Reaching PCI Nirvana: Successful Audits and Continuous Compliance

All enterprises are subject to a growing range of legal and regulatory frameworks. Achieving – and, crucially, maintaining – compliance with these frameworks is a critical part of overall risk management.

PCI-DSS is one of the best-known regulatory frameworks, applicable to any organization that handles payment-card data. With an update to the standard coming into force from January 1st 2019, all organizations subject to PCI should be considering their current position to ensure they are compliant with the new version.

AlgoSec CTO, Professor Avishai Wool, recently hosted a technical webinar to recap the features of the latest update to the PCI standard. He provided guidance on how organizations can easily achieve and maintain compliance ahead of their next audit. Here’s a summary of the key takeaways from the webinar.

PCI DSS 3.2.1: The History

As many will be aware, when connecting to a website using https, the connection is secured using encryption. The cryptography underpinning that encryption uses Transport Layer Security (TLS) or its predecessor, Secure Socket Layer (SSL). There are multiple versions of each.

Back in 2014 and 2015, a run of sophisticated cyberattacks targeted SSL 2.0 and 3.0, and TLS 1.0, including the well-known HEARTBLEED, FREAK and POODLE attacks. As a result, the industry consensus was that these versions were essentially broken beyond repair and could no longer be relied upon for serious, enterprise-grade security. When PCI-DSS Version 3.1 was announced in 2015, it stated that SSL and early TLS could no longer be considered ‘strong’ cryptography, and could not be used as compliant security controls beyond April 2016. Organizations had to switch to newer versions.

As of 2016, all major web browsers supported TLS 1.2, implying that switching to this newer, more secure version should be easy. However, it’s not that simple. TLS is not used by only web servers and browsers. Machine-to-machine API communications, web-page scraping utilities, automatic testing platforms, email servers and clients, and embedded web-servers inside devices may all use TLS, too. All of these need to be upgraded to achieve PCI-DSS compliance. The bottom line is that upgrading to TLS 1.2 requires a substantial amount of testing and time.

The PCI DSS Council realized this, and so introduced PCI-DSS version 3.2 in 2016, to extend the TLS 1.2 migration period. PCI-DSS 3.2.1 was announced in May of this year with additional minor updates. This version will be definitive from 1 January 2019, and makes TLS 1.2 mandatory. As a result, all organizations within the scope of PCI-DSS need to ensure that they are using at least TLS 1.2 throughout their infrastructure by the beginning of next year. They must be able to demonstrate this to PCI auditors.

The Audit Challenge

Unfortunately, manual PCI-DSS audits can be costly and complicated. They slow down business operations and are error-prone. As with all compliance, the best practice for PCI-DSS is not one-off but to achieve continuous compliance. That is, you should be able to monitor compliance throughout the lifecycle of each and every application on your estate, from discovery and definition, through migration and deployment, to ongoing maintenance and eventual decommissioning.

Achieving Compliance Now and Forever

This is where AlgoSec’s Security Policy Risk Mitigation and Continuous Compliance and Auditing solutions come in. The solutions review all of the capabilities automatically, all of the time, and are available for readings whenever you need them. The overarching view of PCI-DSS compliance, across your entire estate, is available at the click of a button.

For example, our Security Management suite gives a view of high-level security across all firewalls and other security devices along with an overarching score provided for each device in terms of its PCI-DSS compliance. You can filter out the newest and latest version of PCI-DSS in your reporting, giving an auditor an instant view of your progress against the new framework.

However, you do not need to work on a device-by-device basis if you don’t want to. The PCI-DSS framework contains multiple different requirements. Our system categorizes all of your devices against the PCI-DSS requirements that they are subject to, giving you—and auditors—an immediate picture of your performance.

Automatically Identifying TLS 1.2 Upgrade Requirements

AlgoSec can tell you how compliant with PCI-DSS each application is, building up a highly detailed and granular picture of overall compliance. There may be dozens, hundreds or even thousands of individual web servers hidden within devices in your infrastructure. For compliance, each needs to be upgraded to TLS 1.2. With AlgoSec and an integrated vulnerability solution, you can identify those applications that are connected to and from the declared PCI zone and devise your upgrade plan.

Other information contained within AlgoSec’s compliance reports include data on how up-to-date your software versions are, highlighting those which are no longer under technical support from their vendors and are therefore out of PCI-DSS compliance. We also help you to control the change processes on security devices, providing an application-aware workflow system for network security change management. Use this and it becomes part of your overall PCI-DSS audit process.

Compliance in the Cloud

It’s also important to remember that credit- and debit-card processing systems running in the cloud are subject to PCI-DSS requirements, just like on-premise systems. Here, AlgoSec provides capabilities across multi-cloud, hybrid, public, private and legacy cloud environments, supporting your audit requirements with exactly the same reporting systems as for your on-premise environment.

Continuous Compliance at the Click of a Button

Achieving and maintaining PCI-DSS 3.2 compliance, then, is made much easier by building a strategy of continuous compliance into your network change processes. AlgoSec can support you in this by giving visibility across your entire infrastructure, with a view that is organized around each individual requirement within PCI-DSS.

For detailed guidance on how automation can help you pass your next PCI security audit with flying colors, watch the full webinar with Professor Wool.