PCI v3.0 – WHAT DOES IT MEAN FOR DATA SECURITY AND ARE COMPANIES READY?

By Beth Hull, Marketing Executive at Acunetix

The new Payment Card Industry Data Security Standard (PCI DSS) v3.0 came into effect in January this year to tighten up web security, which means all merchants are now regularly using a vulnerability scanner for their web apps and have an up-to-date web application firewall in place. Or have they?

In today’s digital world, data breaches and attacks are increasingly common, driven by the sky-high potential fraudulent gains. Often highly publicised, such attacks regularly occur in both the government and commercial sectors, the most recent high-profile victim being Sony Pictures.

Worldwide e-commerce sales now exceed $1.3 trillion and are continuing to rise. The sensitive card and personal data behind these transactions is transmitted and stored online, and if it is stolen by cyber criminals the financial repercussions for both traders and consumers are immense. The FBI was recently quoted as saying that 519 million financial records in the United States had been stolen in a 12-month period between 2013 and 2014.

But it’s difficult for CIOs/CSOs to stay on top of security concerns, especially as they are always playing catch-up with online attackers. PCI compliance is designed to help. It is a structured security checklist which aims to secure financial data and helps to distinguish the secure and reliable businesses from the risky ones. The aim of the new standard is to better secure both merchant and customer data.

PCI v3.0 – what the changes mean

If your organisation processes card transactions, either directly or through a third-party provider, then the PCI compliance changes affect you. Severe penalties may be imposed on businesses which suffer a security breach as a result of a lack of compliance with the PCI standard. The themes of the changes are categorised as: education and awareness; increased flexibility; and security as a shared responsibility.

One of the most serious threats to data security is cyber attacks on web-facing servers, and this is an element of the requirements which is regularly updated to reflect the most common methods of attack.

Requirement 6, which deals with web application security, outlines the most common vulnerabilities and stresses the importance of regular security checks, such as using a vulnerability scanner. The most salient element is 6.6:

‘For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.’

While the standard says ‘either of the following methods’, industry best practice is in fact to employ both: regular security assessment with tools such as a vulnerability scanner, and the installation of a web application firewall in front of the application.

A good web application vulnerability scanner, such as Acunetix, is regularly updated to detect newly discovered vulnerabilities, for example Shellshock. You can also schedule the scanner to run automatic checks at regular intervals, helping to ensure that your web application stays free of known vulnerabilities between manual reviews.

The Compliance Regulations

The PCI compliance specification describes a set of requirements which participating businesses must observe to ensure that correct measures are taken to secure all data:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Protecting the Consumer

Consumers who use credit/debit cards for online purchases risk suffering financial losses when businesses process their transactions through insecure systems. The number of cases involving the theft of credit card details from exploited web applications is constantly on the rise. Identity theft is another massive problem. Some sources claim that as many as 15 million US residents have their identities used fraudulently each year with financial losses totalling upwards of $50 billion.

With such data breaches, the pressure on traders to keep customer data safe is at an all-time high. The PCI compliance standard aims to prevent financial data and identity theft from its source by ensuring the systems which process and store customer details and transaction information are fully secure.

Compliance Certification

PCI compliance is implemented on both the technological and the administrative side of the business process. Clear guidelines must be in place for company employees who handle customer data and process transactions, particularly as many systems are actually compromised from the inside. Businesses must also keep track of any changes made to the technical or business process, to ensure that each change is followed by the relevant security counter-measure. Technical failures must be planned for, and timely encrypted backups of all sensitive data must be performed.

Security Assessment Tools

The PCI compliance specification is more than just a set of rules by which organisations must abide. It is also a guideline which provides a method to trace and secure all the potential security flaws which might be exploited. Detecting these potential flaws is made easier by using tools such as web vulnerability scanners and network scanners.

A web vulnerability scanner is a software product which performs an in-depth assessment of a web application or web service. It detects the security flaws which may be exploited by an attacker whose intention is to gain access to web servers, internal networks and back-end databases. A common mistake is to forget that a publicly available website is also an entry point which is open 24/7. Vulnerability scanners assist developers and security professionals such as penetration testers in identifying these possible entry points and securing the web application before they can be exploited.

Summary

PCI compliant merchants benefit from a standardised approach to securing their online systems, and from being able to prove their reliability to consumers – but they must keep up to date with new versions of the standard. PCI v3.0 is focused on best practice for organisations, and views security as an ongoing responsibility. Ultimately, the goal is a security-minded way of working, with proactive processes that help merchants adopt a framework of ‘Continuous Security’.

Penetration testers, CSOs and auditors can all benefit from the use of a vulnerability scanner to identify weaknesses in web applications and to guide them in resolving those weaknesses. It can also be used for checking perimeter servers and for running regular scans between audits, so that any new vulnerabilities are identified and addressed quickly.