Aligning with PCI DSS 4.0's new objectives

Linkedin 23-02-2022

Today, ransomware is a multibillion-dollar business. So far, it has devastated a number of industries. The persistence of weak security mechanisms and outdated operating systems has made these attacks and others like them possible. Malicious actors are likely to keep targeting a range of businesses with ransomware in the future. They will almost certainly target individual companies' POS systems, since EMV chip cards have made harvesting card data very difficult.

Fortunately, by adhering to the PCI DSS, organisations can help protect cardholder environments from ransomware and other digital threats. PCI DSS was created by the PCI Security Standards Council to help organisations protect cardholder data; as a result, card issuers and banks bear less liability in the event of a data breach at a merchant.

PCI DSS Version 4.0

There is little information available about the new PCI DSS. The PCI Security Standards Council expects to complete version 4.0 by Q1 2022. However, we do know a few of the new standard's objectives. These include the following:

  • As technologies and solutions evolve, the revised standard will continue to meet industry needs.
  • PCI DSS v4.0 will aim to increase flexibility and compatibility with alternative security methodologies. (The standard has historically set a high bar; in the past it introduced requirements for file integrity monitoring (FIM) and vulnerability management (VM).)
  • PCI DSS v4.0 will emphasise security as a continuous process, allowing organisations covered by the standard to maintain compliance over time.
  • Finally, PCI DSS v4.0 will enhance validation methods and procedures to assist organisations in adhering to the standard.

Following completion of PCI DSS v4.0, organisations will have an extended transition period to update to the standard's latest version. PCI DSS v3.2.1 will remain in effect for 18 months following the release of v4.0. This allows organisations to become acquainted with the standard, its supporting documents, and any other updates. Organisations must complete their update plans by Q1 2022, the anticipated release date of v4.0.

Several Points to Consider

This transition period may exacerbate some of the PCI DSS compliance challenges. To begin, configuration drift is a cause for concern. To maintain the desired state of systems in cardholder environments, organisations must first define that desired state and then monitor systems for deviations from it.

Second, organisations are required to demonstrate compliance to auditors. The duration of an audit varies according to the assets, tests, and controls involved. (After all, organisations must demonstrate compliance using historical data.) Depending on their resources and cardholder data environments, organisations may not audit all systems. This decision may leave specific digital threats undetected.

Finally, organisations may elect to invest in PCI DSS compliance but not in strengthening security. PCI DSS requires log management, FIM, and VM capabilities, but implementing each security function separately can be costly. Even then, the functionality may be limited to a "checkbox" function: a FIM solution may alert on changes but provide no context, while a VM solution may run routine scans and identify vulnerabilities but offer no guidance and hold no one accountable for addressing them.

How can we help?

Extreme Compute can assist firms in preparing for PCI DSS v4.0 compliance. We can help enterprises demonstrate compliance not only with PCI DSS but also with other important standards such as CIS, ISO 27001, and many others. This is accomplished through pre-built audit report templates and automatic compliance reporting. Extreme Compute connects to all assets in scope, tests them, and determines whether they pass or fail a compliance test, saving enterprises the time they would otherwise spend auditing everything manually.