Business Reporter

Payment cards: meeting new PCI standards

Kurt Jung at Progress explains why businesses must take steps to remain PCI DSS 4.0.1 compliant

For financial services organisations with applications that use or store financial or personal data, security failures can mean serious consequences—from large fines and regulatory investigations to potential business failure. Regulations are continually evolving to make credit card handling more secure at a time when cyber-attacks are increasingly common and more sophisticated.

And the risks are very real. In December 2024, five million U.S. citizens’ credit and debit card details leaked because an Amazon S3 bucket, a cloud storage container, was left unprotected.

Those who process credit card information must now meet a new compliance deadline of 31st March 2025. The PCI Security Standards Council (PCI SSC) has revised the Payment Card Industry Data Security Standard (PCI DSS) to v4.0.1, which mandates that businesses handling card payments deploy new technology to meet new anti-phishing requirements.

However, research has revealed that almost two-thirds (62%) of organisations have not yet implemented the safeguards required to remain PCI DSS compliant. Failing to comply risks fines, reputational damage and operational disruption.

Financial services tech teams must be aware of the implications of this new standard, as several of its requirements have been updated and many former “best practice” recommendations have become mandatory requirements. There are also ways to make embracing the changes by the 31 March deadline easier.

The key changes to PCI DSS 4.0.1

Whilst PCI DSS v4.0.1 mainly clarifies existing requirements and guidance rather than introducing major changes, the key technology investment required is captured in Section 6.4 of the new standard. This states that “Public-facing web applications are protected against attacks”, meaning that these businesses now require a Web Application Firewall (WAF), either on-premises or cloud-based, installed in front of their public-facing web applications. Its purpose is to check all traffic in order to detect and prevent web-based attacks.

More specifically, requirement 6.4.2 replaces requirement 6.4.1, with the new requirement stating: “For public-facing web applications, [a solution] is deployed that continually detects and prevents web-based attacks…A web application firewall (WAF), which can be either on-premises or cloud-based, installed in front of public-facing web applications to check all traffic, is an example of [a solution] that detects and prevents web-based attacks….”

This is a significant change from the existing requirement, which only states that organisations must use “manual or automated application vulnerability security assessment tools or methods…at least once every 12 months.”

With a new mandatory requirement to purchase, deploy and train staff on a WAF, organisations face the usual detailed investment process for additional security equipment. Fortunately for those approaching the new requirements at the last minute, load balancers with built-in WAF functionality are now available both on-premises and in the cloud, enabling organisations to meet the new requirements rapidly.

WAF: why is it essential for security?

In information security, the most effective way to protect a high-value asset such as a web service is to use multiple independent layers of defence. For web applications and websites, a WAF is the dedicated layer of defence.

A WAF complements and enhances traditional firewall protection. However, it cannot inspect encrypted web traffic on its own: unless that traffic is decrypted before it reaches the WAF, it has no visibility into the content.

A WAF is a device or service that inspects and filters web (HTTP) traffic and proactively blocks malicious-looking requests before they reach the application server. Using lists of known attack methods plus anomaly detection, the web application firewall can deny access to web servers when it detects malicious activity, stopping potential breaches in their tracks.

Risks of web application breaches

Any internet-facing or mission-critical web application should be afforded the protection a WAF provides, but it is especially important for web applications that use financial, personal or confidential information in any way. These are particularly attractive to attackers and present a high security risk.

The most advanced WAF functionality can detect and mitigate the most common kinds of attacks facing financial applications today, including the attack vectors highlighted in the Open Web Application Security Project (OWASP) Top 10, along with many other types of attack. The OWASP Top 10 lists the most common and important security risks to web applications, and WAFs ship with pre-defined rulesets to counter these vulnerabilities.
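To make concrete how the signature-list-plus-anomaly-detection inspection described earlier and the OWASP-style rulesets mentioned here fit together, the following is an added example written for this page; it is not code from Progress, Kemp or the OWASP project. The rules, the scoring threshold and the sample requests are all constructed for illustration, and the scan is performed over the decoded request surface a WAF would see after TLS has been terminated in front of it.

```python
import re
from urllib.parse import unquote_plus

# Constructed, illustrative signature rules in the style of a WAF ruleset (not a
# copy of any vendor or OWASP CRS rule file). Each entry: id, description, regex, score.
RULES = [
    ("SQLI-1", "quoted SQL tautology (e.g. ' OR 1=1)",
     re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"), 5),
    ("SQLI-2", "SQL keyword in request data",
     re.compile(r"(?i)\b(union|select|drop|insert)\b"), 3),
    ("SQLI-3", "SQL comment sequence", re.compile(r"--|/\*"), 2),
    ("XSS-1", "script tag, event handler or javascript: URL",
     re.compile(r"(?i)<script|onerror\s*=|javascript:"), 5),
    ("TRAV-1", "directory traversal", re.compile(r"\.\.[/\\]"), 5),
]
BLOCK_THRESHOLD = 5       # anomaly-scoring mode: block only when the total reaches this
MAX_SURFACE_LEN = 2000    # crude anomaly heuristic for oversized requests

def decode(s):
    """Decode URL encoding twice so double-encoded payloads (%252e) are normalised."""
    return unquote_plus(unquote_plus(s))

def inspect(path, query="", body=""):
    """Scan the decoded request surface a WAF sees. Returns (decision, score, rule ids)."""
    surface = " ".join(decode(part) for part in (path, query, body))
    matched, score = [], 0
    for rule_id, _desc, pattern, points in RULES:
        if pattern.search(surface):
            matched.append(rule_id)
            score += points
    if len(surface) > MAX_SURFACE_LEN:      # anomaly signal independent of any signature
        matched.append("ANOM-LEN")
        score += 2
    decision = "BLOCK" if score >= BLOCK_THRESHOLD else "ALLOW"
    return decision, score, matched

# Constructed sample requests (path, query) as a WAF in front of a shop would see them.
SAMPLE_REQUESTS = [
    ("/products", "id=42"),                                   # benign
    ("/products", "id=42%27+OR+1%3D1"),                       # SQL tautology
    ("/search", "q=select+a+laptop"),                         # keyword only: logged, allowed
    ("/products", "id=1+UNION+SELECT+1,2--"),                 # two weak signals add up
    ("/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),     # encoded script tag
    ("/static/..%2F..%2Fetc%2Fpasswd", ""),                   # traversal in the path
]

def run_samples(requests=SAMPLE_REQUESTS):
    """Apply inspect() to each request and return the decisions in order."""
    return [inspect(path, query) for path, query in requests]

if __name__ == "__main__":
    for (path, query), (decision, score, rules) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{decision:5} score={score} rules={rules or '-'} {path}?{query}")
```

The third sample shows why production WAFs use a scoring threshold rather than blocking on any single signature: a lone SQL keyword in a search box is logged but not blocked, whereas the combination of a keyword and a comment sequence crosses the threshold.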

Benefits of application delivery controllers

For those seeking rapid compliance, an application delivery controller, such as the Progress Kemp LoadMaster load balancer, is flexible, quick to deploy and easy to configure through its intuitive web user interface. It’s available on all common hypervisors, can be found directly in the big public clouds and is available as a hardware appliance. It brings the benefits of making applications highly available, resilient and scalable, in addition to the security advantages outlined so far.

An international financial services business may even need a fleet of WAFs, with assets potentially spanning many disparate sites, countries and continents.

Resilience with web application cyber-security

Many businesses may find meeting the new requirements for PCI DSS v4.0.1 challenging. However, by upgrading their security tools, organisations are adding a critical security layer and elevating their security posture.

For many e-commerce merchants, meeting new guidelines is just another call for investment. However, in a continually evolving cyber-landscape, it will enable them to better secure their sensitive payment data and foster valuable trust with customers and stakeholders.

Kurt Jung is Principal Solution Engineer at Progress. The company has recently launched the SaaS-based LoadMaster 360 platform to simplify WAF configuration.

Main image courtesy of iStockPhoto.com and Sergii Kolesnikov

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543