MSSPs Can Still Cash In on PCI DSS Compliance Challenges
PCI DSS compliance rules have been around for more than a decade, yet numerous retailers are still failing to meet the requirements and are exposing customer data to theft.
According to the Thales Group, 75 percent of U.S. retailers experienced a data breach last year, demonstrating how far behind U.S. retailers are on security. While that might not bode well for the holiday shopper, it does illustrate that retailers need help, and they need it now.
MSSPs can help address those security issues by helping retailers implement PCI DSS compliance correctly, and build long-term relationships as a result. Perhaps the biggest challenge comes in the form of educating retailers on best practices and helping them avoid the all-too-common problems that have led to breaches, compliance failures and the liabilities associated with processing payment cards. Naturally, those best practices can be translated into services that MSSPs can offer those retailers, including:
- Scope: PCI DSS defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes and technologies that handle cardholder data or can affect its security; yet many retailers fail to properly scope their environments, so critical systems such as domain controllers, key management systems, firewalls and numerous others are often left out of scope. MSSPs can help inventory those systems and bring them into scope, preventing compliance failures.
- Patching: One of the most critical elements for maintaining compliance involves keeping systems in the scope patched. The latest PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. Here, as part of the scoping process, MSSPs can identify critical systems and take on the role of patch management to ensure that all systems are patched properly.
- Access Audits: PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. Many organizations fail to audit remote access to verify that the controls are working as expected. Here, MSSPs can head up those audits and validate that the systems are compliant.
- Monitor and Review Audit Logs: PCI DSS requirement 10 covers all of the implementation details for logging and log monitoring within the CDE; however, many organizations fail to adhere to the requirement properly, rendering those logs worthless. MSSPs can institute the processes needed to review those logs and automate the analysis to discover errors and anomalies that might signal a threat, before any damage occurs.
- Limit Third-Party Access: Third-party vendors often request access to the CDE for many legitimate reasons, such as troubleshooting systems and installing updates; however, many retailers forget to audit that access and then turn it off, leaving a potential backdoor into the CDE. MSSPs can institute systems that monitor and limit third-party access to contain those threats.
- Change Default Passwords: Many systems within the CDE ship with default settings, passwords and so forth; for example, Wi-Fi access points are normally preconfigured with default credentials enabled. Many retailers forget to change those default configurations, leaving the CDE open to threats. MSSPs can locate those systems and ensure that proper passwords and security settings are enabled.
- Storing Sensitive Data: PCI DSS mandates the protection of Sensitive Authentication Data (SAD), which comprises full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more. Some retailers falsely believe that they must store all SAD for situations such as recurring billing. SAD is one of the biggest targets for cybercriminals, and MSSPs can help reduce exposure by implementing a third-party credit card vault and tokenization provider, which replaces SAD with a token during billing and payment authorization procedures.
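As an added illustration of the access-audit, log-review and third-party-access items above (example code written for this page, not from any MSSP or the PCI SSC), the following Python script reviews a constructed set of remote-access audit events and flags successful remote logins that lacked two-factor authentication, plus any use of a vendor account outside its approved access window. The JSON field names and the vendor approval table are assumptions for the example.

```python
import json
from datetime import datetime

# Constructed sample of remote-access audit events (JSON lines), not real data.
SAMPLE_LOG = """\
{"ts": "2019-11-18T09:02:11Z", "user": "jdoe", "src": "203.0.113.10", "access": "remote", "mfa": true, "result": "success"}
{"ts": "2019-11-18T09:05:40Z", "user": "svc_backup", "src": "10.0.0.5", "access": "local", "mfa": false, "result": "success"}
{"ts": "2019-11-18T22:14:03Z", "user": "vendor_pos", "src": "198.51.100.7", "access": "remote", "mfa": false, "result": "success"}
{"ts": "2019-11-19T03:30:00Z", "user": "vendor_pos", "src": "198.51.100.7", "access": "remote", "mfa": true, "result": "success"}
{"ts": "2019-11-19T10:00:00Z", "user": "admin", "src": "192.0.2.44", "access": "remote", "mfa": true, "result": "failure"}
"""

# Constructed vendor approvals: account -> (start, end) of the window in which access was authorised.
VENDOR_WINDOWS = {
    "vendor_pos": (datetime(2019, 11, 18, 8, 0), datetime(2019, 11, 18, 18, 0)),
}

def parse_events(text):
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def review_access(events, vendor_windows):
    """Return (finding, user, timestamp) tuples for successful logins that violate policy.

    - remote_login_without_mfa: remote access to an in-scope system without two-factor auth
    - vendor_access_outside_window: a third-party account used outside its approved window
    """
    findings = []
    for event in events:
        if event["result"] != "success":
            continue  # only successful access is a control failure here
        if event["access"] == "remote" and not event["mfa"]:
            findings.append(("remote_login_without_mfa", event["user"], event["ts"]))
        window = vendor_windows.get(event["user"])
        if window is not None and not (window[0] <= event["ts"] <= window[1]):
            findings.append(("vendor_access_outside_window", event["user"], event["ts"]))
    return findings

if __name__ == "__main__":
    for finding in review_access(parse_events(SAMPLE_LOG), VENDOR_WINDOWS):
        print(finding)
```

On the sample data the review produces three findings: one remote login without MFA and two uses of the vendor account after its approved window closed.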
The above best practices are only a small sample of everything involved in PCI DSS compliance; however, they are the areas where most merchants seem to need help. MSSPs can become the trusted insider, helping retailers maintain PCI DSS compliance and keeping those retailers' names from appearing in the news as breach victims.