Implement Zero Trust Principles in PCI DSS

Published on : 23 Nov 2021


Zero Trust Principles in PCI DSS

The situation of the COVID-19 pandemic has drastically changed the way companies work today in the current scenario. With many organizations still working remotely, it has exposed them to several new risks and cyber threats. Besides, the increased use of cloud platforms supporting various devices and networks has opened doors for attacks and account infiltrations.

Working in an uncontrolled environment with limited security measures in place turns out to be a completely different challenge for organizations to now deal with. Especially, retail businesses who have always been a soft target to sophisticated cybercrimes, find it challenging to ensure security and maintain PCI Compliance in the remote working scenario

However, implementing Zero Trust Principles in the PCI Compliance program will address this issue and ensure high-level security against various cyber-attacks. Zero Trust Principle is a proactive defense mechanism that strengthens and broadens the security perimeters to even the remote work process. #PCIDSS #Paymentsecurity Click To Tweet

It further helps ensure that organizations are compliant with various Data Security and Privacy standards. Elaborating more on this we have explained how organizations can implement Zero Trust Principles in PCI DSS and improve the compliance program. But before that, let us first learn a bit about the Zero Trust Principles and techniques of implementing them in the PCI Compliance program. 

What is the Zero Trust Principle? 

Zero Trust Principles is a defense mechanism that can strengthen the security posture of your systems and infrastructure. The security model works on a simple premise or assumption that your organization’s IT infrastructure and network are always hostile and exposed to both internal and external threats at all times. So, the security model works on “never trust and always verify” principles that ensure limited access that is further password-protected, verified, and authenticated. The architecture of this security model is based on the key principles around which the security measures must be implemented. 

Visibility

You need to have clear visibility of all devices, networks, systems, and user access granted to secure your organization’s IT Infrastructure. This requires you to understand the security posture of the entire Infrastructure including the firewall and antivirus status, OS patch, screen-locks, biometrics, encryptions, physical locks, implemented. Further, constant monitoring of these elements is crucial to secure the infrastructure thoroughly.

Such information will help build an inventory of all endpoint devices and further ease the administrative process for monitoring devices and addressing gaps in security systems. So, any case of unusual activity detected will get immediately flagged and tracking of all the activity will undertake in real-time. This will further facilitate comprehensive security checks.

Access Control

Zero Trust Principle calls for strict controls on access to critical systems, applications, and networks. The principle requires every device to be authorized and constantly monitored to ensure no device is compromised. Implementing stringent access controls is the key requirement in Zero Trust Principles. This helps minimize the attack surface on the network. Administrators must implement strict access controls and enforce the same through adaptive role-based access policies. This will help you stay ahead of the threat actors trying to gain unauthorized access. 

Access Verification

Zero trust means no trust without verification. So, verification is the key factor of security that must be applied to all critical assets, systems, and networks. You need to at all times keep a track of authentication and authorization of all access requests to ensure stronger security in your organization.

Implementing multi-factor authentication (MFA) security control is necessary to ensure the establishment of best security practices. Simply relying on passwords cannot ensure security in today’s evolving threat landscape. Constant monitoring and verification will strengthen the defense against the evolving cyber risks.

Least Privilege

Another significant zero trust principle is the least privilege access. This simply means providing users limited access based on their requirements and day-to-day roles and responsibilities. The permission granted for access should also be authenticated, verified, logged, and monitored constantly.

It is a widely adopted cybersecurity measure and an industry-best security practice that helps protect sensitive data and networks. Implementing least privilege is a fundamental step towards protecting privileged access to high-value and sensitive data and assets. This helps minimize the exposure to sensitive data and networks.

Segmentation

Zero Trust Principles call for segmentation or micro-segmentation of networks. To strengthen the security perimeter, it is important to set boundaries around networks that comprise critical data. So, this way perimeter-based security ensures the least visibility and access/traffic to the network. 

