{"id":52377,"date":"2023-06-15T00:00:00","date_gmt":"2023-06-15T00:00:00","guid":{"rendered":"urn:uuid:2211fa80-1e5e-9ae6-a9c9-34cd81d3b9ce"},"modified":"2023-06-15T00:00:00","modified_gmt":"2023-06-15T00:00:00","slug":"use-pci-dss-checklist-with-automation","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/use-pci-dss-checklist-with-automation\/","title":{"rendered":"Use PCI DSS Checklist with Automation"},"content":{"rendered":"

<\/p>\n

<\/div>\n

If your application processes, stores, or has anything else to do with payment cards, add maintaining the Payment Card Industry Data Security Standard (PCI DSS)<\/a> compliance to your list. As we discussed in previous articles<\/a>, continuous compliance is critical to avoiding data breaches.<\/p>\n

This article will look at the key factors of PCI DSS, examples of related breaches, and what steps to take to satisfy the requirements so you can reap the benefits.<\/p>\n

What is PCI DSS?<\/span><\/p>\n

This set of security standards was established in 2004 by major credit card firms because, unsurprisingly, applications that process payments are highly attractive targets for hackers and malicious actors. In 2022<\/a>, payment card fraud losses totalled $32.34 billion worldwide, with the US claiming more than a third of the total amount. And with the sustained proliferation of online shopping and apps that ramped up during the pandemic, credit\/debit card fraud only continues to increase.<\/p>\n

The mission of PCI DSS is to secure credit and debit card transactions not only to curb losses for banks and the payment card industry, but to increase consumer trust and safety. This is achieved through a set of security controls<\/a><\/span> that protect confidentiality, integrity, and accuracy of the card data. This compliance standard applies to every organization that stores, processes, and transmits credit card data. Unlike NIST, which is a framework you are strongly encouraged but not obligated to follow, you absolutely must comply with PCI DSS.<\/p>\n

PCI DSS in action<\/span><\/p>\n

The first breach that may come to mind is the Capital One hack<\/a> that exposed 106 million credit card applications and led to a $80 million fine<\/a> from US regulators. Let\u2019s look at some other breaches and how they could\u2019ve been avoided by referencing the PCI DSS rules and goals.<\/p>\n

Hobby Lobby<\/span><\/p>\n

In early 2021, Hobby Lobby<\/a> was hacked. An independent researcher that uses the handle Boogeyman identified the breach. He discovered a publicly accessible database on Amazon Web Services (AWS) that contained sensitive information from over 300,000 Hobby Lobby customers. The database was 138GB in size and had customer names, addresses, phone numbers, and partial card details. Oddly in the same database was the source code for the company’s app, which is another issue altogether.<\/p>\n

The breach was the result of a misconfigured cloud database that was publicly accessible. This is a clear violation of PCI DSS rules #3, #7, and #9<\/a>, because the payment card data was being stored on an open server. Hobby Lobby also failed to comply with rule #10<\/a>, which states that access to cardholder data and relevant network resources must be tracked and monitored. This clearly wasn\u2019t happening, otherwise the misconfiguration would have been remediated and the entire ordeal ultimately avoided.<\/p>\n

Shein<\/span><\/p>\n

The retail giant was fined 1.9 million USD<\/a> in October 2022, when credit card information and personal details of customers were exposed and subsequently stolen and sold online. Reported as the \u201cmost popular fashion retailer in the world<\/a>\u201d, Shein\u2019s worldwide reach means that 39 million users were affected. Further controversy arose when its parent company, Zoetop, deliberately underreported the damage, placing the number of those exposed at just 6.42 million, as reported by the BBC.<\/p>\n

Shein\u2019s cover up left victimized account holders in the dark, as the majority were not contacted about the breach, with no requests for customers to reset passwords.<\/p>\n

Following an investigation by the New York Attorney General, Shein was criticized by a number of cybersecurity experts for its \u201creactive cybersecurity strategies<\/a>\u201d and failure to protect their customers. Shein was just one of many victims recently, as Macy\u2019s, Adidas, and Saks Fifth Avenue have come under fire for exposing users. Previous attacks on other major retailers should\u2019ve motivated Shein to run security audits and remediate any vulnerabilities as required by PCI DSS.<\/p>\n

Why this matters to you<\/span><\/p>\n

While everyone in the organization plays a part in security, compliance starts at the top with the CISO. Recognizing the difference between security and compliance, and then enacting specific defense model to satisfy both junctures, is key to meeting standards.<\/p>\n

Trend Micro has identified five PCI DSS compliance steps<\/a> to help CISOs protect confidential data.<\/p>\n

These four compliance levels are dependent on the annual number of credit\/debit card transactions processed. The classification determines what your organization needs to do in order to remain compliant:<\/p>\n