Protecting card data with privileged access management controls

PCQ Bureau

Cybercriminals are always on the lookout for ways to exploit privileged credentials, as these credentials often provide them with access to sensitive data and systems. During the holiday season, when employees are more distracted and the pace of work is faster, the risk of cyber attacks increases.

India is one of the fastest-growing e-commerce markets, with growth coming from small towns as well as cities. Thanks to the availability of low-cost Internet and improved logistics infrastructure in Tier 2 and Tier 3 cities, the Indian e-commerce sector is growing at a phenomenal pace.

The growth in e-commerce can also be attributed to the change in shopping habits due to the Covid-19 pandemic and the lockdown that came with it. Most Indians became acquainted with the benefits of online shopping during the pandemic, and this habit continues even today and is preferred by many. A report by Bain and Flipkart, ‘How India Shops Online 2022’, states that the e-commerce market is expected to reach $50 billion in 2022. The report says that rising affluence in the country will fuel consumption and increase shopper spending, with India’s e-retail market estimated to grow to $150–$170 billion by 2027. This is a 25%–30% annual growth and a doubling of market penetration to 9%–10% over the next five years.

While these numbers are impressive, this growth can drop drastically if the industry does not take serious steps to address the issue of online fraud. For instance, according to the annual report by the RBI for the year ended March 2022, card and Internet fraud surged to a whopping $1.55 billion in 3,596 cases, compared to $1.19 billion in 2,545 cases in the same period a year ago. When e-commerce sales or online sales surge, payment fraud correspondingly increases.

If you are an organisation that handles credit or debit card information, now is the time to revisit the Payment Card Industry Data Security Standard (PCI DSS) guidelines so that you can protect your organisation, safeguard customer data, preserve trust and avoid hefty penalty fees.

PCI DSS compliance goals

Retailers, processors, service providers and other businesses that accept major payment cards and store, process or transmit cardholder data electronically must follow the PCI DSS guidelines and provide annual evidence of compliance. The global security standard aims to protect all parties involved in online transactions from damaging cyberattacks by safeguarding cardholders’ confidential data and mitigating security vulnerabilities and risks for merchants, such as unauthorised data access and disclosure.

PCI DSS 4.0 is the latest version published by the Payment Card Industry Security Standards Council, the standard’s governing body. It defines six principal goals and 12 high-level requirements and best practices for securing the network and system infrastructure and protecting confidential cardholder data.

As part of these goals, PCI DSS defines strong access control measures and multifactor authentication (MFA) methods to help prevent threat actors from breaching IT systems and stealing confidential cardholder data. Notably, the standard requires merchants to monitor and control access to all administrative accounts on point-of-sale (POS) terminals and other systems that manage cardholder data.

Addressing key PCI DSS requirements with strong privileged access management controls

Cybercriminals routinely look for ways to exploit privileged credentials — including those for administrative accounts on IT systems that handle credit card and debit card transactions — to orchestrate attacks and steal sensitive data. Especially during the hectic holiday season, distracted workers, lax credential management practices, and error-prone manual security processes provide them with ample opportunity.

Because of this, PCI DSS recommends that merchants consider using a privileged access management (PAM) solution to restrict access to privileged accounts and defend against data breaches. Cloud infrastructure entitlements management (CIEM) solutions help organisations reduce excessive permissions across systems hosting data in their cloud environments — satisfying another key PCI DSS requirement, to implement least privilege access.

Privileged access management controls work in concert to improve visibility and control over privileged accounts, isolate and monitor privileged sessions and help prevent unauthorized access.

These controls provide the foundation for a comprehensive Identity Security approach and the key to satisfying the following PCI DSS requirements:

  • Build and maintain a secure network by helping to isolate privileged sessions
  • Protect IT system data by securing credentials and secrets used by people and applications and protect cardholder data by updating and rotating credentials and secrets automatically based on policy
  • Maintain a vulnerability management program by defending against malware that exploits privileged accounts and preventing malware from spreading across systems
  • Implement strong access controls by enabling least privilege access and tracking privileged activity
  • Regularly monitor and test networks through monitoring capabilities that provide real-time visibility into live events; use threat analytics to identify anomalies and suspicious activity and use audit logs to provide historical records of privileged activity
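
As an added example (not from the article or from any CyberArk product), the following Python script checks two of the controls listed above on constructed data: the age of each privileged credential against a rotation policy, and privileged sessions on in-scope cardholder-data systems that lack MFA or fall outside an approved maintenance window. The policy values, account names, system classes, log format and time window are all assumptions.

```python
# Added example, not from the article or any CyberArk product: it checks credential
# age against a rotation policy and flags in-scope privileged sessions without MFA
# or outside an approved window. Policy values, names and log format are hypothetical.
from datetime import datetime
ROTATION_POLICY_DAYS = {"pos": 30, "cde-db": 30, "corp": 90}  # max age by class
IN_SCOPE = {"pos", "cde-db"}  # classes that store or process cardholder data
MAINTENANCE_WINDOW = (8, 20)  # approved hours for privileged sessions [start, end)

# Constructed vault inventory: (account, target class, last rotation date).
INVENTORY = [
    ("pos-admin", "pos", "2022-10-01"),
    ("cde-dba", "cde-db", "2022-12-10"),
    ("helpdesk", "corp", "2022-12-01"),
]

# Constructed privileged-session audit lines (key=value pairs, one per line).
AUDIT_LOG = """\
ts=2022-12-24T02:13:00 account=pos-admin target=pos-terminal-07 class=pos mfa=no src=10.1.5.9
ts=2022-12-24T10:05:00 account=cde-dba target=cde-db-01 class=cde-db mfa=yes src=10.1.2.4
ts=2022-12-24T23:40:00 account=cde-dba target=cde-db-01 class=cde-db mfa=yes src=10.1.2.4
ts=2022-12-24T11:00:00 account=helpdesk target=wiki-01 class=corp mfa=no src=10.1.7.3
"""

def rotation_violations(inventory, now_iso):
    """Return (account, age_days) for credentials older than their class policy."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for account, cls, rotated in inventory:
        age = (now - datetime.fromisoformat(rotated)).days
        if age > ROTATION_POLICY_DAYS[cls]:
            out.append((account, age))
    return out

def suspicious_sessions(log_text):
    """Flag in-scope privileged sessions that lack MFA or fall outside the window."""
    findings = []
    for line in log_text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        if ev["class"] not in IN_SCOPE:
            continue  # out-of-scope system: logged, but not a PCI DSS finding here
        hour = datetime.fromisoformat(ev["ts"]).hour
        reasons = []
        if ev["mfa"] != "yes":
            reasons.append("no-mfa")
        if not MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]:
            reasons.append("outside-window")
        if reasons:
            findings.append((ev["account"], ev["target"], reasons))
    return findings
```

On the constructed data, the POS administrator credential is 84 days old against a 30-day policy, and two in-scope sessions are flagged: the POS session (no MFA, 02:13) and the late-night database session (23:40).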

PCI DSS helps protect merchants by reducing security vulnerabilities and mitigating risk, and it helps protect consumers by safeguarding confidential cardholder data and defending against fraud and abuse. If your business accepts major credit cards or debit cards, you must adhere to the PCI DSS specifications and provide annual evidence of compliance. PAM solutions can help you improve your security posture and satisfy key PCI DSS requirements by gaining better visibility and control over privileged accounts. PCI DSS recommends merchants use PAM solutions to restrict access to privileged accounts and defend against data breaches. By embracing an identity security strategy centered on intelligent privileged access management controls, organizations can strengthen their overall security posture and protect confidential data.

Sumit Srivastava Solutions Engineering Manager India SAARC CyberArk

Author: Sumit Srivastava - Solutions Engineering Director - India at CyberArk