How to become PCI compliant and still be breached?

 What do I need to know about PCI?

  • PCI DSS and PCI SSC:

To minimize the risk of payment card data being compromised, there exists the Payment Card Industry Data Security Standard (PCI DSS). It is designed and maintained by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims at securing online transactions to a great extent.

Credit card companies enforce these standards themselves. The standards compel every retailer that accepts any means of online payment to comply with a long checklist. This is meant to ensure that transactions take place in a secure environment; such checklists mainly strive to make sure that data and networks are highly secure.

  • Social Engineering:


A computer security professional has to perform various kinds of psychological manipulation on suspects in order to find out who is responsible for an attack or a similar security incident.

Such terms are used extensively when talking about information security in general, because someone inside the organization could reveal confidential data. Those responsible for information security ought to detect and investigate such persons.

In one way or another, many consider this a confidence trick. The rationale behind it varies from information gathering to fraud or system access, and it is often one of the many steps in a more complex fraud scheme. The concept is used in various social sciences, yet computer security is its main domain.

There are plenty of techniques one could use to carry out a social engineering attack. Examples include pretexting, diversion theft, phishing, spear phishing, water holing, baiting, quid pro quo, tailgating, and many others.

  • SSL/TLS/IPsec


To ensure secure transmission of data packets across a network, one can rely on three internet protocols that protect data as far as possible while it is in transit. Internet Protocol Security (IPsec) is capable of performing mutual authentication between agents when the session begins, and the cryptographic keys to be used during the session are negotiated at that point. This works either between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

It is important to understand that IPsec works at the Internet Layer. There are two other, similar internet protocols operating in different upper layers: Transport Layer Security (TLS) operates at the Transport Layer, while Secure Shell (SSH) functions at the Application Layer.

An insight into the problem

While several organizations claim complete compliance with PCI DSS, many still suffer actual breaches, losing a great deal of money and investment. We have to dig into the grounds of this problem in order to take accurate action accordingly.

First of all, let's discuss the reasons for this state of affairs:

  1. One hundred percent security is impossible and unachievable by any means. Although the PCI DSS standards are excellent and lead to much more secure online payment methods, they can never be the end or the ultimate goal of an organization.

There can never be perfect security for an organization. That is why banks still experience robberies to date, regardless of how secure they are. The only advantage of such standards lies in the fact that the number of successful robberies becomes much smaller, but it never drops to zero.

  2. Several methods are used to get around controls that are compliant with PCI standards, which leads to a breach even when the organization is PCI compliant. The following points discuss these methods:
    1. Imagine that a professional attacker develops a fresh piece of malware and manages to get it past all the antivirus or anti-malware systems inside the organization. This is possible because such new malware usually has no signature that would make it recognizable to anti-malware software. Consequently, even while an antivirus is running on the organization's network or systems, new malware can pass through undetected at the very beginning.
    2. As is well known, malware only has to find its way into the network, and the desired data can then be collected over time. But how does the malware get into the network in the first place? The answer is social engineering, and in particular the spear phishing attack. This term refers to emails which appear to come from a friend or someone inside the organization, but were in fact sent by the same individual who is after personal data such as passwords, credit card numbers, bank account numbers and the financial information on your personal computer (PC). One way such an attack is carried out effectively is to send a link from a number of the organization's email addresses to the addresses of other peers inside the same organization; as soon as someone clicks the link, the malware spreads across the network. That is why security awareness training is highly recommended to cut down the hazardous number of such attacks.
    3. The problem here is that everything looks normal, with no sign of a threat from such malware. Why is that? Fundamentally, when an attacker launches malware that scans a network for open ports or other vulnerabilities, the scans are run very slowly, so that no heavy traffic is generated as a result. This leads to the traffic being treated as normal. On the other hand, when a penetration tester scans a network for vulnerabilities, a lot of traffic is generated, and it is then detected as someone trying to scan the network.
    4. Furthermore, the backdoor software used by an attacker relies on protocols such as SSL/TLS/IPsec to encrypt its transmissions on port 80 or 443, both of which are open for access to the internet. Such encrypted packets are not usually recognizable as malware by antivirus software.
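The last two points (slow scans that stay under volume thresholds, and encrypted backdoor traffic on 443 that antivirus cannot inspect) have the same defensive answer: look at behaviour over a long window rather than at traffic volume or payload. The script below is an added example written for this page, not code from the post or its author. It runs over a small constructed connection log (the log lines, IP addresses, thresholds and function names are all assumptions made here) and flags a source that touches many distinct ports at a rate far below any volume alarm, and a flow whose connections to port 443 recur at near-constant intervals, which is the timing signature of a beacon even when the content is opaque TLS.

```python
"""Behavioural detection over connection logs: low-and-slow port scans and
periodic encrypted beacons. Sample log and thresholds are constructed
assumptions for illustration, not taken from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _line(ts, src, dst, port, nbytes):
    return f"{ts.isoformat()} src={src} dst={dst} dport={port} bytes={nbytes}"


def build_sample_log():
    """Constructed sample log (not captured from a real network)."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    # Slow scan: 20 distinct ports on one host, one probe every 30 minutes.
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                  443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
    for i, port in enumerate(scan_ports):
        lines.append(_line(t0 + timedelta(minutes=30 * i), "10.0.0.7", "10.0.0.20", port, 60))
    # Beacon: a connection to the same external host on 443 roughly every 300 s.
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]
    for i, j in enumerate(jitter):
        lines.append(_line(t0 + timedelta(seconds=300 * i + j), "10.0.0.5", "203.0.113.10", 443, 1200))
    # Benign background: a few web fetches at irregular times.
    for k, secs in enumerate([17, 400, 950, 3100, 7777]):
        lines.append(_line(t0 + timedelta(seconds=secs), "10.0.0.9", "198.51.100.4", 443, 5000 + k))
    return sorted(lines)


def parse(lines):
    """Turn 'ISO-timestamp src=.. dst=.. dport=.. bytes=..' lines into tuples."""
    events = []
    for line in lines:
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), fields["src"], fields["dst"],
                       int(fields["dport"]), int(fields["bytes"])))
    return events


def find_slow_scans(events, min_ports=15, max_per_hour=5.0):
    """Flag (src, dst) pairs that touch many distinct ports while staying under
    the per-hour rate a volume-based alarm would notice. Counting distinct
    ports across the whole retention window is what exposes a slow scanner."""
    ports = defaultdict(set)
    times = defaultdict(list)
    for ts, src, dst, port, _ in events:
        ports[(src, dst)].add(port)
        times[(src, dst)].append(ts)
    hits = []
    for key, pset in ports.items():
        if len(pset) < min_ports:
            continue
        span_h = max(1 / 60, (max(times[key]) - min(times[key])).total_seconds() / 3600)
        rate = len(times[key]) / span_h
        if rate <= max_per_hour:
            hits.append((key[0], key[1], len(pset), round(rate, 2)))
    return hits


def find_beacons(events, min_conns=8, max_cv=0.05):
    """Flag (src, dst, port) flows whose inter-connection intervals are nearly
    constant (low coefficient of variation). The payload is encrypted, so
    timing rather than content is the signal."""
    flows = defaultdict(list)
    for ts, src, dst, port, _ in events:
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, tss in flows.items():
        if len(tss) < min_conns:
            continue
        tss.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append((*key, len(tss), round(m, 1)))
    return hits


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("slow scans:", find_slow_scans(evs))
    print("beacons:   ", find_beacons(evs))
```

Both detectors deliberately ignore bytes and per-minute rates: the scanner is caught because its distinct-port count accumulates over nine and a half hours, and the beacon because its 300-second cadence is too regular for a human browsing session. The benign source is never flagged since it uses one port and its timing is irregular.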


This post was written by Joseph McCray
