Back in 2004, the Financial giants Visa, American Express, Discover Financial Services, and JCB International together with the Security Standard Council formed the PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS is a set of security standards including 12 requirements for protecting cardholder data and maintaining a safe and secure payment ecosystem.
who should comply with the pci dss?
Any entity that is subject to the PCI security standard must be compliant and moreover, must ensure that the compliance is still valid according to the updated protocols on a yearly basis. PCI security applies to any company globally storing information, processing, or transmitting cardholder data from small start-ups to international organizations.
pci dss compliance is not enough
Despite substantial investments made in securing their networks, organizations are realizing that PCI security compliance alone does not guarantee protection against advanced cyberattacks.
The myriad of successful cyber attacks against financial institutions in the past year is a testament to this simple truth. Many of these attacks were caused by attackers exploiting weak points in these organizations’ network perimeters that were left exposed and unmanaged - weak points which the PCI DSS’s requirements don't cover.
Achieving PCI compliance as well as a good security posture must begin by obtaining comprehensive and ongoing visibility of your external attack surface, related risks, and threats.
How Reposify’s capabilities map to the PCI DSS requirements for PCI compliance
Reposify’s external attack surface management platform delivers autonomous, 24/7 discovery of internet exposed assets across all environments and the supply chain. Automating the discovery, inventory, classification, risk analysis, and scoring allows you to streamline the risk assessment process and ensure you are well-informed for the purpose of PCI DSS compliance.
When it comes to your internet-facing assets, Reposify’s platform significantly enhances your security posture and goes beyond the PCI DSS requirements. Not only it helps you to eliminate vulnerabilities within your known networks but also discovers and helps you eliminate risks resulting from your unknown connected assets that exist outside of your known network ranges.
Here is how Reposify’s capabilities help support the PCI security standard’s technical and operational requirements:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
PCI Security Requirement: 1.1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams.
How we help: Through Reposify’s integration with Palo Alto Networks' Cortex, the system automatically identifies your internet exposed assets that are not behind a firewall and sends you an alert.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PCI Security Requirement: 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
How we help: In cases that there is more than one service on any given asset (server) Reposify will identify all of the exposed services, automatically analyze them for security issues and alert you.
PCI Security Requirement: 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
How we help: Reposify continuously identifies the services and protocols that are exposed to the web in real-time. Users can easily set up alerts to notify them when an unnecessary service or protocol is enabled.
Requirement 6: Develop and maintain secure systems and applications
PCI Security Requirement: 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
How we help: Reposify’s external attack surface management platform autonomously discovers and monitors your entire internet-facing asset inventory and analyzes every asset for a range of security issues including CVEs, cryptographic issues, misconfigurations among others. Every asset is assigned with a risk score. An action plan with remediation guidance is automatically generated.
PCI Security Requirement: 6.4.1.b Examine access control settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
How we help: The platform identifies production and test environments that are exposed to the web and whether they are within the same IP address space or not. If they are, the system can send an alert on such issues in real-time.
PCI Security Requirement: 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks.
How we help: Reposify’s platform autonomously discovers, and monitors unknown risks and helps you prevent web-based attacks in real-time. Reposify goes beyond publicly registered IPs and domain data which rely mainly on DNS and WHOIS and discovers all your unknown internet-facing assets no matter where they are located. Your external attack surface is continuously monitored so you can always stay up to date.
Requirement 8: Identify and authenticate access to system components
PCI Security Requirement: 8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
- All user access to, user queries, and user actions on databases are through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
How we help: The platform identifies assets (databases, files server, login pages, etc.) that are exposed to the web and not properly restricted in real-time.
Requirement 12: Maintain a policy that addresses information security for all personnel.
PCI Security Requirement: 12.2 Implement a risk-assessment process that:
- Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
- Identifies critical assets, threats, and vulnerabilities, and
- Results in a formal, documented analysis of risk.
How we help: Reposify’s platform delivers comprehensive visibility of your external attack surface so you can quickly discover all your connected assets and related risks and ensure your risk assessment process is based on accurate and objective ground truth.
So how does it work?
Proprietary agentless scanning technology continuously maps, indexes the entire internet and collects data on every connected asset. Classification and association engines analyze all the assets and automatically create your complete inventory, including both your known and unknown exposed assets.
Passive and non-intrusive active scanning techniques detect exposures, cryptographic issues, misconfigurations, remote code execution risks, CVEs & more. Intelligent risk prioritization & adaptive security scoring rank the risks based on multiple variables, so you know where to focus first.
PCI compliance is important but PCI alone isn't enough to prevent data breaches and other security incidents. Maintaining a good security posture overtime requires complete and real-time visibility into potential asset exposures and risks.
Want to guarantee a good security posture for your organization? Contact us today to get a complete and real-time view of your external attack surface.