“Gartner Listed - mobile application security guide”

September 28, 2016

Privileged users and PCI-DSS

The 3.2 updates to PCI mobile app security testing show that protecting information assets is a key challenge for enterprises today. As IT operations become more complex, spanning multiple platforms, datacenters, identity and access management infrastructures and IT staffing, developing and maintaining a security-compliant environment and mitigating risk is of utmost concern for IT managers.

Not only that, many companies need to meet the compliance requirements of multiple regulations and standards such as PCI DSS, HIPAA, ISO 9001 and ISO 27001, as well as industry-specific requirements such as the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), et al. This makes it even more challenging for enterprises to integrate all regulations into one security posture.

All major compliance standards, however, share certain basic requirements for ensuring security within a system. No matter which regulation you need to comply with, all users must be authenticated with their own unique identities, and access to privileged roles and sensitive data must be limited. Even for privileged roles, all activity must be logged and audited to ensure the safety of information.

Why should you audit privileged user activity?

  • To practice accountability required for compliance
  • To record and track user activity in case of suspicious behaviour
  • To be able to monitor in real time before a breach actually takes place
  • To remind disgruntled employees that all malicious activities will be recorded
  • To be able to put forth a clear record for evidence in case of disputes

How Does it Apply to Payment Card Industry?

The Payment Card Industry Data Security Standard (PCI DSS) lays down strict regulations and penalties for industries dealing with cardholder data. This is to make sure that service providers and merchants treat the security and privacy of payment card data as their priority. PCI DSS 3.2 takes effect on Oct 1, 2016 and consists of 12 requirements that must be met by any enterprise that stores, transmits or processes cardholder data. All 12 requirements relate to PCI mobile app security testing and the protection of payment cards.

Privilege Service and Server Suite (Standard, Enterprise, Platinum) are specifically mentioned in the 3.2 revision of PCI DSS, as they help organisations achieve overall PCI DSS compliance and meet PCI mobile app security testing standards. They can help you manage privileged user accounts, reduce PCI scope, manage access control, and encrypt communication between untrusted servers.

The key to consistent PCI app security and data security after achieving compliance is to maintain that compliance posture. This is where many organisations fail, and it is often the root cause of attacks.

Codified Security will help you meet the PCI-DSS mobile app security testing standards, including Requirement 6 (developing and maintaining secure software and applications) and Requirement 11 (regularly testing security systems). To check whether there are PCI app security issues in your app, please sign up to Codified Security.