Credit card fraud is a term used to denote fraud committed using credit or debit cards. It is often enabled by stolen, unauthorized, leaked, or forced access to payment card information. Attackers commonly gain access to card information through skimming, social engineering, account takeovers, or application fraud. In many cases, system breaches and hacks at large corporations have exposed the cardholder data of millions of people worldwide. An increase in the number of credit card fraud cases and cardholder data breaches brought prominent card brands together to form the Payment Card Industry Security Standards Council, with the aim of tightening control over cardholder data and reducing fraud and data breaches.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed to ensure that all companies globally that accept, process, store, or transmit credit or debit card information maintain the safety of cardholder data. If you’re in the business of providing products or services online and process payments on your website or application using digital payment methods, your business must be PCI DSS compliant. PCI also has a standard for software vendors and developers of payment applications, called PCI PA-DSS, which helps them develop secure payment applications that do not store prohibited data. Having your business or applications comply with PCI regulations delivers protection for your customers and you. PCI DSS provides measures that you can follow to foster secure transactions and mitigate the risk of debit and credit card data loss.
PCI DSS Requirements at a Glance
The standards and requirements listed by PCI for data security apply to technical and operational system components that are either included in or connected to cardholder data. The standards focus on achieving six key security goals with 12 specific requirements in total.
Here’s an overview of PCI DSS goals and requirements.
| Goals | Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
How Apica can help with PCI DSS compliance
A quick look at the table above would indicate that having a log management or observability solution in place is not an explicit requirement for PCI DSS compliance. However, this list has several provisions that often require separate and proprietary tooling that you can quickly fulfil using a unified data platform like Apica. Additionally, the data convergence, monitoring, and management capabilities Apica provides make it extremely easy to meet PCI-DSS compliance requirements in several ways. The following sections describe exactly how Apica can help you get a few steps closer to complete PCI DSS compliance.
Protect Cardholder Data
Requirements 3 and 4 of the PCI-DSS standards mandate that you must protect cardholder data at all times. Some of the essential measures you should take to protect cardholder data include:
- protecting all cardholder information that you store
- encrypting the transmission of cardholder data across networks
Log data may not explicitly contain sensitive cardholder information. However, there is a possibility that some of that information could leak into your logs. In such situations, it is always easier to centralize your logs in a single place so that you can collectively encrypt and store that information. Apica is the only platform that uses S3-compatible storage as the primary storage layer, meaning that you could centralize your logs on Apica and encrypt and store them in a PCI-DSS compliant S3 storage service like AWS S3.
Mask sensitive information in logs
In the event sensitive cardholder data spills into your system logs, you wouldn’t want to keep them there at all, let alone for long. There’s always a good chance that your logs could include Personally Identifiable Information (PII) that can identify an individual, either on its own or in combination with other relevant data. With Apica, you can write powerful rules with custom regular expressions that match patterns in your incoming data stream and mask or replace these matched patterns before they move into your data storage layer. For example, suppose your log data contains credit card numbers. In that case, you can write rules using regular expressions that identify patterns that resemble credit card numbers and replace those strings with either randomized characters or a preset string.
Apica enables you to set up these rules to either scan incoming data and mask PII within them in real-time or scan all of your logs across your distributed data sources to identify and conceal them in bulk.
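A sketch of the masking rule described above, as an added example (not Apica's rule syntax and not code from the original page): a regular expression finds 13 to 19 digit candidates, and a Luhn checksum filters out look-alikes such as order IDs before the match is replaced. The sample log lines, field names, and the `mask_pans` helper are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# The lookarounds stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
PRESET_MASK = "[PAN-MASKED]"  # preset replacement string (assumed value)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(line: str, keep_last4: bool = True) -> str:
    """Mask Luhn-valid card numbers in one log line before it reaches storage."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number (order ID etc.): keep as-is
        if keep_last4:
            return "*" * (len(digits) - 4) + digits[-4:]
        return PRESET_MASK
    return PAN_CANDIDATE.sub(_replace, line)


# Constructed sample log lines; 4111111111111111 is a well-known test card number.
SAMPLE_LOGS = [
    'ts=2024-01-05T10:02:11Z level=info msg="charge ok" card=4111111111111111 amount=42.00',
    'ts=2024-01-05T10:02:12Z level=warn msg="retry" pan="4111 1111 1111 1111"',
    'ts=2024-01-05T10:02:13Z level=info msg="order shipped" order_id=1234567890123456',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(mask_pans(entry))
```

The Luhn filter keeps the rule from destroying unrelated 16-digit identifiers, at the cost of missing a card number that is glued to other digits by a space or hyphen; test the pattern against your own log formats before relying on it.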
Implement Strong Access Control Measures
PCI-DSS requirements 7, 8, and 9 require implementing strong access control measures around accessing cardholder data. These requirements state that you should restrict access to cardholder data on a business need-to-know basis. You should also assign unique IDs to those with cardholder data access and limit physical access to this type of data. While Apica cannot help you directly adhere to these guidelines, it can let you know in the event of unauthorized access and give you the visibility you need to ensure that the access controls you’ve enforced are being followed.
By centralizing your logs and monitoring them on Apica, you can quickly identify instances of non-compliance before they become public knowledge. Apica’s built-in RBAC capabilities also enable you to set up role-based access to logs for your employees. By setting up RBAC, you can ensure that if some of your logs contain sensitive information, only those who need to know will be able to access those logs.
Regularly Monitor and Test Networks
PCI-DSS requirements 10 and 11 mandate strict monitoring of access to all network resources and regular testing of security systems and processes. One of Apica’s core features is real-time monitoring and observability for distributed systems and environments. Using Apica, you can converge all of your authentication and access logs on a single platform and use this data convergence to track, monitor, and identify abuse and attempts at forced entry. Apica also ships with built-in Sigma rules that make it a full-scale SIEM solution. Using Sigma rules, you can automatically augment incoming log data with relevant security-related events, making it easier to detect threats to data security in real-time.
Sigma rules are crowdsourced and constantly updated with the latest threat signatures, therefore ensuring that you’ve got adequate coverage against the newest types of attacks and threats. Apica also lets you visualize threats in incoming data, trigger alerts to your alert destinations, and kick-off remediation and security workflows.
Identifying and Alerting on Suspicious Activity
Sub-requirements 10.6 and 10.8 of the PCI-DSS standards mandate that you should be able to identify and respond to intrusions and unwanted access to cardholder data. While Apica’s SIEM capabilities help you identify threats in real-time, its alerting engine lets you transmit alerts to any destination of your choice. Apica comes with native integrations with ITOM tools such as OpsGenie and alerting tools such as Slack, HipChat, PagerDuty, Mattermost, and ChatWork. You can also integrate Apica with your email client and use webhooks to integrate with any alerting or IT automation platform of your choice. You can leverage these native and custom integrations to trigger threat remediation and security workflows, thereby making you better equipped to deal with threats and intrusions in real-time.
In-depth Auditing and Reports
PCI DSS also requires you to generate in-depth data access reports and prove that you’re consistently following your data security practices.
Since logs are the best way to confirm continuous compliance, Apica automatically enables audit logging for all of your incoming data. Apica also has robust reporting capabilities that allow you to create ad-hoc reports on historical data. You can schedule the generation of reports with a built-in CRON job that runs periodically. For example, you can generate monthly reports listing all IP addresses that generated an invalid login attempt within any system or application.
Apica’s use of S3-compatible storage as the primary storage layer ensures that you not only store your logs for as long as you wish (without paying an exorbitant price for storage) but also have all of your stored data indexed and searchable. This means that you can instantly generate reports that stretch far back into the past, giving your auditors visibility over continuous compliance across that entire period.
Conclusion
Compliance with PCI DSS, or any other regulatory framework, may seem daunting to achieve but isn’t necessarily so. You may think that you’d need an entire arsenal of specialist tools to ensure that you’re staying compliant. However, tools like Apica provide an easier and more efficient way to achieve compliance while keeping your spending at a minimum.
Apica is the only data platform that solves the SCATTR (Scale, Convergence, Agility, TCO, Trust, and Retention) problem in data management. Most log management solutions may only help you meet a couple of PCI DSS requirements at best, and even then only in conjunction with other tools or services. Apica not only helps you converge and manage your log data but also:
- secures and conceals sensitive cardholder information
- creates, manages, and governs data access using policies
- continuously monitors and assesses your systems and networks for performance and security
- alerts against threats and automates remediation
- audits your data and generates ad hoc and in-depth reports to prove continuous compliance
Getting started with Apica is easy and inexpensive. With SaaS and PaaS plans starting as low as $0.33 per GB per month, Apica can meet any budget. If you’d like to try out Apica, sign up for a 14-day free trial of Apica SaaS, or deploy the free-forever Apica PaaS Community Edition on any infrastructure of your choice.