A deadline is rapidly approaching for every organization and business that stores, processes, or transmits cardholder data – affecting a wide range of businesses and organizations that include retail merchants, banks, insurance agents, payment gateways, airlines, and transport service providers.

By March 31, 2024, the current version 3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS) will expire, and the new 4.0 version must be implemented. It is the largest change to the standard since 2004, including updates to existing requirements and not least 64 brand-new ones.


Given that the cyber security threat landscape continues to evolve and expand year after year – a fact that can be studied in detail in Verizon’s annual Data Breach Investigations Report (DBIR) – few businesses should or would want to risk having their customers’, clients’ or partners’ payment card data compromised because they were not compliant with security standards that should be taken for granted. You don’t have to look long to find examples of the severe negative impact a breach of card data can have on a company’s profitability, not to mention its brand reputation. Incidents analyzed for Asia Pacific (APAC) give the following picture:

Incidents analyzed for Asia Pacific (APAC)

Basic Web Application Attacks and Social Engineering continue to be persistent threats for APAC, according to Verizon’s Data Breach Investigations Report. In this region, we see the well-known trifecta of Hacking (58%), Social (48%), and Malware (36%) taking centre stage. The majority of attacks were perpetrated by attackers with Financial motives (81%). The predominant Hacking action was ‘use of stolen credentials’ (83%) being mostly used to compromise a web application (60%).  The social attacks in this region accounted for approximately twice the number we saw in other regions, and consisted almost exclusively of Phishing (99%). There were also a substantial number of defacement attacks in this region in 2022 (over 2,800), which pushed the attribute of “Integrity” up to 75% of incidents – a number higher than in other areas of the world. 

With this, some of the new controls in PCI DSS 4.0 have become timelier and more relevant in APAC. These are of course to be implemented in conjunction with the rest of the controls in the standard:

  • PCI Requirement 6.4.2 (WAF) – Automated Technical Solutions such as a Web Application Firewall (WAF) become a mandatory deployment (instead of optional) to protect public-facing web applications against web-based attacks. 
  • PCI Requirement 6.4.3 (Payment Page Integrity) – mechanisms such as Sub-Resource Integrity (SRI) or Content Security Policy (CSP) are to be enforced to ensure the integrity of payment page scripts.
  • PCI Requirement 11.6.1 (Tamper-Detection) – change- and tamper-detection mechanisms must be deployed to alert personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser.
  • PCI Requirement 5.4.1 (Phishing Attacks) – Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.
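As an added illustration of the integrity checks behind Requirements 6.4.3 and 11.6.1 (example code, not from the article or from Verizon): a small Python script that derives the SRI value of an authorised script, then compares a captured copy of the payment page and its response headers against an approved baseline, flagging unlisted scripts, missing or mismatched `integrity` attributes, and changed headers. All URLs, script content and headers are constructed for the example.

```python
import base64
import hashlib
import re

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value a <script integrity="..."> tag should carry for this content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def check_payment_page(html, headers, allowed_scripts, baseline_headers):
    """Return findings; an empty list means page and headers match the approved baseline.
    allowed_scripts: script URL -> expected SRI value (the Req. 6.4.3 script inventory).
    baseline_headers: header name -> expected value (the Req. 11.6.1 header baseline)."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src")
        if src is None:
            findings.append("inline script on payment page")
        elif src not in allowed_scripts:
            findings.append(f"unauthorised script: {src}")
        elif attrs.get("integrity") != allowed_scripts[src]:
            findings.append(f"missing or mismatched integrity attribute: {src}")
    for name, expected in baseline_headers.items():
        if headers.get(name) != expected:
            findings.append(f"header differs from baseline: {name}")
    return findings

# Constructed sample data (hypothetical URLs and content): the authorised checkout
# script, the allowlist derived from it, and a captured page with its headers.
CHECKOUT = "https://cdn.example.test/checkout.js"
GOOD_JS = b"window.pay = function () { /* authorised checkout code */ };"
ALLOWED = {CHECKOUT: sri_hash(GOOD_JS)}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.test"}
# The captured page carries the approved script with a correct integrity attribute
# plus a second script not in the inventory, and the CSP header has been loosened.
CAPTURED_PAGE = (
    "<html><head>"
    f'<script src="{CHECKOUT}" integrity="{ALLOWED[CHECKOUT]}" crossorigin="anonymous"></script>'
    '<script src="https://cdn.example.test/extra.js"></script>'
    '</head><body><form id="card"></form></body></html>'
)
CAPTURED_HEADERS = {"Content-Security-Policy": "script-src *"}

if __name__ == "__main__":
    for finding in check_payment_page(CAPTURED_PAGE, CAPTURED_HEADERS, ALLOWED, BASELINE_HEADERS):
        print("ALERT:", finding)
```

Run periodically against a fresh capture of the live payment page; any non-empty result is the alert Requirement 11.6.1 expects personnel to receive.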

All these controls are current best practices until 31 March 2024 but will be mandatory from April 2025.  

While there are new controls that will be mandatory, our Verizon QSAs (Qualified Security Assessors) in APAC still detect basic issues during our initial assessments. Some of these are as follows:

  1. Maintaining a Scope Confirmation Process. New data flows that the customer had not identified are uncovered during the interviews. Usually, limited or no controls have been implemented on these newly discovered data flows. The absence of appropriate controls is more common when CHD (cardholder data) is stored, processed, or transferred outside structured systems and applications and ends up in extracted reports or files.
  2. Managing Interval-based Controls (e.g. Quarterly Scans). Clients assume they are compliant as long as the scan is performed on any date within the quarter, even though the required 90-day interval between passing results is not maintained. Very similar outcomes are seen with other periodic controls such as penetration tests (annual) and firewall rule reviews (semi-annual).
  3. Managing Security Patches and End-of-Support Technologies. On several occasions we have found that organizations do not adhere to the timelines for patching vulnerabilities, especially critical and high vulnerabilities. Often there are many systems that have not received security patches or updates in more than a year. End-of-life or end-of-support software is also in use without an upgrade or service extension plan.
  4. Managing Third Party Compliance. It is very difficult to manage and control third-party vendors’ PCI compliance, and sometimes it is even more difficult to terminate and replace those vendors for non-compliance.
  5. Roles & Responsibilities. Each staff member has their own day-to-day operational job outside of PCI DSS, with no capacity to implement or maintain actual PCI DSS responsibilities.

Complexity can be vastly reduced

However, for many, designing a payment security management program can seem as complex as trying to solve a mechanical three-dimensional (3D) combination puzzle. Each move affects the rest of the design and overall system. At the same time, while some struggle to solve the puzzle’s quintillions of options, others solve it within a few seconds. 

The difference has to do with approach and methodology. You can spend endless hours with trial-and-error and spinning the puzzle’s cubes until you, perhaps, find a solution that meets your needs. Or you can use a reliable, logical method to cut time, effort and cost and quickly solve the problem with the best possible results.

Similarly, Payment Card Industry (PCI) security programs require the alignment of multiple elements. But this complexity can be vastly reduced with a sound program design—the application of a method to apply the correct sequence of steps—and by understanding the cause-and-effect relationships between moves.

Recognizing a successful PCI security program

For many organizations, a large part of the journey in PCI security and compliance is about moving from a disjointed set of activities and policies to creating a formalized program. Too often, security programs are developed in an ad hoc manner—in a reactive mode with little advanced planning and with an outcome that seems inevitable: a drop in compliance, reduced control effectiveness and increased risk of a breach. 

That is why project design strategy and management are fundamental to achieving PCI security success. In short, a successful PCI security program is recognized by the following outcomes:

  • An effective program: Get the right work done with evidence of assurance that its control environment and key controls are effective in meeting the intent of all control objectives. 
  • Efficiently executed: Produce economical program results, executed in a better manner with minimum waste of resources.
  • Strategically aligned: Program design and execution are neither tactical nor reactive and are strategically aligned to support the overall business strategy. 
  • Sustainable performance: Compliance management is a marathon, not a sprint. It requires sustainable life cycle management of the controls and the environment.  
  • Ongoing maturity improvement: Program processes must continually progress toward higher process capability maturity. 

Avoid common mistakes and think long-term

The design and management require an integrated perspective which means end-to-end visibility of the primary building blocks and critical inputs and outputs of the program. This is also a critical success factor for the program to be effective and sustainable. 

When designing the security management programs for your organization, you should avoid the common mistakes listed below, taken from the insights in the 2023 Payment Security Report which we published recently. And remember that PCI security management programs are not temporary endeavours. Compliance with PCI security regulation is a long-term business concern that requires strategic planning to develop the capability to sustain ongoing compliance operations for many years.

  • Neglecting to secure early stakeholder buy-in when establishing the compliance program.
  • Failing to identify goals and desired outcomes (including building in sustainability and effectiveness of the control environment).
  • Setting up a project instead of a program; focusing on project rather than program outcomes.
  • Underestimating the comprehensive nature and complexity of a security program, thereby not securing the capabilities needed for ongoing program support.
  • Failing to establish clear program objectives, focusing on compliance and not on effective data protection.
  • Neglecting to build sustainable processes.
  • Maintaining organizational silos—hampering communication, performance, and sustainability.
  • Focusing on technology; undervaluing processes and procedures.
  • Forgetting, underinvesting, rushing—inadequate organizational competency development.
  • Falling short on training and educational efforts.

The article titled “10 mistakes to avoid when managing payment security” was authored by Ferdinand Delos Santos & Rokon Zaman – Leaders of Verizon Cyber Security Consulting – Payment Security Programs in APAC

About the authors

(L) Ferdinand Delos Santos & (R) Rokon Zaman – Leaders of Verizon Cyber Security Consulting – Payment Security Programs in APAC

Ferdinand Delos Santos, Associate Director, Cyber Security Consulting at Verizon Business Group

Ferdinand Delos Santos (Ferdie) is a seasoned industry and business leader in the field of IT & Information Security. He is currently serving as Associate Director & a member of the leadership team for Security Consulting in Singapore and Asia Pacific at Verizon Business Group.

Ferdie is responsible for the business and portfolio management of security professional services in Singapore and Asia, including Security Governance, Risk & Compliance Management Programs, working for several top global enterprises, critical infrastructure services and government organizations in the region.

Ferdie also serves as the Asia Pacific Leader of Verizon Payment Security Programs which helps financial & payment industries strengthen the overall cybersecurity ecosystem through compliance to regulatory standards such as PCI DSS, SWIFT, Card Brand (Visa & MasterCard) and Central Bank regulations.

Ferdie is a cybersecurity advisory mentor and has assisted the growth and career development of security practitioners in Singapore and the region. He holds several internationally recognized certifications such as PCI QSA, CISA and ISO 27001 Implementer. Ferdie has a proven track record of successfully defining cyber security management programs, running large projects, leading people and managing a consulting business as a delivery, people and revenue manager.

Sk Mohammad (Rokon) Rokonuzzaman, Associate Director, Cyber Security Consulting, Verizon Business Group

Rokon is an Associate Director of the Cyber Security Consulting Practice for Verizon Business Group in Australia. Rokon has over 15 years’ experience in Cyber Security advisory and assessment services across Financial Services, Commercial and Public sectors. Rokon is currently responsible for the delivery and management of cyber security consulting engagements in the ANZ region.

As a Security Leader, Rokon has provided leadership and management oversight to Security Professionals responsible for the delivery of cybersecurity consulting engagements. These projects assist organisations to establish, improve the maturity of and maintain their security programs, and also ensure adherence to security industry best practices and local security and regulatory/compliance frameworks.

Rokon has a Bachelor’s in Computer Science and Engineering from BUET and a PhD in Computer Science and Information Technology from Monash University, Australia.