PCI DSS 4.0 and IAG

In cybersecurity, standards exist to set a baseline for the protection of data and of the companies that store it.

PCI DSS is one of these standards, dedicated to the protection of payment card data.

It was first published in 2004. Today we are on the fourth version, released in March 2022.

What does PCI DSS represent in the IT landscape, and how can IAG (Identity and Access Governance) help meet it?

What is it?

PCI DSS (Payment Card Industry Data Security Standard) is a security standard for companies that store, process or transmit payment card data.

The standard is administered by the PCI SSC (PCI Security Standards Council), founded jointly by the five major card brands: Visa, MasterCard, American Express, Discover and JCB.

Its main goal is to give cardholders and banking institutions assurance that the companies handling card data meet a minimum set of requirements for its protection, in order to limit fraudulent use of that information.

PCI DSS Requirements

PCI DSS rests on three main axes:

  • Securing the collection and transmission of customers' card data
  • Securing the storage of card data
  • Guaranteeing that security controls are verified every year

To meet these needs, PCI DSS is organised into six control objectives, each broken down into requirements (the twelve requirements below are those of version 3.2.1; version 4.0 keeps the same twelve headings while rewording and extending them):

  1. Build and maintain a secure network
    1. Install and maintain a firewall configuration
    2. Do not use vendor-supplied default passwords and settings
  2. Protect cardholder data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data over open, public networks
  3. Maintain a vulnerability management program
    1. Protect all systems against malware and regularly update anti-virus software
    2. Develop and maintain secure systems and applications
  4. Implement strict access control measures
    1. Restrict access to cardholder data to those with a business need to know
    2. Identify and authenticate access to system components
    3. Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes
  6. Maintain an information security policy
    1. Maintain a policy that addresses information security for all personnel

To demonstrate PCI DSS compliance, a company must undergo a validation of these requirements, and the form it takes depends on its merchant level. The card brands define four levels, based mainly on the annual transaction volume: the highest level requires an on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance, while lower levels may validate through a Self-Assessment Questionnaire (SAQ).

New in V4

The latest version of PCI DSS was published in March 2022; version 3.2.1 is retired at the end of March 2024, and a subset of the new requirements, marked as future-dated, become mandatory on 31 March 2025. This is a major update (as proof, the official reference document now runs to 360 pages, against 139 for the previous version), developed in collaboration with many companies in order to better meet current security needs. The new version pursues several goals:

  • Continue to meet the security needs of the payment industry and its new practices; for example, multi-factor authentication is now required for all access to the cardholder data environment, password rules are stricter (minimum length raised to 12 characters), and access privileges must be reviewed on a regular basis
  • Promote security as a continuous process, crucial to protecting payment data: clear assignment of roles and responsibilities for each requirement, guidance on the intent of each requirement, customised reporting for the assessment, etc.
  • Increase flexibility for organisations that use different methods to achieve their security objectives, with the introduction of the "customized approach" for implementing and validating PCI DSS requirements alongside the traditional defined approach
  • Enhance validation methods and procedures, in particular by aligning the information in the Report on Compliance (ROC) or SAQ with the Attestation of Compliance (AOC)


Through the "strict access control measures" objective, IAG (Identity and Access Governance) falls squarely within the scope of PCI DSS. Among the objectives to be met, recall:

  • Review of all user accounts and their associated access privileges
  • Review of application and system accounts and their privileges
  • Restriction of access to system components to what is strictly necessary for the job (least privilege and need to know)
  • A review of access privileges at least once every six months (requirement 7.2.4 in version 4.0)

Meeting these requirements raises several questions for the company:

  • How to normalise the various data coming from heterogeneous environments?
  • How to handle the specifics of the company's IT landscape?
  • How to obtain buy-in from the business?
  • How to streamline the administration of multiple reviews?
  • Can this be achieved with a satisfactory ROI?

A solution dedicated to IAG can adapt to the company's needs, starting with a transformation module that interprets and normalises the raw information extracted from the various application and system environments.

A relevant model of the IT landscape built from this data is then the basis for the analyses: search functions, detection of anomalies in the allocation of rights, and checks against segregation-of-duties (SoD) rules.

The review itself is delivered to the business through an accessible, customisable and ergonomic web interface, with review campaigns organised by organisation or by resource. This portal carries additional functions to meet the company's needs: highlighting the rights to be reviewed first, tracking personnel moves, pre-validation against an entitlement matrix, etc.
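As an added illustration of the review steps listed above (this is example code written for this page, not Kleverware's product code), the Python script below takes two constructed exports, a directory dump and a payment application's entitlement list, normalises them into a single entitlement vocabulary, models each account, then flags SoD conflicts, system accounts, orphan accounts and accounts whose privileges have not been reviewed within six months, and finally groups the findings into a review campaign per organisation. The file formats, the entitlement mapping, the `svc-` naming convention for system accounts and the SoD rule are all assumptions made for the example.

```python
"""Toy identity and access governance pass over constructed exports (example code)."""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample exports for the example; none of this is real data.
# Source 1: an LDAP-style directory dump, one row per account.
DIRECTORY_CSV = """uid,manager,org,groups,last_review
alice,bob,finance,"cn=pay-create;cn=pay-approve",2023-11-15
bob,carol,finance,cn=pay-approve,2023-11-15
dave,bob,it,cn=db-admin,2023-08-01
svc-batch,,it,cn=db-admin,2023-11-15
"""
# Source 2: a payment application's entitlement export, tab-separated.
PAYAPP_TSV = """login\trole\tgranted
alice\tPAYMENT_CREATE\t2023-01-10
alice\tPAYMENT_APPROVE\t2023-06-02
bob\tPAYMENT_APPROVE\t2022-03-03
erin\tPAYMENT_CREATE\t2021-05-05
"""
# Source 3: HR feed of active people, used to spot orphan accounts.
HR_ACTIVE = {"alice", "bob", "carol", "dave"}

# Normalisation: each source's raw right is mapped onto a common vocabulary
# (the mapping and vocabulary are assumptions for this example).
ENTITLEMENT_MAP = {
    "cn=pay-create": "payment:create",
    "cn=pay-approve": "payment:approve",
    "cn=db-admin": "cde:db-admin",
    "PAYMENT_CREATE": "payment:create",
    "PAYMENT_APPROVE": "payment:approve",
}
# Segregation-of-duties rule: one account must not both create and approve payments.
SOD_RULES = [("payment:create", "payment:approve")]
# PCI DSS v4.0 requirement 7.2.4: review privileges at least once every six months.
REVIEW_PERIOD = timedelta(days=183)
SYSTEM_ACCOUNT_PREFIX = "svc-"  # naming convention assumed for this example


@dataclass
class Account:
    uid: str
    manager: str | None = None
    org: str | None = None
    entitlements: set[str] = field(default_factory=set)
    last_review: date | None = None


def load_accounts() -> dict[str, Account]:
    """Build one normalised account model from the heterogeneous exports."""
    accounts: dict[str, Account] = {}
    for row in csv.DictReader(io.StringIO(DIRECTORY_CSV)):
        acc = accounts.setdefault(row["uid"], Account(row["uid"]))
        acc.manager, acc.org = row["manager"] or None, row["org"] or None
        acc.last_review = date.fromisoformat(row["last_review"])
        for group in row["groups"].split(";"):
            acc.entitlements.add(ENTITLEMENT_MAP.get(group, f"unmapped:{group}"))
    for row in csv.DictReader(io.StringIO(PAYAPP_TSV), delimiter="\t"):
        acc = accounts.setdefault(row["login"], Account(row["login"]))
        acc.entitlements.add(ENTITLEMENT_MAP.get(row["role"], f"unmapped:{row['role']}"))
    return accounts


def find_anomalies(accounts: dict[str, Account], today: date) -> dict[str, list[str]]:
    """Return uid -> findings that a reviewer must act on."""
    findings: dict[str, list[str]] = defaultdict(list)
    for uid, acc in accounts.items():
        if uid.startswith(SYSTEM_ACCOUNT_PREFIX):
            findings[uid].append("system account: confirm owner and documented need")
        elif uid not in HR_ACTIVE:
            findings[uid].append("orphan: no active HR record")
        for a, b in SOD_RULES:
            if a in acc.entitlements and b in acc.entitlements:
                findings[uid].append(f"sod: holds both {a} and {b}")
        if acc.last_review is None or today - acc.last_review > REVIEW_PERIOD:
            findings[uid].append("review: privileges not reviewed within six months")
        findings[uid].extend(f"unmapped entitlement {e}" for e in sorted(acc.entitlements)
                             if e.startswith("unmapped:"))
    return {uid: items for uid, items in findings.items() if items}


def build_campaign(accounts: dict[str, Account],
                   findings: dict[str, list[str]]) -> dict[str, list[str]]:
    """Group review items by organisation so each owner only sees their own scope."""
    campaign: dict[str, list[str]] = defaultdict(list)
    for uid, items in findings.items():
        campaign[accounts[uid].org or "unassigned"].extend(f"{uid}: {i}" for i in items)
    return dict(campaign)


def run_review(today_iso: str) -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Convenience entry point: findings and campaign for a given review date."""
    accounts = load_accounts()
    findings = find_anomalies(accounts, date.fromisoformat(today_iso))
    return findings, build_campaign(accounts, findings)


if __name__ == "__main__":
    _, campaign = run_review("2024-03-31")
    for org, items in campaign.items():
        print(org)
        for item in items:
            print("   ", item)
```

Run as-is, the script reports alice's SoD conflict to the finance reviewer, dave's overdue review and the svc-batch system account to the IT reviewer, and erin (present only in the application, absent from HR, never reviewed) under "unassigned", which is exactly the kind of account a six-monthly campaign is meant to surface.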

A solution such as Kleverware IAG for example 🙂