This helps monitor and track critical networks at granular levels and ensures strict security around them. This can further be backed by separate access controls established for privilege access. Such network segmentation also requires constant monitoring of granular access control to eliminate risk exposure and excess privileges. 

free consulting

How can Zero Trust Principles be aligned with PCI DSS? 

PCI DSS Compliance is a standard designed and established to ensure the implementation of maximum security for protecting sensitive cardholder data in the retail industry. Compliance with PCI DSS requires organizations to implement all the 12 requirements outlined by the PCI Council. However, in the evolving threat landscape merely implementing the 12 PCI DSS requirements will not suffice the security requirement. This is when and why integrating the Zero trust principles to seal the security controls to an advanced level is required. Explaining this we have shared how Zero Trust Principles can be applied to PCI DSS applied for ensuring maximum protection.

PCI DSS RequirementPCI DSS RequirementDescription of PCI DSS Requirements

Zero Trust Principles
Requirement 1- Build and Maintain a Secure Network.1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Organizations are expected to implement firewalls in every system and device that employees have access to including their personal devices that they use for work. Further, vendor-supplied default passwords are restricted to be used.

Based on the Visibility Principle, organizations must keep a track of every system and device used by all the employees and ensure the required firewalls are installed. Further, this should be monitored constantly and additionally ensured that the firewall implementations cannot be modified or disabled from the system and application by employees.

Additionally, based on the Access Verification principle, passwords set and used must be constantly verified and monitored with multi-factor authentication implemented.
Requirement 2 Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Organizations must implement security controls that ensure maximum protection of cardholder data. this should be achieved through the process of encryption

As per the zero-trust principles not only should the organization keep a constant track of encryption status but also implement segmentation or micro-segmentation of the network to ensure the network is filtered and limited to only privilege access.

Requirement 3 – Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Organizations must not just install firewalls and antivirus on their devices and software but also monitor and track its regular updates.

The zero trust principle requires organizations to build an inventory of devices, applications, and software installed to constantly monitor them and ensure all software’s are updated from time to time.
Requirement 4 – Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Organizations are required to implement access control measures to ensure restricted access to sensitive data and networks. This requires assigning unique IDs and physical access controls to devices and systems.

While the access control principle calls for implementing security controls to ensure minimum access, but it also requires the organizations to verify, authenticate and constantly monitor the activities of users to whom the access is granted. Cross verification of access through authorizations and authentication is crucial. Besides, the Zero Trust Principle also calls for maintaining the least access privilege to role-based users and reviewing the privilege access policy from time to time.

Requirement 5 – Regularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Organizations are required to keep a track of access to networks and monitor them constantly. Further, security tests are required to be conducted to ensure the effectiveness of controls in place.

Zero Trust Principle requires constant monitoring and tracking of all the access controls and privilege access granted to users. The access granted should be authenticated, verified, logged, and monitored regularly to detect anomalies and for quick remediation. Organizations must maintain an up-to-date inventory of systems and configuration standards enforced on users working remotely.
Requirement 6 – Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Organizations enforce security controls through defined policies, procedures, and processes. The PCI requirement further calls for maintaining policies for employees, contractors, and even vendors having access to critical data.

As the Zero trust policy works on the principle of no trust without verification, your organization must accordingly develop an enforceable Zero Trust policy and procedure. This policy should ensure that organizations build a strong security control measure and not automatically trust the implemented access controls. Instead, there must be policies that back the process of verifying and authenticating the access granted to systems and networks.

Conclusion

The Zero trust principle strengthens the security control measures implemented as per PCI DSS requirements. It adds a layer of security to the PCI security control requirements. This further cements the defense systems of the organizations. Implementing these principles will also secure the organization against unknown internal threats that are often neglected.  Integrating Zero trust principles in PCI DSS significantly reduces the growing risk exposure and makes the compliance process more achievable. Overall, integrating PCI DSS and Zero Trust Principle provides an effective strategy for robust security and network resilience. 

Hope this blog was informative and helps your organization build a strong security defense.  Do share your feedback and thoughts on the same and let us know your opinion on the idea of integrating PCI DSS and the Zero Trust Principle. 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.