Category Archives: PCI DSS

The Worldwide Failure to Comply with Payment Security Standards

Payment security continues to decline worldwide, with almost two-thirds of organizations failing to meet and maintain compliance standards, according to a new report released by Verizon.

The 2019 Payment Security Report (PSR) measured worldwide compliance with the Payment Card Industry Data Security Standard (PCI DSS) and found that only 36.7% of assessed organizations were fully compliant, down from the 52.5% reported in Verizon's 2018 PSR. The Americas had the lowest compliance, with just 20.5% meeting the global standard.

“We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data,” said Rodolphe Simonetti, Global Managing Director for Security Consulting at Verizon.

PCI DSS was introduced by the major payment card brands in 2004 as an industry-wide standard for securing payment card data, prescribing controls for how that data is stored, processed and transmitted. While the validation requirements vary according to an organization's annual volume of card transactions, the standard itself is organized around the following goals:

  • A secure network
  • Protection of cardholder data
  • A vulnerability management program
  • Access control measures
  • Regular network testing and monitoring
  • An information security policy

The decline in PCI compliance is a matter for concern as the frequency and cost of data breaches continue to rise. According to the 2019 PSR, not a single organization that experienced a breach was found to be fully compliant with PCI DSS.

“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches… Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization,” said Simonetti.

The post The Worldwide Failure to Comply with Payment Security Standards appeared first on Adam Levin.

The Comprehensive Compliance Guide (Get Assessment Templates)

Complying with cyber regulations forms a significant portion of the CISO's responsibility. Compliance is, in fact, one of the major drivers in the purchase and implementation of new security products. But regulations come in many shapes and sizes: some are tailored to a specific vertical, while others are industry-agnostic. Some bear explicit consequences for failing to comply

How to document PCI DSS-compliant policies and procedures – with template example

Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the PCI DSS (Payment Card Industry Data Security Standard) instructs organisations to implement policies and procedures to help staff manage risks.

Employees introduce many risks into businesses that technology simply can't prevent. Misconfigured databases, email attachments sent to the wrong person and records that are improperly disposed of are common examples of the ways staff compromise information.

These are the kinds of risks that a PCI DSS policy can help prevent.

What you should include in a PCI DSS policy

A PCI policy is a collection of written procedures and guides that state how an organisation manages its CDE (cardholder data environment). It should address:

  • Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE.
  • Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least once a year or whenever there is a security incident.
  • Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack or fail to follow proper protocol to contain it and recover.

Fast-track your documentation process

Policies and procedures only work if they are regularly reviewed and updated to ensure they work as intended. This can be time-consuming and challenging, so we’ve created our PCI DSS Documentation Toolkit to simplify the job.

This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements.

Below is an example of one of the customisable templates in our Documentation Toolkit:
[Screenshot: one of the PCI DSS template documents from the Documentation Toolkit]

It contains all the information you need to ensure PCI DSS compliance; all you need to do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario. It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

A version of this blog was originally published on 13 November 2017.

The post How to document PCI DSS-compliant policies and procedures – with template example appeared first on IT Governance Blog.

Data Protection Laws & Compliance As Drivers of WAF Adoption

WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.

Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?

Driver of WAF adoption

In a research study by Computing, 62% of IT decision makers surveyed across various industries stated regulatory compliance as their primary reason for purchasing a WAF.

With regulations introduced to protect consumer data, businesses and organizations are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), given that the card brands contractually require it of any business that stores, processes or transmits cardholder data, including those that accept credit card payments online.

The study also found other notable drivers of WAF adoption:

  • 46% of respondents said that their applications' inherent vulnerability to application-layer attacks had enabled them to present a compelling business case for a WAF.
  • 23% were driven by penetration testing that alerted them to serious vulnerabilities in their web applications.
  • 18% stated that there was simply no other cost-effective way of securing legacy applications.

Role of WAF in data protection laws


In the 1990s, there were only 20 data privacy laws worldwide. Now, there are over 100.  In many cases, government regulations require the deployment of a WAF, either explicitly or implicitly. 

WAFs by their very nature are designed to protect an organization's core web-facing assets (its web applications) and the integrity of the data behind them. Countries with mature cybersecurity markets tend to have data protection or data privacy laws that address data security directly, which is where a WAF becomes relevant to compliance.

One of the best-known government laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), the EU regulation governing the protection and privacy of personal data for individuals in the EU.

However, not all countries have highly developed laws like the GDPR. Many countries have data protection laws that are too general and do not provide enough guidance to assign any real accountability to companies that hold user data. In these cases, there is also no mention of deploying a WAF.

Saudi Arabia, for example, has privacy laws similar to those found in other countries, but they address only privacy and data collection, with no mention of data security and no clause requiring users to be notified of data breaches.

Why compliance and protecting customer data matter

Besides a desire to avoid penalties or the suspension of their services, adhering to data protection laws and industry compliance standards also establishes trust among data owners.

By demonstrating a commitment to data protection through compliance, an organization makes more users willing to engage with its services. If an organization does not uphold these standards, users will be less willing to hand over their personal information, and the company's reputation may be on the line.

Therefore, it makes sense that any company that processes, manages and stores personal data must implement the proper security controls to protect user data and notify users of any data breaches.

Though not all data privacy laws explicitly require WAF adoption, deploying one is a practical way to meet the data-security obligations they impose on web applications.

Take a look below at some of the laws around the world aimed at protecting user data.

Europe
  • EU: GDPR (General Data Protection Regulation)
  • UK: Data Protection Act 2018
  • Sweden: Data Protection Act (DPA)
  • France: French Data Protection Act 2 (FDPA)
  • Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG)

North America
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • US: Privacy Act of 1974; Family Educational Rights and Privacy Act (FERPA)

Latin America
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Mexico: Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
  • Argentina: Personal Data Protection Act 2000 (Law No. 25,326)

Middle East
  • Israel: Privacy Protection Law (5741-1981)

Africa
  • South Africa: Protection of Personal Information Act 2013 (POPIA)

Asia-Pacific
  • Singapore: Personal Data Protection Act 2012
  • Hong Kong: Personal Data (Privacy) Ordinance (Cap. 486) (PDPO)
  • Australia: Privacy Act 1988 and Telecommunications Act 1997
  • Malaysia: Personal Data Protection Act 2010 (PDPA)

Is there a famous data privacy law we missed? Drop us a line!

The post Data Protection Laws & Compliance As Drivers of WAF Adoption appeared first on Cloudbric.

A Guide to PCI Compliance in the Cloud

As hosting infrastructure in the cloud becomes more and more attractive, whether for maintenance, price, availability or scalability, several service providers offer PCI-DSS (Payment Card Industry Data Security Standard) compliant solutions for customers that need to handle payment cards.

Many companies believe that once they choose a provider that is already certified against PCI-DSS, no further action is required because the environment has already been assessed. A PCI-DSS compliant provider does bring more security and reliability, but its certification alone does not make the customer's environment compliant: the customer's own systems, configurations and processes remain in scope for the customer's assessment.

Every certified service provider must therefore give its customers a responsibility matrix that clearly defines which PCI-DSS requirements the provider covers, which the customer covers and which are shared, so that each party knows what it has to do to achieve compliance in the environment. (Requirement 12.8 obliges the customer to keep track of which requirements each provider manages, and Requirement 12.9 obliges the provider to acknowledge its responsibilities in writing.)

With this in mind, here are some important points to take into account, focusing mainly on the first six PCI-DSS requirements, along with some information that cloud service providers themselves should consider.

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data

To protect cardholder data you must implement and configure network segmentation of the environment in line with the PCI network requirements, and verify it with the tools the provider offers to help customers achieve compliance. Some important services to consider:

  • Network groups (security groups): the provider's tool for logical segmentation of the cloud-hosted environment. Traffic between instances is denied by default, and rules must be created explicitly to allow access between them; keep those rules to the minimum the CDE needs and review them regularly.
  • Private cloud (virtual private cloud): used to isolate the customer's networks as private networks, so that no other network can connect except those explicitly authorized by the segmentation rules created inside the same private cloud. This makes segmentation and access management simpler and reduces the exposure of the environment and of card data.
  • Elastic computing (autoscaling): creates instances that scale out, that is, once a user-defined load threshold is reached another instance identical to the first is launched, repeating as more processing power is needed and terminating instances again as load falls. Every instance launched this way is part of the CDE, so it must inherit the same hardened image and the same security-group rules as the first.
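The segmentation check a reviewer would actually run over those security-group rules, as an added example that is not part of the original guide or any provider's tooling. The group and rule layout is a constructed sample in the shape a cloud API might return; the field names (`cde`, `src_cidr`, `src_group`), the CDE subnet ranges and the allow-listed public port are assumptions. It flags the three mistakes that most often break Requirement 1 in the cloud: an in-scope group open to the whole Internet on a port that should not be public, an in-scope group accepting traffic from an out-of-scope group, and a CIDR rule far wider than the CDE subnets.

```python
"""Audit security-group ingress rules for a cardholder data environment (CDE).

Added example for Requirement 1 (not from the original article). The group
and rule layout below is a constructed sample in the shape a cloud API
might return; field names ("cde", "src_cidr", "src_group") are assumptions.
"""
import ipaddress

# Assumption: the CDE lives in these two subnets of the private cloud.
CDE_SUBNETS = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "10.20.1.0/24")]

# The only (protocol, port) a public-facing CDE group may expose to the Internet.
ALLOWED_PUBLIC = {("tcp", 443)}

# Constructed sample data: three groups, tagged by whether they are in scope.
GROUPS = {
    "sg-web": {"cde": True, "rules": [
        {"proto": "tcp", "port": 443, "src_cidr": "0.0.0.0/0"},      # public HTTPS: expected
        {"proto": "tcp", "port": 22, "src_cidr": "0.0.0.0/0"},       # SSH from anywhere: finding
    ]},
    "sg-db": {"cde": True, "rules": [
        {"proto": "tcp", "port": 5432, "src_group": "sg-web"},        # CDE web tier -> DB: fine
        {"proto": "tcp", "port": 5432, "src_group": "sg-analytics"},  # out-of-scope group -> DB: finding
        {"proto": "tcp", "port": 5432, "src_cidr": "10.0.0.0/8"},     # far wider than the CDE subnets: finding
    ]},
    "sg-analytics": {"cde": False, "rules": [
        {"proto": "tcp", "port": 8080, "src_cidr": "10.30.0.0/16"},   # not in scope, not audited
    ]},
}


def audit_cde_ingress(groups=GROUPS, cde_subnets=CDE_SUBNETS, allowed_public=ALLOWED_PUBLIC):
    """Return (group, port, reason) for every CDE ingress rule that breaks segmentation.

    A CDE group may accept traffic only from another CDE group, from a CIDR that
    lies inside the CDE subnets, or on an allow-listed public port.
    """
    findings = []
    for name, group in groups.items():
        if not group["cde"]:
            continue  # rules on out-of-scope groups do not touch the CDE boundary
        for rule in group["rules"]:
            port = rule["port"]
            if "src_group" in rule:
                src = rule["src_group"]
                if not groups.get(src, {}).get("cde", False):
                    findings.append((name, port, f"non-cde-group:{src}"))
                continue
            net = ipaddress.ip_network(rule["src_cidr"], strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                if (rule["proto"], port) not in allowed_public:
                    findings.append((name, port, "world-open"))
                continue
            inside_cde = any(net.version == s.version and net.subnet_of(s) for s in cde_subnets)
            if not inside_cde:
                findings.append((name, port, f"outside-cde:{net}"))
    return findings


if __name__ == "__main__":
    for group, port, reason in audit_cde_ingress():
        print(f"{group}: port {port}: {reason}")
```

Run against the sample it reports the SSH rule on `sg-web`, and on `sg-db` both the reference to the out-of-scope `sg-analytics` group and the 10.0.0.0/8 rule; the public HTTPS rule and the web-tier-to-database rule pass. Feeding it the real rule set exported from the provider's API is a matter of mapping the provider's field names onto the three used here.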

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

With SaaS (Software as a Service), responsibility for applying secure configuration controls rests with the provider, provided the provider has identified that service as part of its own assessed environment.

With PaaS (Platform as a Service) or IaaS (Infrastructure as a Service), where the customer configures the instance, it is very important to write a hardening procedure and make sure it has been applied to the instance before creating the rules that grant access from other environments: change every vendor-supplied default credential, remove unnecessary services and accounts, and keep to one primary function per server.

Requirement 3: Protect stored cardholder data

Secure storage of card data is one of the priorities of the standard. Cloud storage does not make stored card data compliant by itself: the PAN must be rendered unreadable wherever it is stored (by truncation, tokenization, one-way hashing or strong cryptography), so the company acquiring the service must identify how it will do that during processing and whether the provider offers the necessary tools.

For card data encryption, key management is as crucial as the encryption of the data itself. The data-encryption keys (DEKs) and key-encryption keys (KEKs) must be documented and managed securely by the customer, which can use the key-management resources the providers offer. The standard expects a DEK to be stored encrypted under a KEK at least as strong as itself and kept separately from the data it protects, with restricted custodianship and a defined cryptoperiod after which keys are rotated.
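How the DEK/KEK hierarchy just described works in code, as an added example that is not part of the original guide or any provider's SDK. It uses AES-256-GCM from the third-party `cryptography` package (`pip install cryptography`). In a real deployment the KEK would be held in the provider's KMS or HSM and never leave it; here it is an in-memory byte string (an assumption) so the example runs offline, and the PAN is the constructed test number 4111111111111111. The point it makes that the paragraph alone does not: because only the wrapped DEK sits beside the ciphertext, rotating the KEK rewraps one small blob and never touches the stored card data.

```python
"""Envelope encryption of stored PAN with a DEK/KEK hierarchy.

Added example for Requirement 3 (not from the original article). It needs
the third-party `cryptography` package. In a real deployment the KEK lives
in the provider's KMS/HSM and never leaves it; here it is an in-memory
byte string (an assumption) so the example runs offline.
"""
import json
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonces, as recommended for AES-GCM


class KeyEncryptionKey:
    """Stand-in for a KMS-held KEK: it wraps and unwraps DEKs and never sees PAN."""

    def __init__(self, key_id, key_bytes=None):
        self.key_id = key_id
        self._key = key_bytes or AESGCM.generate_key(bit_length=256)

    def wrap(self, dek):
        nonce = os.urandom(NONCE_LEN)
        # The KEK id is bound as associated data so a wrapped DEK cannot be
        # silently moved to a record that claims a different KEK.
        wrapped = AESGCM(self._key).encrypt(nonce, dek, self.key_id.encode())
        return {"kek_id": self.key_id, "nonce": nonce.hex(), "wrapped": wrapped.hex()}

    def unwrap(self, blob):
        if blob["kek_id"] != self.key_id:
            raise ValueError(f"DEK is wrapped under {blob['kek_id']}, not {self.key_id}")
        return AESGCM(self._key).decrypt(
            bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["wrapped"]), self.key_id.encode()
        )


def encrypt_pan(pan, kek):
    """Encrypt one PAN under a fresh DEK and return the record to store.

    The record holds the wrapped DEK beside the ciphertext; the KEK itself is
    never stored with the data, which is what Requirement 3.5 asks for.
    """
    dek = AESGCM.generate_key(bit_length=256)  # one DEK per record
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(dek).encrypt(nonce, pan.encode(), b"pan")
    return {
        "dek": kek.wrap(dek),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "last4": pan[-4:],  # truncated PAN for display: itself an acceptable rendering
    }


def decrypt_pan(record, kek):
    """Unwrap the DEK with the KEK, then decrypt the PAN; fails closed on any mismatch."""
    dek = kek.unwrap(record["dek"])
    return AESGCM(dek).decrypt(
        bytes.fromhex(record["nonce"]), bytes.fromhex(record["ciphertext"]), b"pan"
    ).decode()


def rotate_kek(record, old_kek, new_kek):
    """Rotate the KEK: only the wrapped DEK changes, the PAN ciphertext is untouched."""
    dek = old_kek.unwrap(record["dek"])
    return {**record, "dek": new_kek.wrap(dek)}


def serialize(record):
    """What actually lands in the database: hex strings and a KEK id, no key or PAN in clear."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    kek_2019 = KeyEncryptionKey("kek-2019")
    rec = encrypt_pan("4111111111111111", kek_2019)  # constructed test PAN
    print(serialize(rec))
    rec = rotate_kek(rec, kek_2019, KeyEncryptionKey("kek-2020"))
    print("after rotation the ciphertext is unchanged; last4 =", rec["last4"])
```

Two design points worth noting. The KEK id is authenticated as associated data, so a record cannot be pointed at the wrong KEK without the unwrap failing, and `decrypt_pan` with a retired KEK raises rather than returning garbage. Rotating the DEK itself (the end of its cryptoperiod under Requirement 3.6.4) does require re-encrypting the data, which is why one DEK per record, as here, keeps that job incremental.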

Requirement 4: Encrypt transmission of cardholder data across open, public networks

The customer must plan the implementation of secure communication channels, either by acquiring a secure communication service or by deploying certificates for the communication itself. Always use strong cryptography with protocols PCI-DSS accepts, such as TLS 1.2 or later, IPsec or SFTP. SSL and early TLS (TLS 1.0) are no longer considered strong cryptography and had to be retired as a security control by 30 June 2018, so check that every endpoint in the CDE, including provider-managed load balancers, refuses them.

Requirement 5: Use and regularly update anti-virus software or programs

Another common mistake is to assume that anti-virus is the service provider's responsibility, or that the company's own systems are not susceptible to malicious software.

Cloud services do not include this type of software by default in every scenario. This means that those seeking PCI-DSS certification need to decide how to implement and define the use of an anti-malware solution, ensuring its installation, management, logging and monitoring on every in-scope system commonly affected by malware.

Requirement 6: Develop and maintain secure systems and applications

Where the service offered by the cloud provider is itself certified (SaaS) and the responsibility matrix confirms that the provider covers the underlying platform, the customer does not need to take additional action for the management of the infrastructure that maintains that environment; it remains responsible for its own application code and configuration.

When acquiring IaaS or PaaS services, however, it is important to establish vulnerability identification procedures, security patching, change management and secure development practices.

Specifically for public-facing web applications, PCI-DSS (Requirement 6.6) requires either a review of the application for vulnerabilities, by manual or automated methods, at least annually and after any change, or the installation of an automated technical solution in front of the application that detects and prevents web-based attacks. A Web Application Firewall satisfies the second option and can be acquired from the provider's marketplace or as a managed service (e.g. AWS WAF, Azure Web Application Firewall, Google Cloud Armor); it complements secure development (Requirement 6.5), which applies in either case.


Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player, while observing America's regulatory environment limit competition and increase prices for consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company's revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending.

The post A Guide to PCI Compliance in the Cloud appeared first on Cloudbric.