As the average cost of a breach hits $4.45 million, regulatory authorities are driving more industrywide requirements to address growing threats. The critical role payment and financial services play in the global economy means companies in this industry will be some of the first mandated to comply. That’s why it’s no surprise that the Payment Card Industry Security Standards Council (PCI-SSC) is updating its Data Security Standards (PCI DSS) to meet an increasingly challenging threat landscape.
PCI DSS v4.0 requires significant additional cybersecurity investment across the board for merchants and service providers that accept payment cards, from mandatory implementation of automated attack detection solutions to protections against phishing attacks. And while the new additions to the standard signal a great step toward industrywide security improvements, the clock is ticking toward the final date to embrace these new rules. It’s crunch time, and implementation of PCI DSS v4.0 can feel daunting for those assigned the task.
Hackers Extend Teams to Simplify how Organizations Meet Select PCI DSS Requirements
When new requirements are released, taking stock of existing solutions can help the burden of compliance. A clear example for payment and financial services companies is the global ethical hacker community, which has been supporting the industry in the identification of vulnerabilities since the 1970s.
Ethical hackers assist organizations by hacking their digital infrastructure in good faith, to find elusive vulnerabilities and report them before bad actors exploit these bugs, and so they are well positioned to support requirements in PCI standards. Understandably, if an organization is unfamiliar with vulnerability disclosure best practices, they may be reluctant to engage a hacker — but this is an outdated perspective. With a proper plan in place, thousands of organizations worldwide already engage with the global ethical hacker community to simplify how they find and fix vulnerabilities.
Advertisement
Organizations can engage hackers by adopting a vulnerability disclosure policy (VDP) or bug bounty program. These digital “see something, say something” policies allow hackers to report vulnerabilities and help security teams find and manage vulnerabilities faster. While VDPs guarantee the organization has a plan, bug bounty programs go a step further by incentivizing ethical hackers through monetary “bounties” or rewards to find and disclose vulnerabilities to an organization in good faith. PCI DSS v4.0 recognizes this strength, with Section 6.3.1 of PCI DSS guidance explicitly calling out the use of “bug bounty programs” as a solution to meeting their requirement for identifying vulnerabilities.
First Mover Advantage: Masters of Compliance Look Beyond Current Mandatory Standards
PCI DSS v4.0 is not the first PCI SSC standard that discusses engaging external researchers. Several other PCI standards already mandate VDPs for applicable organizations. These include PCI’s Mobile Payment on COTS (MPoC, at 1A-1.2) and 3-D Secure Software Development Kit (3DS SDK, at T.4.4.4) standards.
Coordinated Vulnerability Disclosure (CVD), or the coordinated disclosure and handling of newly identified vulnerabilities in products and services, is increasingly recognized as a fundamental security safeguard in regulations, standards, and best practices. VDPs are a form of CVD, which federal agencies and many contractors are required by law to have.
Many organizations with stringent security standards, including the U.S. Defense Department, have already adopted and seen improvements in their security posture through VDPs. The Department of Defense has identified more than 47,000 valid vulnerabilities through its VDP to date.
Major companies that handle payment data, and thus must be DSS compliant, have also built hacker-powered programs for vulnerability discovery and management, including Visa, PayPal, and Goldman Sachs. These industry leaders have demonstrated the value of leveraging the ethical hacker community to identify and mitigate vulnerabilities.
Compliance Can be Overwhelming, but You’re not Alone
It may be crunch time for compliance with PCI DSS 4.0, but this updated standard is an opportunity to accelerate your journey toward proactive security. More than 200,000 common vulnerabilities and exposures (CVEs) are out in the wild, and it requires a dedicated community of thousands of security experts to compile them all; no single organization could complete this feat alone. Organizations within the payments and financial services sectors are no exception, as any single entity is connected to vendors and partners through its backend. An embrace of VDPs and bug bounties represents a simpler road to compliance and a safer internet for everyone.
[This article is based on a presentation called What To Do When a Hacker Comes Knocking, delivered by Ilona Cohen and Harley Gieger at the PCI North America and Europe Community Meetings.]
Ilona Cohen is Chief Legal Officer, Chief Policy Officer and Corporate Secretary at HackerOne. She is a mission-driven General Counsel and executive team strategist with extensive experience resolving complex and high-profile problems, improving operations and building and managing high-performance teams. Formerly an Associate White House Counsel and Special Assistant to the President, Cohen is now responsible for strategically overseeing all worldwide legal functions of cybersecurity SaaS company HackerOne, including B2B and FedGov contracting, product counseling, litigation, regulatory, privacy, intellectual property, employment, incident response and more.
