Lately, we’ve been talking a lot about the increasing role of automation in cybersecurity and compliance. There are so many significant advantages in our field – helping to identify and respond to threats faster, in addition to scaling cybersecurity measures as businesses grow.
Right now, we are in a transition period as companies adopt the standards set out in the new PCI DSS 4.0. Some of the notable requirement changes in this version recently released by the PCI SSC include automation. This means that, in order to comply with PCI controls, it will now be necessary to implement automated processes. And we expect this to become the norm with most frameworks moving forward.
And it’s not just us – even Gartner is on board, predicting that “by 2025, 50% of enterprises will use artificial intelligence and automation for managed Detection and Response (MDR).” So, it should come as no surprise that the new PCI DSS 4.0 guidelines, which were released this June, have a strong focus on automation.
Related article: How Automation Became a Critical Tool in Cybersecurity Compliance.
What Should Be Automated According to PCI DSS 4.0?
Not all of these are explicit PCI compliance requirements at this point, but these are the cybersecurity industry best practices when it comes to protecting cardholder data in the quickest and most accurate way.
One example is reviewing logs. Logs used to be reviewed manually; now, PCI DSS 4.0 requires that logs be subject to automated review. The updated requirements recognize the importance of continually monitoring activity in order to better safeguard credit card and financial data.
Automation makes it possible to run daily log reviews and spot irregular activity on servers and network devices. Plus, it brings far more computing power to the task, making reviews more consistent and accurate. Ultimately, automation removes manual bottlenecks, inconsistencies from person to person, and simple human error.
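As an added illustration of the kind of daily automated review described above (example code written for this article, not something from the PCI SSC or from any vendor), the following script parses constructed SSH authentication log lines and flags two irregularities: a burst of failed logins from one source against a CDE host, and a subsequent successful login from that same source. The log format, hostnames, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-03-04T02:14:01Z cde-db01 sshd: Failed password for root from 203.0.113.7
2024-03-04T02:14:03Z cde-db01 sshd: Failed password for root from 203.0.113.7
2024-03-04T02:14:05Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:14:08Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:14:10Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:14:12Z cde-db01 sshd: Accepted password for admin from 203.0.113.7
2024-03-04T09:30:00Z cde-app01 sshd: Accepted publickey for deploy from 10.0.5.20
2024-03-04T10:05:11Z cde-app01 sshd: Failed password for deploy from 10.0.5.21
"""

# Assumed line layout: "<timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <source>"
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")


def parse(lines):
    """Turn raw lines into (timestamp, host, result, user, source) tuples."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production review would report unparsed lines separately
        ts, host, result, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, result, user, src))
    return events


def review(lines, threshold=5, window=timedelta(minutes=5)):
    """Return findings as (kind, host, source, timestamp) tuples.

    kind is "brute_force" when a source accumulates `threshold` failures
    against one host inside `window`, and "success_after_brute_force" when
    that same source later authenticates successfully to that host.
    """
    findings = []
    failures = defaultdict(list)  # (host, source) -> recent failure timestamps
    flagged = set()
    for ts, host, result, user, src in sorted(parse(lines)):
        key = (host, src)
        if result == "Failed":
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(("brute_force", host, src, ts))
        elif key in flagged:
            findings.append(("success_after_brute_force", host, src, ts))
    return findings
```

Running `review(SAMPLE_LOGS)` on the constructed input yields one `brute_force` finding followed by one `success_after_brute_force` finding, both for host `cde-db01` and source `203.0.113.7`.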
Other new criteria laid out in PCI DSS 4.0 state that public-facing web applications must have an automated technical solution in place to continuously detect and block web-based threats in real time. The option in Requirement 6.4.1 to ‘review online applications using manual or automated application vulnerability assessment tools or techniques’ has been removed by this new requirement. This change demonstrates the urgent need to implement automated web application solutions for vulnerability assessment that help teams respond to incidents and fix issues.
Micro Network Segmentation
In previous versions of the PCI DSS, companies were only required to segment their cardholder data environment (CDE) if it was “deemed necessary.” Now, with PCI 4.0, this has changed – all companies must segment their CDE unless it can be validated that it is not possible. And, if your organization is using virtualization technologies in the CDE, these must also be segmented.
The best way to achieve this requirement is through micro-segmentation. Micro-segmentation is a security technique that involves dividing a network into smaller subnetworks, or segments. This limits the spread of malware and other threats, containing them to a smaller area and making it easier to identify and isolate the source of the attack. Plus, with micro-segmentation, you can granularly control access to applications and data, further reducing the risk of a breach. If a breach does occur, your team can quickly identify which systems are affected and take steps to contain the damage.
Micro-segmentation can be implemented manually, but this is not recommended. It’s much simpler and more effective to use an automated solution that can quickly segment your network into smaller, more manageable pieces.
Simply put, the new PCI DSS version requires that updates for things like anti-malware systems be performed automatically.
When deploying automated technical solutions to decrease risk and mitigate attacks, it is crucial to also put in place procedures that enable quick reactions to the alarms those solutions raise. Ways to automate mitigation include rate-limiting measures to prevent brute-force and enumeration attacks, auto-detection of misconfigurations, and behavior-based detection to block suspicious traffic on an organization’s web applications and APIs.
Related article: All About the Changes Introduced in PCI DSS 4.0.
The new PCI DSS 4.0 guidelines are just the beginning – we expect to see more and more frameworks and regulations moving toward automation in the coming years. Automation offers a number of benefits, including improved security, efficiency, and accuracy. As we move into this new era of compliance, it’s important to partner with a firm that specializes in automation.
Learn about I.S. Partners’ compliance automation solution and our PCI 4.0 Readiness Program.