Secure IT: The Top 3 PCI DSS Concerns in 2019

October 15, 2019

Cybersecurity Awareness Month (CSAM) is a global initiative created by the Department of Homeland Security 16 years ago to recognize the importance of digital security for consumers and organizations alike. Enterprises, employees, and end-users alike need to band together to #BeCyberSmart.

Herjavec Group is proud to be a CSAM Champion!

Contributed by David Mundhenk, Principal Consultant, Herjavec Group

Maintained by the PCI Security Standards Council, the PCI DSS is a worldwide standard of compliance requirements for any organization that stores, processes or transmits payment card data to facilitate commerce.

As organizations begin to restructure their data environments to keep up with evolving technology tools, they must ask themselves: “Does this new technology implementation have implications for meeting PCI DSS requirements?”

David Mundhenk, a Principal Consultant at Herjavec Group, says there are three key areas where organizations need to sharpen their approach when adopting new technologies:

  1. Cloud cardholder data environments (CDE)
  2. The use of VoIP for financial transaction processing, and
  3. The use of side-loaded code within the e-commerce transaction process.
Cloud Cardholder Data Environments (CDE)

If you are under the presumption that your cloud environment security controls are in-scope with PCI DSS, you may be wrong. In fact, security experts are routinely finding that cloud environments are often built with very little knowledge or understanding of PCI DSS compliance requirements.

“The migration of IT business systems into cloud environments is incredibly hot right now,” Mundhenk says. “However, organizations need to remember that it’s not the cloud service provider’s responsibility to ensure PCI DSS compliance. If an organization chooses to outsource cardholder data transaction processing to third parties including cloud service providers, they are still responsible for ensuring the outsourced entity provides all in-scope technology and services in a PCI DSS compliant manner.”

Consider the Following:

What is your cloud service implementation model? (e.g. Iaas, PaaS, or SaaS)? There are shared compliance responsibilities between cloud customers and cloud service providers which may vary based on the chosen cloud implementation model.

Make sure you fully understand and document which entity will be responsible for what compliance requirements based upon the chosen implementation model.

  • Determine if cardholder data will be stored in the cloud and if so, where? If it will be stored on the cloud, how will you protect that data (encryption, hashing, etc.)?
  • Are you properly implementing network segmentation within the cloud environment to effectively isolate PCI systems from non-PCI systems?
  • Are you using cloud-provided offerings for such necessary services as DNS, IAM, NTP, etc.? If so, make sure that these services have been assessed and found to be PCI DSS compliant.
  • Lastly, are you using container-based or serverless-based architecture? Due to the nature of these technologies, it can be difficult to meet all mandated PCI DSS requirements such as implementing malware protection, IDS/IPS, file integrity monitoring, vulnerability scanning, etc. To help get this right, consider engaging a QSA firm to review and ensure the entire architecture is PCI DSS compliant.
Using VoIP for Financial Transactions

Voice over Internet Protocol (VoIP) technology allows users to make voice calls over data networks, instead of using traditional telecommunication systems. As a result, calls placed over VoIP technology are converted into digital data. This means that organizations using VoIP to facilitate cardholder data-based transactions have to make sure they are PCI compliant.

“VoIP uses traditional data network technologies so it can be vulnerable to unauthorized interception and cyberattacks just like any other data network technology,” Mundhenk says. “If you don’t have the proper processes or security controls in place to isolate and secure your VoIP technology, the implementation could be out of compliance according to PCI DSS.”

Consider the Following:

  • Some VoIP implementations do not have the appropriate logical segmentation between PCI and non-PCI call transmissions. Without proper segmentation, the entire VoIP network may be in scope for PCI DSS requirements regardless of whether or not they ‘touch’ cardholder data.

We recommend working with a QSA firm to fully understand if, and where, segmentation can be implemented to reduce PCI scope.

Risk of Side-Loaded Code In eCommerce Implementations

A new tactic that cyber criminals are using to track and record cardholder data is the injection of 3rd party ‘side-loaded code’ into legitimate e-commerce web pages and browser sessions. It must be noted though that the use of side-loaded code isn’t exclusive to threat actors.

eCommerce use of side-loaded code was originally intended to support legitimate business functions, such as offering personalized accommodations based on the unique browser activities of the end-user. However, the implementation of side-loaded code may have the capability to inject additional functionality into the webpage that web developers may not have ever intended.

Additionally, the injection of side-loaded code into payment processing web pages, or web pages that redirect a browser session to a payment processing page, may run afoul with the following PCI DSS requirement:

  • 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 

The injection of 3rd party side-loaded code into a browser session does not provide any facilitation of the payment transaction functionality. For example, many retail e-commerce websites may employ the use of Google Tag Manager or browser-injected javascript to collect business intelligence on their consumers. In some instances, the information collected by these technologies may inadvertently capture cardholder data, personally identifiable information, or other sensitive data from the user attempting to make a card payment.

To address this point, it is recommended you verify that your payment pages and payment redirection pages do not contain any other code or functionality that does not support the payment processing function.

On October 30, 2019, David Mundhenk will be a panelist on The PCI Dream Team: Solving the Biggest PCI DSS Nightmares town hall session at the 2019 ISC2 Security Congress In Orlando, Florida, from 8:30AM – 9:30AM. The panel will feature a live Q&A session with the full PCI Dream Team, so if you’re attending, be sure to prepare and bring your toughest PCI questions. Register for the ISC2 Security Congress here.

To learn more about how Herjavec Group can provide you with a PCI DSS compliance assessment for your environment or support your organization as an Authorized QSA or ASV, connect with a security specialist below.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn