By Natasja Bolton, Acquirer Support Manager
The primary objectives (or attributes) of security (whether that be ‘information security’ or more recently ‘cyber security’) are encompassed in the CIA triad: Confidentiality, Integrity and Availability which are defined as:
- Confidentiality: ensuring that information is accessible only to those authorised to have access
- Integrity: ensuring the accuracy and completeness of information and processing methods
- Availability: ensuring that authorised users have access to information and associated assets when required
Organisations seek to meet those objectives for their own information assets, and for those of their partners, customers and clients, through logical, physical, procedural and personnel controls. Those controls must work together as a framework to prevent, detect and respond to security incidents and cyber-attacks so that the security objectives are met. The PCI DSS is one such framework: a baseline of technical and operational controls that together provide a defence-in-depth approach to the protection of cardholder data, and which can also serve as a baseline of measures for protecting all information assets.
The term “defence-in-depth” comes from a military strategy that seeks to delay rather than prevent the advance of an attacker, yielding space in order to buy time. The basic premise is to place as many barriers as possible between the attacker and your critical data and systems by maintaining multiple, layered lines of defence or controls, rather than a single strong defensive line or a single type of control. Breaching one layer only brings the attacker to the next layer of controls and countermeasures, and each additional layer increases the likelihood that the attacker is detected. The model is often likened to the layers of an onion, peeled one by one.
How the defence-in-depth model relates to PCI DSS
Let’s look at the defence-in-depth model in Figure 1 in more detail, and at how each layer relates to the PCI DSS controls that secure your organisation, its network and its components:
Figure 1: the defence-in-depth layers
Data
Your critical data and systems: databases, Active Directory service information, documents and so on. This is the attacker’s ultimate target. Example controls include:
- Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes. Simply put, if you do not need it, do not store it (Requirement 3.1). If you must store the primary account number (PAN), render it unreadable anywhere it is stored, for example using one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes (Requirement 3.4). Note that a truncated PAN and a hashed PAN must not be stored where the two can be correlated to reconstruct the original PAN.
- Do not store sensitive authentication data (full track data, card verification codes and PINs or PIN blocks) after authorisation, even if it is encrypted (Requirement 3.2).
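To make the Requirement 3.4 caveat concrete, here is an added example (it is not from the original article nor from the PCI SSC): it truncates a PAN, hashes it with plain SHA-256, and shows that an attacker who obtains both the truncation and the unkeyed hash can recover the full PAN in well under a second, because only the masked middle digits are unknown and the Luhn check fixes one of them. A keyed hash (HMAC) under a secret key, or an index token, defeats the same search. The sample PAN is the well-known Visa test number and the key is a constructed placeholder; both are assumptions made for the demonstration, not real card data.

```python
import hashlib
import hmac
import itertools
from typing import Iterator, Optional

# Constructed sample input: the well-known Visa test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"
# Constructed demo key. In a real deployment the key comes from the key-management
# processes that Requirements 3.5 and 3.6 call for; never hard-code it.
DEMO_KEY = b"demo-only-key-do-not-use-in-production"

# Luhn doubling table: 2*d, with 9 subtracted when the result exceeds 9.
_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)
_UNDOUBLE = {v: d for d, v in enumerate(_DOUBLE)}  # inverse; _DOUBLE is a bijection on 0..9


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for r, ch in enumerate(reversed(pan)):        # r = position counted from the right
        d = int(ch)
        total += _DOUBLE[d] if r % 2 == 1 else d   # every second digit from the right is doubled
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep no more than the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: looks unreadable, but see recover_pan below."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 index token: a brute-force search needs the secret key, not just the digest."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def luhn_candidates(first6: str, last4: str, hidden: int) -> Iterator[str]:
    """Enumerate every Luhn-valid PAN that matches a first6/last4 truncation.

    All but the last masked digit are enumerated freely (10**(hidden-1) choices);
    the last one is solved from the Luhn constraint, so no invalid PAN is emitted.
    """
    if hidden < 1:
        raise ValueError("truncation must hide at least one digit")
    n = 6 + hidden + 4
    solve_i = 6 + hidden - 1             # index (from the left) of the digit we solve for
    solve_r = n - 1 - solve_i            # the same position counted from the right
    for middle in itertools.product("0123456789", repeat=hidden - 1):
        partial = first6 + "".join(middle) + "?" + last4
        s = 0
        for i, ch in enumerate(partial):
            if ch != "?":
                d = int(ch)
                s += _DOUBLE[d] if (n - 1 - i) % 2 == 1 else d
        need = (-s) % 10                 # contribution the missing digit must supply
        digit = need if solve_r % 2 == 0 else _UNDOUBLE[need]
        yield first6 + "".join(middle) + str(digit) + last4


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Attacker holding a truncated PAN and a SHA-256 of the same PAN tries every candidate.

    For a 16-digit PAN that is 10**5 hash computations, well under a second in pure Python.
    Returns None when nothing matches, e.g. when the digest is an HMAC under an unknown key.
    """
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for candidate in luhn_candidates(first6, last4, hidden):
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = truncate_pan(SAMPLE_PAN)
    print("stored truncation   :", masked)
    print("unkeyed SHA-256     :", unkeyed_hash(SAMPLE_PAN))
    print("recovered from hash :", recover_pan(masked, unkeyed_hash(SAMPLE_PAN)))
    print("HMAC-SHA256 token   :", keyed_hash(SAMPLE_PAN, DEMO_KEY))
    print("recovered from HMAC :", recover_pan(masked, keyed_hash(SAMPLE_PAN, DEMO_KEY)))
```

The search space is tiny because the truncation leaks ten of the sixteen digits and the Luhn check removes nine of every ten remaining candidates; an unsalted hash of a PAN is therefore not “unreadable” in any meaningful sense once the truncated form is also available. Keyed hashing (with the key managed as in Requirements 3.5 and 3.6) or tokenisation removes the attacker's ability to test candidates offline.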
Application
The software that manipulates the data that is the ultimate target of attack. Example controls include:
- Identify new security vulnerabilities using reputable external sources, assign a risk ranking (for example “high”, “medium” or “low”) to each newly discovered vulnerability, and install critical security patches within one month of release (Requirements 6.1 and 6.2).
Host
The computers that run the applications. Example controls include:
- Deploy anti-malware/endpoint security software on all servers and hosts commonly affected by malicious software, keep it current, actively running and generating audit logs, and use it to ensure that network-attached devices conform to the defined enterprise and desktop security policy (Requirement 5).
Internal network
The network inside the corporate IT infrastructure. Example controls include:
- Install firewalls between the core network (in particular the cardholder data environment) and any wireless networks, and implement robust wireless security mechanisms for any wireless technology in use: change vendor defaults, use strong authentication and strong encryption, and detect rogue access points (Requirements 1.2.3, 2.1.1, 4.1.1 and 11.1).
Perimeter
The network that connects the corporate IT infrastructure to other networks: external users, partners or the Internet. Example controls include:
- Install firewalls at the perimeter of the network and restrict inbound and outbound traffic to that which is necessary for the cardholder data environment (Requirement 1.3), and use intrusion-detection and intrusion-prevention techniques (IDS/IPS) to monitor traffic at the network perimeter and at critical points inside the network (Requirement 11.4).
Physical security
The tangible side of computing: server hardware, hard disks, network switches, power and so on. Example controls include:
- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE), e.g. video cameras and access-control mechanisms; physical or logical controls to restrict access to network jacks; and restricted physical access to wireless access points, gateways, handheld devices, networking/communications hardware and telecommunication lines (Requirement 9.1).
Policies, Procedures, Awareness
The overall governing principles of the security strategy of any organisation. Without this layer, the entire strategy fails. Example controls include:
- Establish, publish, maintain and disseminate a security policy (Requirement 12.1).
- Implement a formal security awareness programme to make all personnel aware of the importance of cardholder data security (Requirement 12.6).
The PCI DSS baseline of technical and operational requirements is designed to protect an organisation’s cardholder data assets (information and systems), focusing primarily on confidentiality. By baseline we mean the minimum that must be done to address known risks, attacks and methods of compromise. Requirement 12.2 (the risk assessment process) expects organisations to build on that baseline and on the defensive layers of the PCI DSS.
By identifying their critical information assets, together with the threats and vulnerabilities that affect them (integrity and availability as well as confidentiality), organisations can select and implement further layered controls and countermeasures, and so enhance their ability to prevent, detect and respond to security incidents and attacks.
Information assets: all computer systems and the information stored on those systems, transmitted across networks, printed out or written on paper, sent by fax, stored on electronic media or spoken over the phone.
Prevent: to stop unwanted or unauthorised activity from occurring. Detect: to discover unwanted or unauthorised activity. Respond: to address the unwanted or unauthorised activity (the incident) so as to minimise loss or downtime and return to normal operation.