PCI DSS 4.0 and its impact on FinTech and client-side security

Payment data, particularly on the client side, is extremely vulnerable. PCI DSS 4.0 hopes to bring more protections, but what will its impact be? Feroot Security CEO Ivan Tsarynny has some thoughts.

The new regulation will fully come into effect on 31 March 2025 and marks the first major update to the standards since 2013. The PCI Security Standards Council has offered several options to ease compliance. As a result, PCI DSS v3.2.1 will remain in place until March 2024 so firms can take time to grasp the necessary changes. There is an additional year for organisations to implement new requirements identified as best practices and for assessors to complete training.

Although the implementation deadline is a long way off and there is a great deal of flexibility, Tsarynny urged companies to “start now.” Meeting the deadlines requires pre-planning and early implementation: the changes to the regulation are substantial and cannot be rushed as the deadline approaches.

Tsarynny outlined several of the new requirements that will take a lot of resources to implement. For example, Requirement 1 expects organisations to support a broader range of technologies to meet security objectives that were previously achieved by firewalls in PCI DSS 3.1. Requirement 3 has multiple new sections around managing sensitive authentication data and primary account numbers, while Requirement 6 has several new sub-requirements that will significantly impact how businesses identify, inventory and manage scripts operating in web browsers that collect payment information.

The final ones outlined by Tsarynny were Requirements 12 and 13, which expand the compliance scope and make compliance continuous. They also include an expanded risk analysis for any custom controls and require merchants and service providers to conduct annual reviews of hardware and software technologies. These changes cannot be implemented effectively at the flip of a switch.

The regulation also puts emphasis on the client side of operations, which has its own set of challenges to overcome. One example offered by Tsarynny related to Requirement 6, which affects how firms maintain bespoke and custom software inventories, deploy automated technical solutions for public-facing web applications and manage the scripts that execute in a customer’s browser. Tsarynny said, “If you’re a mid-size to larger business with thousands of client-side scripts, you need to prepare for how you inventory and securely manage those scripts in order to demonstrate your processes through assessments to your Qualified Security Assessors (QSAs).”
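As an added illustration of the script inventory work Requirement 6 calls for (this is example code, not Feroot's tooling), the block below reads every script tag on a page into plain records, classifies each as first- or third-party, and flags anything that is not on an approved list or lacks a Subresource Integrity hash. The page origin, allowlist and sample script records are constructed for the example.

```javascript
// Added example: a minimal client-side script inventory for a payment page.
// Not Feroot's code; origins, allowlist and sample records are constructed.

// Browser-only collector: turns every <script> on the page into a plain record.
function collectScripts(doc) {
  return Array.from(doc.scripts).map((s) => ({
    src: s.src || null,                      // null for inline scripts
    integrity: s.integrity || null,          // SRI hash attribute, if present
    inlineLength: s.src ? 0 : s.text.length, // size of inline body, if any
  }));
}

// Pure function (runs in Node or browser): builds the inventory and the
// findings a reviewer should act on before an assessment.
function buildScriptInventory(scripts, pageOrigin, allowlist) {
  const approved = new Set(allowlist);
  const inventory = [];
  const findings = [];
  for (const s of scripts) {
    if (!s.src) {
      // Inline code has no URL to allowlist; it must be tracked by content hash.
      inventory.push({ src: "(inline)", party: "first", approved: false });
      findings.push(`inline script (${s.inlineLength} chars): record and approve by content hash`);
      continue;
    }
    const origin = new URL(s.src, pageOrigin).origin;
    const party = origin === pageOrigin ? "first" : "third";
    const isApproved = approved.has(s.src);
    inventory.push({ src: s.src, party, approved: isApproved });
    if (!isApproved) findings.push(`unapproved script: ${s.src}`);
    if (party === "third" && !s.integrity) findings.push(`no SRI hash on third-party script: ${s.src}`);
  }
  return { inventory, findings };
}

// Constructed sample of what collectScripts() might return for a checkout page.
const sampleScripts = [
  { src: "https://shop.example/js/checkout.js", integrity: null, inlineLength: 0 },
  { src: "https://cdn.example-psp.com/v1/pay.js", integrity: "sha384-CONSTRUCTED", inlineLength: 0 },
  { src: "https://analytics.example.net/tag.js", integrity: null, inlineLength: 0 },
  { src: null, integrity: null, inlineLength: 120 },
];
const sampleAllowlist = [
  "https://shop.example/js/checkout.js",
  "https://cdn.example-psp.com/v1/pay.js",
];

function sampleReport() {
  return buildScriptInventory(sampleScripts, "https://shop.example", sampleAllowlist);
}
```

In a real deployment the allowlist entries would carry the approved content hashes and the business justification for each script, and the report would be re-run on every release rather than once a year.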

With a nine-year gap since the last major version of PCI DSS, infrastructure within companies has completely changed. Tsarynny pointed to the wider use of cloud platforms, web applications and third-party software suppliers, and greater reliance on the software supply chain. All of these need to be accounted for in security frameworks. On the other side, criminals have also evolved their tactics and methods over the years. Then there is the pandemic, which has pushed more people to buy products online.

The impact on FinTechs and client-side security?

Tsarynny reiterated that PCI DSS is the “gold standard” for how financial services and businesses manage and protect sensitive cardholder data. As a result, this update is going to send big shockwaves through the sector.

He said, “PCI 4.0 significantly expands the compliance scope by placing more emphasis on risk analysis and organisational governance. Compliance activities are no longer limited to once annually. Now, businesses will need to engage in compliance continuously. In addition, organisations will be required to produce more security documentation. And regular assessments by QSAs will place any PCI 4.0 activities under added scrutiny.”

Whenever there is change, it is easy to forget the bigger picture and the positive impact it can have. But PCI 4.0 brings plenty of positive change. “Security personnel are always hearing about how “threats are growing,” and at the risk of sounding like a broken record, client-side security has been ignored for so long that Magecart, formjacking, and other skimming-style attacks are rapidly growing,” Tsarynny added. “As FinTech companies begin to fully embrace PCI 4.0, first as best practices, and then as codified processes and standards, we will begin to see some really positive impacts when it comes to protecting both the cardholder data environment (CDE) and the actual cardholder data.”

A custom approach

To offer greater flexibility, there is a new customised approach to implementation. This allows mature firms to design their own controls, provided those controls meet the objective of each requirement.

This method is an extension of an allowance in PCI DSS 3.2.1, which let organisations that could not meet a control provide an alternative and justify it with a risk assessment and a detailed compensating control worksheet (CCW). In PCI DSS 4.0, companies can still do a risk assessment and a CCW, but they can also opt for a customised control approach.

“The benefit to this is that it gives more mature organisations flexibility when it comes to complying with PCI DSS, while building systems, processes, and controls that address the changing threat landscape and evolving technologies,” Tsarynny added. “It also creates longer-term security controls, rather than short-term compensating controls.”

Another benefit of this customised approach is that it is better placed for an unknown future. Tsarynny stated “you don’t know what you don’t know,” and the threat landscape and the technology available will likely be very different by 2025, when PCI DSS 4.0 is in full effect.

However, Tsarynny believes the custom approach will only be utilised by companies that are already compliant with PCI DSS 3.2.1 and have teams in place to assess the requirements and implement a customised compliance process.

Payment data is extremely vulnerable

Despite the level of protections in place, firms are still at risk from criminals. Tsarynny said payment data is extremely vulnerable due to the use of JavaScript and a lack of knowledge around client-side security. “JavaScript is the predominant code that all web applications use—in fact, 98% of websites use JavaScript. But there are multiple problems with JavaScript. First, it was never built with security in mind, so it is easy for threat actors to access and manipulate it. JavaScript is also easy to code, enabling beginners or developers with little or no knowledge of security to create fractured and vulnerable client-side applications, which then become easy targets for threat actors.”

As for client-side security, Tsarynny said that a lot of businesses have ignored this problem in favour of server-side threats such as ransomware and APTs. The trouble is, most web application firewalls do not protect against supply chain attacks, sophisticated skimming malware, drive-by skimming, or sideloading and chainloading attacks, he said. Similarly, with payment data, companies focus on back-end threats rather than front-end issues.

This is why the updated PCI DSS regulation is needed. It will help organisations become better at protecting data on multiple levels. The new regulation will broaden the scope of card data security. Tsarynny added, “It also presents a more adaptive framework for entities that have mature cybersecurity and compliance systems in place, to enable them to address changing technology and threat concerns. And PCI DSS 4.0 enables smaller businesses to comply by ensuring the traditional requirements are accessible.”

With so many changes, it raises the question of whether this is a revolutionary step for payment security. While Tsarynny agreed it is a big change, he sees it as more evolutionary than revolutionary.

How Feroot can ease the burden

While support is available, as with most regulations it is easy to be overwhelmed. Feroot offers security tools so firms can quickly meet the client-side requirements.

One of the areas where Feroot really makes a difference is the requirements around identifying and creating an inventory of all scripts, as required by PCI DSS Requirement 6. Inspector, Feroot’s client-side attack surface monitoring tool, secures customer data from exfiltration through client-side attacks. It reduces manual code reviews through automated ‘synthetic users’ that crawl sites and applications, automatically mapping, monitoring and logging the client-side attack surface to detect abnormal application behaviour.

Its PageGuard tool blocks unauthorised and unwanted behaviour in real-time across an organisation’s web assets, preventing cardholder data exfiltration. Its DomainGuard leverages automation to identify first and third-party scripts, digital assets and data access. It then builds appropriate security policies, with easy monitoring, management, version control and continuous enhancement.

What makes Feroot’s tools special is that they apply automation and AI in the form of synthetic users. Tsarynny explained that the synthetic user technology in the Inspector tool takes the form of honeypot customers that imitate real user behaviour. These fake users can complete a range of tasks, such as logging in, filling in web forms, making purchases and other activities end users would perform. This helps uncover which applications and scripts are running on a given web application, what data third parties can access, and whether those parties can manipulate or use sensitive data in an unauthorised manner. Once revealed, PageGuard blocks the behaviour in real time across all of a company’s web assets.

Tsarynny added, “The challenge with traditional client-side security approaches is that there are too many businesses out there that are still using client-side tools and technologies that no longer protect against the risks associated with the software supply chain, cloud platforms, and an evolving threat landscape.” Companies are relying on old technology that cannot adapt and protect them from the latest threats in the market.

“Businesses have done a fantastic job protecting their networks from threat actors trying to access and steal sensitive data,” Tsarynny added. “Yet somehow, almost every day, we’re still reading about data breaches. What companies don’t realise—because it isn’t always reported on—is that not all of these breaches are happening on the back end. Quite a few of them are also happening on the client side. And without adequate client-side protection, these data breaches are going to keep happening.”

He urged cybersecurity professionals to be focused on protecting and defending customers and their data. Meeting compliance with PCI DSS 4.0 will help firms do this to a certain degree.

Tsarynny concluded, “Use the next few years to establish the PCI 4.0 best practices. Evaluate your current PCI DSS compliance level. Audit your assets and automate as much as you can using the latest tools and technologies that are designed specifically to support PCI DSS.”

From a FinTech perspective, it isn’t just retailers that are impacted by PCI DSS – it is any organisation that accepts credit cards, so this includes financial organisations, retailers, media and entertainment, and even healthcare and cryptocurrency exchanges.

Feroot was named in this year’s CyberTech100, a list highlighting the must-know companies in the sector.

Copyright © 2022 FinTech Global
