What do I need to know about PCI DSS?
- PCI DSS and PCI SSC:
To reduce the risk that payment card data is stolen or misused, there exists the Payment Card Industry Data Security Standard (PCI DSS). It is designed and maintained by the PCI Security Standards Council (PCI SSC). In a nutshell, it sets requirements for protecting cardholder data wherever it is stored, processed or transmitted, online transactions included.
The card brands enforce the standard themselves, through their agreements with acquiring banks, which pass the obligation on to merchants and service providers. Every retailer that accepts card payments, online or otherwise, has to meet a long checklist of requirements. The checklist mainly strives to keep the cardholder data itself, and the networks that carry it, secure. Compliance lowers the risk considerably; it does not make transactions completely safe.
- Spear phishing:
Spear phishing is a form of attack built on social engineering. A small number of end users receive e-mails customized to them, written to trick them into handing over private information.
A natural question to ask at this point: if this is what spear phishing is, what then is the difference between ordinary phishing and spear phishing?
Ordinary phishing sends the same message to a large group of people with no prior research, expecting that a small number of them will respond. Spear phishing targets a specific, small group with customized messages written after researching that group, so that each target receives the message they are expected to respond to positively and be tricked by.
Phishing attacks reach a great number of people, yet only a small fraction of the recipients click the links they contain. Spear phishing attacks have a much smaller target group, but a far larger share of that group, around half, clicks the links or opens the attachments.
- Tokenization:
Whenever sensitive data such as card numbers is handled, tokenization has to be mentioned, because it is one of the main ways of keeping that data out of harm's way. The sensitive value is replaced with a token: a surrogate that is of no use outside the tokenization process itself. The token carries no meaning for an attacker, or even for the application that uses it, and it cannot be turned back into the original value by anyone except the tokenization system, which maps it back to the specific piece of information it stands for.
This requires a tokenization system through which tokens are requested, generated and, when really needed, detokenized to recover the data. Every other system then holds only tokens and is taken out of the sensitive-data path. One aspect still has to be cared for: the security of the tokenization system itself, since it is now the one place where the data lives. It has to be secured following best practice for sensitive-data protection: secure storage, audit logging, and authentication and authorization of every request.
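The following tokenization vault is an example added to this page to make the mechanism concrete; it is not code from any PCI-approved product or vendor. Everything in it is an assumption chosen for illustration: tokens are digit strings that keep the last four digits of the card number, the vault is the only place the real card number (PAN) is stored, only a hypothetical "settlement" role may recover a PAN, and every request, successful or not, is written to an audit log. The PAN used at the bottom is the well-known Visa test number, not real cardholder data.

```python
"""Tokenization vault: illustrative example, not a PCI-approved product.

Assumptions (hypothetical): tokens keep the last four digits of the PAN,
the vault is the only store of real PANs, and only the 'settlement' role
may detokenize. Every request is audited, failures included.
"""
from __future__ import annotations

import secrets
from datetime import datetime, timezone


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects malformed PANs, and is also used to make sure
    a generated token is never itself a valid card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    DETOKENIZE_ROLES = {"settlement"}  # assumed: the only role allowed to recover PANs

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}  # the only store of real PANs
        self._pan_to_token: dict[str, str] = {}  # one PAN always maps to one token
        self.audit_log: list[dict] = []

    def _audit(self, actor: str, action: str, token: str | None, ok: bool) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "token": token, "ok": ok,
        })

    def _new_token(self, pan: str) -> str:
        """Random token that keeps the last four digits (handy for receipts)
        but fails the Luhn check, so it cannot be mistaken for or used as a PAN."""
        last4 = pan[-4:]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + last4
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, actor: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            self._audit(actor, "tokenize", None, False)
            raise ValueError("not a well-formed PAN")
        token = self._pan_to_token.get(pan)
        if token is None:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        self._audit(actor, "tokenize", token, True)
        return token

    def detokenize(self, actor: str, role: str, token: str) -> str:
        """Authorization is checked before the lookup; refusals are audited too."""
        if role not in self.DETOKENIZE_ROLES:
            self._audit(actor, "detokenize", token, False)
            raise PermissionError(f"role {role!r} may not detokenize")
        pan = self._token_to_pan.get(token)
        if pan is None:
            self._audit(actor, "detokenize", token, False)
            raise KeyError("unknown token")
        self._audit(actor, "detokenize", token, True)
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input: the well-known Visa test PAN, not real cardholder data.
    token = vault.tokenize("checkout-service", "4111111111111111")
    print("token stored by the shop:", token)
    print("settlement recovers:", vault.detokenize("settlement-batch", "settlement", token))
    try:
        vault.detokenize("helpdesk-app", "customer-service", token)
    except PermissionError as err:
        print("blocked:", err)
    for entry in vault.audit_log:
        print(entry)
```

Two design points are worth noting. The token is generated at random rather than derived from the PAN, so possession of any number of tokens tells an attacker nothing about the card numbers; and it is deliberately made to fail the Luhn check, so a token that leaks cannot be submitted to a payment network as if it were a card number. In a real deployment the `_token_to_pan` store would be encrypted at rest and the audit log shipped off the host, which is exactly the "secure the tokenization system itself" point made above.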
- Jump server:
When talking about network security and the data flowing through a network, it is important to understand the concept of a jump server. Devices in a separate security zone are managed through such a server rather than directly. The most common example is the demilitarized zone (DMZ): hosts in the DMZ are managed from trusted networks or computers by way of the jump server.
A jump server has to have specific administrators who hold authorized credentials on it; only they can use it to reach the DMZ. All other access attempts, from non-authorized users, have to be logged for later audit. Because every administrative session passes through it, the server works as a single audit point for that traffic, which strengthens the protection of the data inside the DMZ.
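The checks below are an example added to this page, not code from any product, and they show what "single audit point" buys you in practice: with all administrative access forced through the jump box, two simple rules over flow records and jump-box login events catch both a bypass and misuse of the box. Every address, user name and record is constructed; the jump box address (10.0.1.5), the protected zone (10.0.20.0/24), the administrative ports (22 and 3389) and the authorized administrator list are all hypothetical assumptions.

```python
"""Jump-box access checks: illustrative example for this page, not product code.

Assumptions (hypothetical): the jump box is 10.0.1.5, the zone it protects is
10.0.20.0/24, administration uses SSH (22) or RDP (3389), and only the users
in ADMIN_USERS hold credentials on the jump box. All records are constructed.
"""
from __future__ import annotations

import ipaddress

JUMP_BOX = ipaddress.ip_address("10.0.1.5")
PROTECTED_NET = ipaddress.ip_network("10.0.20.0/24")
ADMIN_PORTS = {22, 3389}
ADMIN_USERS = {"alice", "bob"}

# Constructed flow records from the internal network: src_ip dst_ip dst_port
FLOWS = """\
10.0.1.5 10.0.20.11 22
10.0.5.21 10.0.20.11 22
10.0.1.5 10.0.20.12 3389
10.0.5.33 10.0.20.12 443
"""

# Constructed jump-box login events: user src_ip outcome
LOGINS = """\
alice 10.0.5.21 success
mallory 10.0.5.40 failure
bob 10.0.5.22 success
carol 10.0.5.50 success
"""


def bypass_attempts(flows: str) -> list[tuple[str, str, int]]:
    """Administrative connections into the protected zone that did not come
    from the jump box. Application traffic (443 here) is deliberately ignored."""
    hits = []
    for line in flows.splitlines():
        src, dst, port_text = line.split()
        port = int(port_text)
        if (ipaddress.ip_address(dst) in PROTECTED_NET
                and port in ADMIN_PORTS
                and ipaddress.ip_address(src) != JUMP_BOX):
            hits.append((src, dst, port))
    return hits


def suspicious_logins(logins: str) -> list[tuple[str, str, str]]:
    """Jump-box logins worth an analyst's attention: failures, and successful
    logins by accounts that are not on the authorized administrator list."""
    findings = []
    for line in logins.splitlines():
        user, src, outcome = line.split()
        if outcome != "success":
            findings.append((user, src, "failed login"))
        elif user not in ADMIN_USERS:
            findings.append((user, src, "login by non-administrator account"))
    return findings


if __name__ == "__main__":
    for src, dst, port in bypass_attempts(FLOWS):
        print(f"ALERT: {src} reached {dst}:{port} without going through the jump box")
    for user, src, reason in suspicious_logins(LOGINS):
        print(f"REVIEW: {user} from {src}: {reason}")
```

The first rule only works if the network really does block direct SSH and RDP into the protected zone from everywhere except the jump box; the flow check is the detection that backs up that firewall rule, and a hit means either a misconfiguration or an attacker who found a way around it. The same two checks apply to the jump-box recommendation in the list of additional measures further down.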
How to apply additional security measures besides PCI DSS?
- An organization's management should recognize first of all that it can be breached at any moment. Security standards can be set very high and followed very strictly, and a security incident can still occur. What, then, is the benefit of security controls? They are meant to keep the number of such incidents as low as possible and, in addition, to make it unlikely that an attacker who does get in obtains sensitive data. How? If the organization is breached, the controls play a great role in identifying the risk or the attack before the attacker reaches the information he is after.
- Highly sensitive data should not be saved or stored in the system any longer than necessary. As long as it is there, any vulnerability in the system could be exploited to get at it. If an organization or a merchant is obliged to keep such data, tokenization is the right solution: the system holds only tokens, and the data itself is not stored there.
- Isolate any sensitive data inside the network or the organization's systems. Approaches such as Forrester's "Zero Trust" model or McGladrey Ultra Secure could be followed here, in order to ensure a very high level of protection for the sensitive data.
- Another useful measure is to minimize the number of people authorized to access sensitive data. Then, whenever an incident occurs, the people responsible for information security have only a small focus group to work with: a small set of accounts to examine, and a small set of people who could have been socially engineered into giving the attacker a way in.
- A "jump box" or "jump server" should be used, so that users have to log into that server before getting any access to sensitive data. Access to the cardholder data environment is then restricted to those who can correctly log into the jump box, and it can be tightened further by requiring separate credentials for the data itself. With full instrumentation of the jump box, all activity performed on it is captured, and the jump box can then be monitored for any suspicious access.
- The IP addresses that people inside an organization can reach should be limited. HTTP and HTTPS traffic has to stay open for the business' needs, but that does not mean it can be left unrestricted to any IP address or URL. The solution is to apply proper allow lists (white lists) or deny lists (black lists) of IP addresses. An attacker's tools then cannot simply connect to or from any IP address or URL they choose and play around with the network.
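The last measure above can be read as outbound (egress) filtering, which is the reading this example takes. It is an example added to this page, not code from any firewall or proxy product, and it evaluates the same constructed proxy log lines under both policies mentioned, an allow list and a deny list, so that the difference between them is visible. The networks are taken from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), and the host names, client addresses and log format are hypothetical.

```python
"""Egress policy check: illustrative example for this page, not product code.

Constructed policy and log data; the networks are documentation ranges and the
host names are made up. Shows an allow list (default deny) next to a deny list
(default allow) over the same requests.
"""
import ipaddress

# Assumed allow list: the only destinations the business actually needs.
ALLOW_NETS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # hypothetical payment processor range
    "198.51.100.10/32",  # hypothetical acquirer API endpoint
)]
ALLOW_HOSTS = {"api.processor.example", "updates.vendor.example"}

# Assumed deny list: what a deny-list-only policy would know to block.
DENY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical known-bad range

# Constructed proxy log lines: client_ip dst_ip host_header(or -) method
SAMPLE_LOG = """\
10.0.5.21 203.0.113.40 api.processor.example CONNECT
10.0.5.21 198.51.100.10 - POST
10.0.5.33 192.0.2.77 - GET
10.0.5.33 100.64.7.9 files.unknown.example CONNECT
"""


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def decide_allow_list(dst_ip, dst_host=None):
    """Default deny: a request passes only if its host or address is listed."""
    if dst_host is not None and dst_host in ALLOW_HOSTS:
        return "allow"
    return "allow" if _in_any(dst_ip, ALLOW_NETS) else "deny"


def decide_deny_list(dst_ip, dst_host=None):
    """Default allow: a request is blocked only if its address is listed."""
    return "deny" if _in_any(dst_ip, DENY_NETS) else "allow"


def parse_log(text):
    for line in text.splitlines():
        client, dst_ip, host, method = line.split()
        yield {"client": client, "dst_ip": dst_ip,
               "host": None if host == "-" else host, "method": method}


def evaluate(text):
    """Each request with the verdict of both policies side by side."""
    results = []
    for req in parse_log(text):
        results.append({
            **req,
            "allow_list": decide_allow_list(req["dst_ip"], req["host"]),
            "deny_list": decide_deny_list(req["dst_ip"], req["host"]),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f"{r['client']} -> {r['dst_ip']} ({r['host'] or '-'}) "
              f"{r['method']}: allow-list={r['allow_list']} deny-list={r['deny_list']}")
```

The fourth request is the one that matters: an unknown host at an address nobody has seen before. The deny list lets it through, because a deny list can only block what is already known to be bad, and an attacker's command-and-control server is, by definition, not on it yet. The allow list blocks it without knowing anything about the attacker, which is why egress filtering for a cardholder data environment should be built as an allow list with a default deny, and why every allowed entry should carry a business justification the way the first two do in the comments.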