Cyber Playbook: An Overview of PCI Compliance in 2022

March 24, 2022

Contributed By: David Mundhenk, Principal Consultant, Consulting Services

There's no denying it: Payment Card Industry (PCI) compliance has risen in significance and will only continue to do so. Being PCI compliant is essential to properly handling sensitive data, including payment card data, cardholder data (CHD), and sensitive authentication data (SAD). As we enter the second quarter of the year, it's a good time to reflect on both what the new year has changed and what has stayed the same. PCI compliance has certainly seen a mix of new trends and legacy approaches, so let's take a look at the newest and most talked-about topics in 2022:

Approved Scanning Vendor Lessons Learned

Approved Scanning Vendor (ASV) scans satisfy the PCI DSS mandate for quarterly external vulnerability scanning (Requirement 11.2.2 in PCI DSS v3.2.1), but over the last year or so we have seen an increasing number of challenges in completing them successfully. More scans are failing for a variety of reasons; in most cases the scan does not complete because the scanner reports session timeouts or unreachable hosts for the target systems.

The Internet-facing architecture being ASV scanned has grown more complex over the last few years with the adoption of HTTPS load balancers, web application firewalls (WAFs), deep-packet-inspection-capable intrusion detection/prevention systems (IDS/IPS), and next-generation firewalls. In many instances, combinations of those systems interfere with or impede the ASV scanning technology's ability to complete a full scan session. In addition, the hosts being scanned are themselves often provisioned with host-based IDS/IPS and additional access control restrictions. At the same time, ASV vendors are constantly improving their scanning engines and enhancing the complexity of their scan policy profiles, which makes scans longer-running and more likely to trip active protection.

Regardless of the cause, an incomplete ASV scan cannot be considered a passing scan and will not fulfill the PCI DSS external vulnerability scanning requirement. The ASV Program Guide places the burden on the scan customer: active protection systems (IPS, WAF, rate limiting) must be configured so that they do not interfere with the scan, which in practice means allowlisting the ASV's published scanner source IP ranges for the duration of the scan window rather than letting the WAF "win." Blocking or throttling the scanner does not produce a clean result; it produces an incomplete one. ASV service providers can also tune their scanning systems to reduce scan intensity and extend session timeout windows. In the situations just described, the ASV customer and the ASV service provider should work together as a team to find a viable solution to any ASV scanning interference.

Client-Side Web Browser Vulnerabilities

Generally speaking, the client-side web browser attack surface has been largely overlooked as a threat landscape by defenders; the parties that have paid close attention to it are malware authors, the hacking community, social media platforms, and mass marketers. All of these threat actors and business-intelligence collectors continue to manipulate, and even exploit, end-user browser vulnerabilities for ill-gotten gain, often under the guise of gathering 'critical user business intelligence.'

Traditional penetration testing and application security assessment tools, methods, and techniques tend to neglect this attack surface: they focus primarily on server-side vulnerabilities, not on what actually executes in the end user's browser. Client-side vulnerabilities are thus sometimes called the 'Mariana Trench' of attack surfaces; they are hard to reach and few have addressed them successfully. As a result, payment card data, Personally Identifiable Information (PII), and user authentication credentials are routinely harvested with impunity by nefarious actors and not-so-scrupulous marketers, typically through scripts that are injected into, or legitimately loaded by, the payment page.

The Solution

  • Incorporate client-side web browser security testing into Secure Software Development Life Cycle (S-SDLC) tools, methods, and QA testing processes.

  • Inventory all scripts (especially JavaScript), third-party HTML tags, links to third-party sources, end-user telemetry recording, and similar content delivered to the browser.

  • Eliminate any of the above that are found to divulge CHD/PII or that inject high-risk vulnerabilities into the client-side browser.

  • Ensure that everything that does remain in the page's HTML has a legitimate, business-justified need.

  • Because many eCommerce application architectures are updated and modified daily, ensure there is iterative testing and remediation throughout the S-SDLC process.

  • Leverage best-of-breed client-side browser vulnerability tools and software that can detect, alert on, and block web injection of malicious scripts and HTML tags. Browser-native controls complement these tools: Subresource Integrity (SRI) pins externally hosted scripts to a known hash, and a Content Security Policy (CSP) limits script execution to the sources that survived the justification step.

PCI Data Security Standards v4.0

Since its founding in 2006, the PCI Security Standards Council (SSC) has put the PCI Data Security Standard (DSS) through three major overhauls and is currently completing its fourth. This one is perhaps the most significant rewrite in the history of the standard.

As a Qualified Security Assessor (QSA) firm in good standing, we have been privy to, and have contributed to, crafting a significantly changed, and hopefully improved, version of the PCI DSS. We are not currently at liberty to speak directly to those changes, but when the official standard is released we will publish full details.

The launch date of PCI DSS v4.0 has not yet been specifically announced; however, the PCI SSC has stated that it will be released before the end of March 2022. Stay tuned to keep apprised of the new standard and how we can support your team with PCI compliance.

Connect with our team to learn more about how we can accelerate your PCI compliance program.

The newly combined Herjavec Group and Fishtech Group team is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the Cyber Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of our experts will provide advice and insights based on their extensive experience in the infosec industry. Feel free to connect with us about topics and questions you would like to see covered.

