing security is still no easy task. Wherever possible, organizations must use technology to automate processes, increase accuracy and reduce risk.
There are 3 key areas in which an organization may simplify PCI DSS compliance management by using technology to implement zero trust principles:
1. Automation – By automating remote scanning, testing and evidence collection, organizations can save time and reduce risk while employees are working from home.
2. The use of CCTV and cameras – these provide a mechanism for remote assessments and PCI DSS certification.
3. Make PCI DSS Compliance Business as Usual – Organizations must develop, implement and maintain a continuous compliance program that includes more frequent reviews and scans across the entire network.