PCI As A Best Practice and How It Can Help You With Ransomware and Emerging Cyber Threats

Ransomware attacks are in the news more than ever, with many high-profile organizations in both the public and private sector finding themselves the victims of serious security breaches that have resulted in catastrophic disruptions to operations, compromised customer data, and monumental financial losses, not to mention the resulting PR nightmares. Ransomware is a moving target that keeps evolving and getting more aggressive and sophisticated, and no organization is immune. Depending on who you ask, the average ransomware demand is anywhere from just under $2 million to more than $9 million, so the immediate financial consequences can be severe as well, to say nothing of the potential long-term consequences for the organizations affected.

Combating ransomware and protecting yourself against being a target requires a holistic approach, one that involves the co-operation of your entire organization. The days when issues like these could simply be referred to the IT department and otherwise forgotten are over. Even if you outsource your security to a third party or parties, it is incumbent upon you to ensure that they are conversant with the latest security procedures and are certified accordingly.

As part of this ongoing conversation, Datatel’s CEO Barnard Crespi partnered with Steve Porter, founder and President of Secured Net Solutions, in an interactive Fireside Chat webinar to discuss how PCI can be utilized as a best practice and how it can help you with ransomware and emerging cyber threats.

What follows is an article that distills and summarizes the main points covered in the Fireside Chat webinar, along with a video of the chat itself. In addition, the actual questions that were asked are posted below, each with a notation of where exactly in the video the question is answered.

Why do you think it is important to talk about PCI and Ransomware together?

(starts at 1:47)

PCI compliance is a standard that companies accepting credit card payments for goods and services are required to adhere to. However, as often as not, companies will deploy and adhere to PCI practices for that specific aspect of their operations, but no further. As explained in the webinar, PCI – properly understood – can be used as the basis for improving and tightening security across the different networks within an organization, reducing the likelihood of becoming the victim of a ransomware attack (or, if you nonetheless do become a victim, at least limiting its severity).

Talking about PCI in the context of combating ransomware actually makes a great deal of sense. While PCI is specifically a set of standards and regulations regarding payment security, a broader interpretation is that it can double as a collection of best practices and security controls. The fact that it is a widely known standard makes it easy to adapt – at least in part – to other, non-payment-related security practices as well.

How can businesses that are implementing PCI use this framework to protect themselves against ransomware?

(starts at 3:13)

Using a framework like PCI or HIPAA is a good guideline or starting point when it comes to improving an organization’s security across the board. For those that already have a mature security model, it’s a good way to look at the checklist and ask some pertinent questions, such as: Are we following everything on the PCI checklist? Should we be doing this across the organization, or just in the part or parts that are required to adhere to PCI guidelines? Should we be using PCI controls – e.g. advanced endpoint security, web filtering, email filtering – for the entire organization, or just for those parts that are required to be PCI compliant?

What would you say are the most obvious and useful aspects of PCI that can be transposed to the everyday corporate environment?

(Starts at 5:38)

Doing so need not be nearly as daunting as it might appear on the surface. Currently, the PCI DSS consists of approximately 360 requirements (PCI 4.0, which is slated to appear in early 2022, may contain more). Applying all of these to an entire business is likely not necessary, however; apply just the ones that make sense in the context of the rest of the business’s activities.

A good example for illustrating this point is PCI DSS Requirement 5 (the requirement to protect all systems against malware and regularly update anti-virus software or programs). Endpoint security can and should be a priority in all aspects of one’s business, not just those that are required to be PCI compliant. Does your endpoint protection plan have advanced ransomware protection features built in? If the product you are using is more than 3-5 years old, it probably needs an update because it may not detect the latest forms of ransomware. If you are already doing this for your regular PCI environment, then why not for the rest of the business? Likewise, if you already deploy web and email filtering on the PCI side, in most cases it does not require much extra effort to extend those controls across your entire network.

Some of the more obvious and useful aspects of PCI that can be transposed to the everyday corporate environment include enhanced training that stresses the human factor, both in PCI practices themselves and in practices modelled on PCI. It’s important that employee training is mirrored across the organization; otherwise combatting ransomware will remain a hit-and-miss proposition.

Training needs to be continuous and kept up to date without becoming repetitive and boring. Keep in mind as well that some departments will, either by necessity or by common practice, be more vulnerable than others when it comes to employee-enabled security breaches. For example, HR departments would find it hard to do their jobs if they weren’t able to open files containing resumes and other related attachments.

When deciding what kind of training to implement, you may want to look at current trends in phishing to determine what the common campaigns are, as these are the sorts of things that can be used to test and train staff; for example, within the past year there have been a lot of Covid-related phishing scams. One approach is to copy the typical campaigns that phishers use. However, don’t overdo it: once-a-year training may be too little, once a month may be too much. It depends on the organization.

When it comes to security there are multiple layers. If attackers get through the first couple of layers, it can cause inconveniences and disruptions of varying degrees; if they get through more than that, the level of damage increases. In addition to good endpoint security and phishing protections, policies and procedures that look for anomalies in your system activities are an effective way to detect suspicious activity. For example, ransomware will typically attempt to encrypt ALL of your sensitive files in a very short period of time. This is not normal activity, as your staff does not typically do this sort of thing as part of their day-to-day work. Endpoint security blocks people from innocently opening what may be suspicious files until a more senior administrator has had a chance to examine them and determine that they are ok.
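The anomaly the paragraph above describes, many sensitive files being modified by one actor in a very short period, can be turned into a simple detection rule. The following Python script is an added example and is not code from the article, the webinar, Datatel or Secured Net Solutions. It reads constructed file-activity log lines in a hypothetical "timestamp host user action path" format and raises one alert per host/user pair as soon as the number of distinct files written, renamed or deleted within a sliding window crosses a threshold; both the window length and the threshold are assumed tuning values that a real deployment would calibrate against its own baseline.

```python
"""Burst detector for ransomware-style mass file modification (added example).

Assumed log format (hypothetical, not a real product's format):
    <ISO-8601 timestamp> <host> <user> <ACTION> <path>
where ACTION is one of OPEN, WRITE, RENAME or DELETE.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(seconds=60)  # look-back window (assumed tuning value)
THRESHOLD = 10                  # distinct files modified within WINDOW (assumed tuning value)
MODIFY_ACTIONS = {"WRITE", "RENAME", "DELETE"}

# Constructed sample: ordinary HR activity, a handful of writes spread over minutes.
NORMAL_LINES = [
    "2021-09-14T09:00:01 ws-hr-03 alice OPEN /share/hr/resumes/candidate_01.pdf",
    "2021-09-14T09:00:05 ws-hr-03 alice WRITE /share/hr/resumes/candidate_01.pdf",
    "2021-09-14T09:03:40 ws-hr-03 alice WRITE /share/hr/notes/interview_log.docx",
    "2021-09-14T09:07:12 ws-hr-03 alice WRITE /share/hr/resumes/candidate_02.pdf",
]

# Constructed sample: twelve distinct spreadsheets rewritten within twelve seconds,
# the kind of burst the article says no employee produces as part of normal work.
BURST_LINES = [
    f"2021-09-14T09:15:{i:02d} ws-fin-07 bob WRITE /share/finance/q3/report_{i:02d}.xlsx"
    for i in range(12)
]

SAMPLE_LINES = NORMAL_LINES + BURST_LINES

Alert = Tuple[str, str, datetime, int]  # (host, user, time of alert, distinct files)


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one log line into its five fields; the path may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def detect_bursts(lines: List[str], window: timedelta = WINDOW,
                  threshold: int = THRESHOLD) -> List[Alert]:
    """Return one alert per (host, user) whose distinct modified files within
    `window` reach `threshold`. Lines are assumed to arrive in time order."""
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Alert] = []
    already_alerted = set()

    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, action, path = parse_line(line)
        if action not in MODIFY_ACTIONS:
            continue  # reads alone do not indicate encryption in progress

        key = (host, user)
        events = recent[key]
        events.append((ts, path))
        # Drop events that have fallen out of the look-back window.
        while events and ts - events[0][0] > window:
            events.popleft()

        distinct_files = {p for _, p in events}
        if len(distinct_files) >= threshold and key not in already_alerted:
            already_alerted.add(key)
            alerts.append((host, user, ts, len(distinct_files)))

    return alerts


if __name__ == "__main__":
    for host, user, when, count in detect_bursts(SAMPLE_LINES):
        print(f"ALERT {when.isoformat()} {user}@{host}: "
              f"{count} distinct files modified within {WINDOW.seconds}s")
```

Run as-is, the script stays quiet for the HR user and raises a single alert for the finance workstation at the tenth distinct file. In practice the alert would feed an automated response such as isolating the host or suspending the account, which is exactly the "detect it while it is still inconvenient rather than catastrophic" layering the paragraph argues for; the threshold has to be set from a baseline of legitimate bulk operations (backups, batch exports) so those do not trip it.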

One of the business sectors that has seen a significant uptick in ransomware cases recently is the healthcare sector. Notwithstanding the fact that these organizations typically pay close attention to PCI, there are other factors unique to healthcare providers that make them especially vulnerable to cyber-attacks.

Healthcare: We have seen a significant uptick in ransomware cases in the healthcare sector, and typically these are organizations that pay close attention to PCI. What’s unique about healthcare providers that makes them so vulnerable?

(Starts at 16:49)

One of the challenges that healthcare providers face is that many of them have very flat or unsegmented networks – i.e. all devices are connected with few boundaries or controls. Some of this is deliberate, because when it comes to patient care, efficiency and speed in accessing data is important (and often life-saving), as is the ability to remotely monitor medical devices such as pacemakers, glucose meters, CPAP machines and so on. However, when multiple people need to be able to access this information, it also leaves these devices vulnerable to attack.

When it comes to their specific PCI environments, healthcare providers tend to do a better job, and this is where they focus their controls; however, such controls are often not duplicated elsewhere. Typically, healthcare industrial control devices are old and can’t be adapted to modern controls, which renders them exceptionally vulnerable. The larger the organization, the more devices are continually being added to the network, and healthcare organizations can’t always control for security at the device level. Those healthcare organizations that have been ransomware victims recently were likely missing patches, their endpoint security was not up to date, there were excessive permissions and access between servers, and there was not a great deal of visibility regarding what was happening in their networks.

For organizations that have taken the approach of managing PCI by shifting risk to a third party, what would you recommend as a good starting point?

(Starts at 29:09)

If you have outsourced your network security – payment or otherwise – to a third party, it’s still crucial that regular risk reviews are being conducted. More and more organizations are starting to take security more seriously, and that includes scrutinizing vendors more closely. Whether you outsource your security or do it in-house, cyber insurance companies will ask you for details of your security policy and what is currently being done to prevent security breaches.

Using PCI as a framework doesn’t mean using PCI literally. For example, where it references cardholder data you can simply substitute sensitive data, or some similar phrase, and figure out what that means for your environment. Looking at the requirements in that light and applying them to whatever blocks of sensitive data you don’t want compromised by ransomware is an effective way of adapting PCI standards to those areas not subject to PCI compliance requirements. If you’re looking for a simple catchphrase that sums up this approach, then PCI for PII (Personally Identifiable Information) embodies the relevant principle very effectively.

One thing that is certain is that ransomware is here to stay for the foreseeable future. Ransomware is really not all that different from the old-school viruses and malware that have been around for many years. The big difference is in the payload. In the past, malware was just looking for specific pieces of data (like passwords). What today’s ransomware seeks to do, however, is encrypt ALL of your sensitive files within a very short period of time. Nonetheless, there are steps that can be taken right away if you are a new business and/or are just becoming more focused on cyber-security than before.

For organizations that are just getting started with PCI, where is a good place to start for next steps?

(Starts at 33:47)

If you are not already doing so, start with gap assessments: have an independent third party do a security assessment that focuses on both the technology currently being used and the policies that are in place, and that provides recommendations for both. Think big picture; for example, if you already deploy PCI in some areas, see how those controls can be applied elsewhere.

PCI gives you an edge because it really does focus on sensitive data: though PCI is focused on credit-card data, the basic principles can be applied to data of all kinds. If you are doing PCI already in those areas of your organization that require it, then it’s easier to apply it elsewhere.

As part of the process, ensure that you partner any outside security team with your internal team. It’s VERY important to do an independent assessment even if you have an experienced internal security team, as more input makes for better and more thorough results. Moreover, even really large companies often have very small internal security departments that find it hard to keep track of everything happening across the various networks and could benefit from outside assistance.

Make no mistake, in today’s environment EVERYONE is susceptible to being responsible for a security breach, from an entry-level employee all the way up to the CEO. Protecting against ransomware requires a partnership among all stakeholders within an organization, not just IT/IT security. As already mentioned, security is not exclusively an IT issue anymore, and everyone needs to be aware of what the dangers are and how they can do their part to combat malfeasance. PCI provides a framework for doing so, and its key precepts are easy to explain, understand and adapt, even for people without a tech or IT background.
