The Payment Card Industry Data Security Standard (PCI DSS) exists to improve the security of payment card processing and minimise the risk of a data breach.
Stronger security controls help to protect your organisation and its customers by preventing fraudsters from obtaining and using cardholder data. All merchants who process card data must be PCI compliant. The PCI controls are being updated, and the deadline to adopt version 4 is 31 March 2025. This gives organisations two years to learn how to apply the new controls.
Why were PCI controls updated?
Cyber criminals evolve alongside technology, constantly finding new techniques and tactics to exploit any weakness they can find. The PCI DSS 4.0 update recognises this. Requirement 6.3.1 expects organisations to be aware of the threats and vulnerabilities they face and to stay informed of changes to the technologies they use. In accordance with PCI DSS 4.0, businesses are expected to:
- Detect emerging threats.
- Analyse the latest threat trends.
- Inform and update their Cyber Risk Assessments.
- Address weaknesses or any avenues that threat actors can exploit.
- Educate personnel, improving their cyber security awareness and culture.
- Integrate intelligence into incident management procedures.
The use of Cyber Threat Intelligence (CTI) helps to meet the above requirements. In the context of PCI compliance, a CTI tool enables organisations to quickly discover and qualify gaps in their security controls. It also helps organisations to prioritise vulnerabilities using quantitative risk metrics rather than severity scores alone. In addition, CTI helps companies to stay on top of PCI DSS security policy hygiene through continuous analysis and alerting.
How CTI can enrich PCI
One of the leading causes of data breaches in PCI-covered organisations studied in the Verizon Payment Security Report 2019 is a failure to meet Requirement 6. CTI can enrich PCI controls by working alongside existing techniques and providing an ongoing assessment of external risk, which helps security professionals re-prioritise patch management efforts. It can also bring in broader threat intelligence from across the web to uncover weaknesses that traditional tools either miss or weigh incorrectly because they ignore the exploits and threats associated with a given vulnerability.
In addition, CTI provides a sanity check when it comes to protecting cardholder data. It enhances the pre-assessment routine and gives organisations a second set of eyes on vulnerabilities that could violate or weaken data security policies.
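The re-prioritisation described above can be made concrete. The following is an added illustration, not Gemserv's platform code and not prescribed by PCI DSS: it takes a constructed list of scanner findings, enriches each with a constructed threat-intelligence feed, and produces the risk ranking that Requirement 6.3.1 asks for. The CVE identifiers are placeholders, the scan and feed formats are hypothetical, and the escalation rules (public exploit, active exploitation, asset inside the cardholder data environment) are an assumption chosen for illustration.

```python
"""Intel-driven vulnerability ranking for PCI DSS 6.3.1 (added example, hypothetical data)."""
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    in_cde: bool  # True when the asset sits inside the cardholder data environment


@dataclass
class Intel:
    exploit_public: bool = False       # a working exploit is publicly available
    active_exploitation: bool = False  # intel reports the flaw being used in the wild
    sector_targeted: bool = False      # campaigns using it target our sector (e.g. retail)


# Constructed scanner output: placeholder CVE ids, not real vulnerabilities.
FINDINGS = [
    Finding("web-frontend-01", "CVE-EXAMPLE-0001", 9.8, in_cde=False),
    Finding("pos-gateway-01", "CVE-EXAMPLE-0002", 6.5, in_cde=True),
    Finding("hr-portal-01", "CVE-EXAMPLE-0003", 5.3, in_cde=False),
    Finding("pos-gateway-02", "CVE-EXAMPLE-0004", 3.1, in_cde=True),
]

# Constructed threat-intel feed keyed by CVE id (hypothetical format).
INTEL_FEED = {
    "CVE-EXAMPLE-0002": Intel(active_exploitation=True),
    "CVE-EXAMPLE-0003": Intel(exploit_public=True),
}


def base_rank(cvss: float) -> str:
    """Map a CVSS base score onto the four ranking bands (assumed thresholds)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def escalate(rank: str, steps: int) -> str:
    """Move a rank up by `steps` bands, capped at critical."""
    return LEVELS[min(LEVELS.index(rank) + steps, len(LEVELS) - 1)]


def rank_finding(finding: Finding, intel: Intel) -> tuple[str, list[str]]:
    """Combine CVSS with threat context; return (rank, reasons for the escalation)."""
    steps, reasons = 0, []
    if intel.active_exploitation:
        steps += 2
        reasons.append("active exploitation reported")
    elif intel.exploit_public:
        steps += 1
        reasons.append("public exploit available")
    if intel.sector_targeted:
        steps += 1
        reasons.append("campaigns target our sector")
    if finding.in_cde:
        steps += 1
        reasons.append("asset inside the CDE")
    return escalate(base_rank(finding.cvss), steps), reasons


def prioritise(findings: list[Finding], feed: dict[str, Intel]) -> list[dict]:
    """Rank every finding and sort: highest band first, then CVSS, then CVE id."""
    rows = []
    for f in findings:
        rank, reasons = rank_finding(f, feed.get(f.cve, Intel()))
        rows.append({"host": f.host, "cve": f.cve, "cvss": f.cvss,
                     "rank": rank, "reasons": reasons})
    rows.sort(key=lambda r: (-LEVELS.index(r["rank"]), -r["cvss"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritise(FINDINGS, INTEL_FEED):
        why = "; ".join(row["reasons"]) or "CVSS only"
        print(f'{row["rank"]:<8} {row["cvss"]:>4} {row["cve"]:<18} {row["host"]:<16} {why}')
```

Note how the CVSS 6.5 finding on the POS gateway ends up critical and the CVSS 5.3 finding becomes high, while a severity-only view would have left both as medium. The reasons list is what an assessor will want to see alongside the ranking, since 6.3.1 asks for the ranking method to be documented, not just the result.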
How Gemserv can help you with PCI DSS certification
The Gemserv CTI platform provides businesses with an accurate, user-friendly and affordable solution to their threat intelligence needs. Our platform draws on a breadth of intelligence sources, including the deep and dark web, coupled with the depth added by our analysts. Our intelligence is always graded, tagged and sourced. This allows you to keep up to date with threats in your organisation’s sector, vulnerabilities in your technology stack, incidents involving your supply chain and any potential risk to your brand’s reputation.
Gemserv’s team of QSAs has extensive experience assisting a wide range of clients with their PCI DSS requirements. Our clients include household-name retailers and insurers as well as smaller organisations. Gemserv takes a holistic approach to PCI DSS delivery. Our QSAs can conduct your annual PCI DSS assessments, walking you through the process step by step. Where recommendations or uplifts are required, our team of experienced cyber and data security consultants can seamlessly provide the necessary expertise.