How PCI DSS builds layers of protection


The primary objectives (or attributes) of security (whether that be ‘information security’ or more recently ‘cyber security’) are encompassed in the CIA triad: Confidentiality, Integrity and Availability which are defined as:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access

  • Integrity: ensuring the accuracy and completeness of information and processing methods

  • Availability: ensuring that authorised users have access to information and associated assets when required

Organisations seek to fulfil those objectives for their information assets as well as those of their partners, customers, and clients through the use of logical, physical, procedural and personnel controls. Those controls must work together as a framework to Prevent, Detect and Respond to security incidents and cyber-attacks such that the security objectives are met. Such a framework is defined by the PCI DSS, a baseline of technical and operational controls that work together to provide a defence-in-depth approach to the protection of account data (cardholder data and sensitive authentication data) but which may also serve as a baseline of measures to protect all information assets.

Defence-in-depth was originally a military strategy that seeks to delay rather than prevent the advance of an attacker, yielding space in order to buy time. The basic premise is to insert as many barriers as possible between the attacker and your critical data and systems by maintaining multiple, layered lines of defence or controls, rather than a single strong defensive line or type of control. A breach of one layer only brings the attacker to the next layer of defensive controls and countermeasures, and each layer increases the likelihood of the attacker being detected. It is often likened to the layers of an onion that can be peeled away one by one.

This article examines the defence-in-depth model, how it relates to the PCI DSS and explores where Sysnet Global Solutions’ Partner Solutions (Sysnet Protect) and Business Solutions (Viking Cloud Managed Security Services) can help your merchant customers Prevent, Detect and Respond to security events and incidents affecting their systems.


How the defence-in-depth model relates to PCI DSS

Let’s look at the defence-in-depth model below in Figure 1 in more detail, and the relationship with PCI DSS controls, Sysnet Protect tools and Viking Cloud Managed Security Services that can secure the organisation, its network and components:

Figure 1: Defence-in-depth model (PCI DSS protection)
  • Data – Your merchant customer’s critical data and systems, including payment card information, customer databases, order or property management systems, directory service information; proprietary, contractual, or financial information etc. Data is an attacker’s ultimate target.
    Example PCI DSS controls include:

    • To keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes. Simply put, merchant customers should aim to adhere to the basic PCI DSS principle that “if you do not need it, do not store it” (Requirement 3.1). If you must store cardholder data, render it unreadable, e.g. using one-way hashes, truncation, index tokens and pads, or strong cryptography (Requirement 3.4).

    • To not store sensitive authentication data after authorisation (Requirement 3.2).

    How Sysnet Protect Helps: Cardholder Data Scan

    Identifies suspected unencrypted cardholder data on customer endpoints.

    How Viking Cloud Managed Security Services Helps: PAN Scan

    Locates and uncovers unknown sources of PII and card data.

    How Sysnet Protect Helps: Endpoint Protection

    Protects critical files and data from zero-day exploits and ransomware through containment with auto-sandboxing.

    How Viking Cloud Managed Security Services Helps: Anti-ransomware

    Protects and controls mission-critical content from zero-day ransomware by quarantining suspect files and programs in a secure, virtualized environment, eliminating any verified as dangerous.
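As an added illustration of what the Cardholder Data Scan and PAN Scan above do, and of the truncation and one-way hash renderings that Requirement 3.4 permits, here is a minimal cardholder-data discovery scan in Python. It is example code written for this article, not code from Sysnet Protect or Viking Cloud; the sample text, the test card numbers and the HMAC key are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample of endpoint text; the card numbers are well-known test numbers, not real PANs.
SAMPLE_TEXT = (
    "order 4481 shipped to 10 Main St; card 4111 1111 1111 1111 exp 12/26\n"
    "invoice 5500000000000004 paid; ref 1234567890123 is not a card\n"
)

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: every issued PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Every Luhn-valid candidate in text, as a digits-only string, in order of appearance."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def truncate_pan(pan: str) -> str:
    """Truncation as Requirement 3.4 permits: at most the first six and last four digits are kept."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the entire PAN. The key is essential: the PAN space is small
    enough to brute-force an unkeyed hash. Keep the key out of the report, and do not store
    the hash next to the truncated PAN where the two could be correlated to rebuild the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def scan_report(text: str) -> list:
    """Discovery report as (line number, truncated PAN): the report must never carry the
    full PAN, or the scanner itself becomes one more store of unprotected cardholder data."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        report.extend((lineno, truncate_pan(p)) for p in find_pans(line))
    return report
```

Run `scan_report(SAMPLE_TEXT)` to see the two test numbers reported by line and truncated form, while the Luhn-invalid reference number is ignored.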


  • Application – The software that manipulates the data that is the ultimate target of attack.
    Example PCI DSS controls include:

    • To check for new vulnerabilities using reputable external sources, assign a risk ranking to newly discovered vulnerabilities, and patch high-risk vulnerabilities within 30 days (Requirements 6.1 and 6.2).

    How Sysnet Protect Helps: Auto Update Enabled

    As part of the initial Sysnet Protect engagement, the merchant is informed of the importance of keeping patch levels up to date.

    How Viking Cloud Managed Security Services Helps: External and Internal Vulnerability Scanning

    Identifies vulnerabilities affecting customer applications and helps to assess the effectiveness of patch management.

    How Sysnet Protect Helps: Vulnerability Management

    Provides an endpoint software inventory and patch status report.

    Proactive monitoring for OS vulnerabilities in supported systems.

    Merchants are advised to update their systems and are provided with patch installation support.


  • Host – The computers that are running the applications.
    Example PCI DSS controls include:

    • To maintain an inventory of systems in scope for implementation of PCI DSS controls (Requirement 2.4).

    How Sysnet Protect Helps: Network Discovery Scan

    Can detect all computers and devices connected to the business network.

    How Viking Cloud Managed Security Services Helps: Endpoint Security Agent

    Provides an inventory of assets.

    • To deploy endpoint security on host systems to ensure these network-attached devices conform to defined security policies such as those relating to secure configuration, anti-malware, password policies and detection of unauthorised changes (Requirements 2, 5, 8 and 11.5).

    How Sysnet Protect Helps: Endpoint Protection

    Includes several layers of host device protection, including a Host Intrusion Prevention System (HIPS).

    Deviations from normal or baseline states can be detected and actions triggered to prevent compromise.

    Offers dynamic (behavioural) analysis of potential malware.

    Monitors Windows endpoint configurations (e.g. for default accounts) and password policy parameters.

    How Viking Cloud Managed Security Services Helps: Endpoint Security Agent

    NextGen registry-based anti-malware, threat detection and anti-ransomware.

    File Integrity Monitoring (FIM) tracks when files are created or key files are viewed, deleted or modified.


  • Internal Network – The network supporting and connecting company applications, systems, and hosts.
    Example PCI DSS controls include:

    • To install firewalls and restrict connections between untrusted networks (incl. the Internet) and the cardholder data environment (Requirement 1).

    How Viking Cloud Managed Security Services Helps: Managed Security

    Fully-managed firewall with Unified Threat Management (UTM), site-to-site VPN, integrated managed switching and managed wireless access points.

    • To install firewalls between the core network and wireless networks and implement robust wireless security mechanisms such as strong authentication, strong encryption and rogue access point detection for any wireless technologies in use (Requirement 1.2.3, 2.1.1, 4.1.1, 11.1).

    How Viking Cloud Managed Security Services Helps: Managed Security

    Fully-managed firewall with Unified Threat Management (UTM), site-to-site VPN, integrated managed switching and managed wireless access points.

    How Viking Cloud Managed Security Services Helps: Rogue Wireless Detection

    Scans and surfaces unauthorized wireless access points, including rogue devices and skimmers.

    • To install personal firewall software (or equivalent functionality) on mobile devices that connect to the Internet when outside the internal company network (Requirement 1.4).

    How Sysnet Protect Helps: Endpoint Protection

    Personal Firewall functionality is one of the defensive layers of Endpoint Protection.

    Allows for granular management of inbound and outbound network activities and provides warnings of suspicious activities.

    How Viking Cloud Managed Security Services Helps: Endpoint Protection Platform

    Secure endpoints of all types ensuring protection wherever and however they are used by the workforce.


  • Perimeter – The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet.
    Example controls include:

    • To install firewalls at the perimeter of the network (Requirement 1.3) and use packet inspection techniques (IDS/IPS) at the network perimeter and at various strategic points inside the network (Requirement 11.4).

    How Viking Cloud Managed Security Services Helps: Managed Security

    Fully-managed firewall with Unified Threat Management (UTM), site-to-site VPN, integrated managed switching and managed wireless access points.

    • To perform vulnerability scans to identify vulnerabilities and misconfigurations of websites, applications, and other systems with Internet-facing IP addresses (Requirement 11.2.2).

    How Sysnet Protect Helps: External Network Vulnerability Scans (incl. ASV scans)

    IP Reporting identifies the Internet-facing IP addresses to be scanned for vulnerabilities.

    Schedule regular External Network Scans to detect vulnerabilities.

    The Sysnet Service Operations Centre helps your merchant customers understand the scan results and address the issues identified.

    How Viking Cloud Managed Security Services Helps: Vulnerability Scanning

    Analyzes and reports, on a regular basis, any system weaknesses subject to exploitation.

    • To conduct penetration testing to determine whether and how a malicious attacker can gain unauthorized access and affect the security of systems, files, logs and/or cardholder data (Requirement 11.3).

    How Viking Cloud Managed Security Services Helps: Penetration Testing

    Network Penetration Testing identifies and tests potentially exploitable vulnerabilities across OS, firewalls and WiFi.

    Website Penetration Testing simulates internal and external attacks to show what an unauthorized user could achieve.


  • Physical – The tangible aspects of computing: the server computers, hard disks, network switches, power, and so on.
    Example controls include:

    • To use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE), e.g. CCTV, physical or logical controls to restrict access to network jacks, and restricted physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines (Requirement 9.1).

    How Viking Cloud Managed Security Services Helps: Managed Security Testing

    Social Engineering Penetration Testing identifies and showcases manipulation tactics that employees could easily fall victim to, allowing unauthorized users to penetrate the physical perimeter.

    Red Team testing simulates attack scenarios to provide a holistic view of the organization from the perspective of an adversary.


  • Policies, Procedures, Awareness – The overall governing principles of the security strategy of any organisation. Without this layer, the entire strategy fails.
    Example controls include:

    • To establish, publish, maintain, and disseminate a security policy (Requirement 12.1).

    • To implement a formal security awareness program to make all personnel aware of the importance of cardholder data security (Requirement 12.6).

    How Sysnet Protect Helps: Information Security Resources

    Customisable template Information Security Policies address the key PCI DSS controls.

    Educational videos on key payment card data security topics.

    How Viking Cloud Managed Security Services Helps: Managed PCI compliance

    Includes managed PCI eLearning.


PCI DSS defines a baseline of technical and operational requirements designed to protect an organisation’s cardholder data assets (information and systems), focussing primarily on protection of confidentiality.

As a baseline, it is the minimum that must be done by organisations obliged to comply with the PCI DSS to address known risks, attacks, and methods of compromise of payment card data. The PCI DSS recognises and expects organisations to build on that baseline of defensive layers, through the risk assessment process of Requirement 12.2.

Sysnet Global Solutions’ Partner Solutions (Sysnet Protect) and Business Solutions (Viking Cloud Managed Security Services) can not only help your merchant customers build and operate the defensive layers required by the PCI DSS to protect and secure payment card data; they can also extend your merchant customers’ ability to Prevent, Detect and Respond to security incidents and attacks on their information security through the selection and implementation of further layered cybersecurity controls and countermeasures.