Meet PCI DSS and Protect Cardholder Data with PAM Controls
The 2022 holiday online shopping season is shaping up to be a busy one. An estimated 63.9 million people will shop this Cyber Monday, while global eCommerce transactions are expected to climb 15% from October through December 2022 and reach up to $264 billion. Unfortunately, when eCommerce sales surge, credit card fraud and data theft do too.
According to the Internet Crime Complaint Center, credit card fraud accounted for $173 million in losses in 2021. It’s one of the reasons consumers can now mask their credit card numbers when purchasing from an unknown online website. But that’s not enough — especially since holiday scams often target merchants as well.
If your business handles credit or debit card information, now is the time to revisit the Payment Card Industry Data Security Standard (PCI DSS) guidelines to help protect your organization, safeguard customer data, preserve trust and avoid hefty penalty fees.
PCI DSS 4.0 Compliance Goals and Requirements at a Glance
Retailers, processors, service providers and any other businesses that accept major payment cards and store, process and/or transmit cardholder data electronically must follow the PCI DSS guidelines and provide annual evidence of compliance. The global security standard is intended to help protect all parties involved in online transactions against damaging cyberattacks: Cardholders, by safeguarding confidential data, and merchants, by mitigating security vulnerabilities and risk such as unauthorized data access and disclosure.
PCI DSS 4.0 is the latest version published by the Payment Card Industry Security Standards Council, the standard’s governing body. It defines six principal goals and 12 high-level requirements and best practices for securing network and system infrastructure and protecting confidential cardholder data:
As part of these goals, PCI DSS defines strong access control measures and multifactor authentication (MFA) methods to help prevent threat actors from breaching IT systems and stealing confidential cardholder data. Notably, the standard requires merchants to monitor and control access to all administrative accounts on point-of-sales (POS) terminals and any other systems that manage cardholder data.
Addressing Key PCI DSS Requirements with Strong Privileged Access Management Controls
Cybercriminals routinely look for ways to exploit privileged credentials — including those for administrative accounts on IT systems that handle credit card and debit card transactions — to orchestrate attacks and steal sensitive data. Especially during the hectic holiday season, distracted workers, lax credential management practices and error-prone manual security processes provide them with ample opportunity.
Because of this, PCI DSS recommends that merchants consider using a privileged access management (PAM) solution to restrict access to privileged accounts and defend against data breaches. Cloud infrastructure entitlements management (CIEM) solutions similarly help organizations reduce excessive permissions across systems hosting data in their cloud environments — satisfying another key PCI DSS requirement to implement least privilege access.
These controls can provide the foundation of a comprehensive Identity Security approach and the key to satisfying the following PCI DSS requirements:
Privileged access management controls work in concert to improve visibility and control over privileged accounts, isolate and monitor privileged sessions and help to prevent unauthorized access.
By embracing an Identity Security strategy centered on intelligent privileged access management controls, your organization can strengthen its overall security posture and protect confidential data — throughout the busy 2022 holiday season and beyond.
PCI DSS Resources to Help You Get Started
There are many great industry resources available to organizations looking to get up to speed on PCI DSS technical specifications, attestation processes and reporting requirements. Major credit card brands including American Express, Discover, Mastercard and Visa offer free online training programs and support. The PCI Security Standards Council also provides numerous resources on how to keep payment data safe. And to learn how CyberArk helps organizations defend against attacks and improve PCI DSS compliance, check out our latest eBook, “How Privileged Access Management Protects Cardholder Data.”