Cybersecurity has become a major concern for nearly every industry. With the constant stream of news about the growing number of breaches, it is understandable that governments have taken a more active role by passing cybersecurity and privacy legislation. Some of the affected industries are not top of mind for most people; few, for example, could name all 16 sectors of critical infrastructure. Most people will, however, recognize the financial sector as vital to the functioning of the economy.
The most visible component of the financial sector is the banking industry. Everyone has had to use a bank at one time or another, so it is understandable that security is a primary concern for banks. The days of masked robbers walking into a branch have given way to attackers with the global reach of the internet, and money is no longer the only target: client information is equally valuable.
Because most banks also handle payment card data, they must comply with the Payment Card Industry Data Security Standard (PCI DSS). The updated PCI DSS, version 4.0, improves protection for account holders, but it also creates some new challenges.
Broader Language, Broader Scope
The new PCI DSS opens with broader language about network security controls. Previous versions of the Standard referred specifically to a firewall configuration to protect the Cardholder Data Environment (CDE); version 4.0 replaces that with "network security controls," a term that covers firewalls and any other technology that acts as a network policy enforcement point, such as cloud security groups, virtual appliances, or host-based filtering. The change makes sense, since the perimeter of a modern CDE is rarely a single hardware firewall. However, it also widens the scope of what must be inventoried, configured, and assessed, which could be a major shift for some banks.
Customized Approaches Require Stronger Evidence
The broader language also allows a customized approach to many of the requirements. This grants a bank more freedom to decide how it meets a requirement's objective, but it can create problems during an assessment: a Qualified Security Assessor (QSA) may call a customized approach into question, and the Standard itself requires each customized control to be backed by a documented targeted risk analysis and evidence that the control meets the requirement's stated objective. A bank that chooses this route must therefore have very strong evidence to support its deviation from the defined approach. Overall, the more general Standard is a good thing, because it lets a bank evolve its business without being forced into controls that are not necessarily better. It also means that it is more important than ever for the bank to have accountable people who understand the scope, can define it for the business, and can show that the customized controls are being maintained as business needs and systems change, so that the bank can demonstrate it is doing the right things for both compliance and security.
Hinting at a Stronger Standard to Come
PCI DSS 4.0 shows signs of moving toward a zero trust architecture, and one can easily anticipate it moving more clearly in that direction in future versions. The core concept of zero trust is that no user, device, or connection is trusted implicitly because of its network location; every access request is authenticated, authorized, and evaluated against policy, and access is limited to what the request actually needs. Those technical constraints exist to provide stronger security, which is the main thrust of zero trust. There are many reference sources on the topic, including NIST SP 800-207, the Department of Defense Zero Trust Strategy, and the draft Zero Trust Maturity Model issued by CISA. Many companies are starting to take these seriously, and not just because they want to do business with the U.S. federal government; zero trust is a legitimate security initiative and is quickly becoming a favored security architecture.
Breaches keep increasing year after year despite ever-larger security budgets, which raises the question of how an organization can focus so diligently on cybersecurity and still not get a quality result. Over the last decade, more guidance has been offered by government and non-governmental organizations, and regulations are being written to force the issue. The PCI Security Standards Council has evolved its documentation to meet the current environment, and while the new Standard offers more flexibility, it remains to be seen how organizations that choose the customized approach for some requirements will fare when evaluated for compliance.
We have compiled an eBook, in which we interviewed a panel of experts about the new PCI Standard. Download your copy here.