Protecting Sensitive Data from Insider Threats in PCI DSS 4.0

Have you heard the phrase “the enemy within”? It perfectly describes an insider threat within an organization.

An insider threat is a security risk that originates from individuals within an organization, such as employees, former employees, contractors, or business associates. These individuals have access to sensitive information and knowledge of the organization’s security practices, data, and computer systems, which can potentially be used to cause harm.

Insider threats are dangerous and pose a risk to an organization. These include:

• Malicious insiders: These are individuals who intentionally cause harm to the organization, such as stealing sensitive information or sabotaging systems or data.
• Negligent insiders: These are individuals who unintentionally cause harm to the organization, such as accidentally sending sensitive information to the wrong person or failing to follow security protocols.
• Compromised insiders: These are individuals whose accounts or systems have been compromised by an external attacker, allowing the attacker to carry out malicious activities from within the organization.

Real-life Example of Intentional Insider Threat:

Insider threats can severely affect sensitive data, making the payment card environment a soft target. Organizations that offer payment services must adhere to Payment Card Industry Data Security Standard (PCI DSS) to ensure security and compliance. This latest version of the Standard improves security, simplifies compliance, and keeps pace with new technology.

In the context of PCI DSS, insiders can include employees, contractors, or business associates who have access to sensitive payment card information. To protect against threats, organizations should implement measures to keep data safe. For example, a malicious insider could steal payment card information and sell it on the black market, while a negligent insider could accidentally cause a data breach.

PCI DSS v4.0 has the same six goals and 12 requirements as its earlier version but also includes significant updates to compliance assessments to keep up with new technology.

Requirement 12.5.2 of PCI DSS 4.0 states that organizations must document and confirm their PCI scope annually and upon significant changes to their environment. This includes identifying all data flows, system components, segmentation controls, and connections from third parties with access to the cardholder data environment (CDE).

While this requirement does not specifically mention insider threats, it is important to note that PCI DSS as a whole is intended to protect against all threat actors, including insiders. By documenting and confirming their PCI scope, organizations can ensure that they are aware of all potential areas of risk and can take appropriate measures to protect sensitive data, such as implementing security policies and procedures for all personnel as outlined in Requirement 12 of PCI DSS.

Defining roles and responsibilities is crucial for protecting sensitive data from insider threats under PCI DSS 4.0 compliance. Organizations should clearly document and assign the roles and responsibilities of all personnel involved in PCI DSS compliance, including IT staff and employees in other departments who handle or have access to cardholder data. By ensuring that these roles and responsibilities are understood, organizations can reduce the risk of insider threats. Additionally, providing training and education can help create a culture of security and further prevent insider threats from compromising sensitive data.

PCI DSS 4.0 Requirement 1.3.3 indicates that organizations implement Network Security Controls (NSCs), such as firewalls, between all wireless networks and the Cardholder Data Environment (CDE), even if the wireless network is part of the CDE. This helps protect the CDE from unauthorized access, including access through wireless networks.

Wireless networks can be vulnerable to attacks and, if not properly secured, can provide an entry point for threat actors, including insiders, to access sensitive data. By implementing NSCs, organizations can prevent unauthorized access to their CDE and protect sensitive data from insider threats. Regular monitoring and testing of wireless networks and NSCs can further reduce the risk of insider threats.

PCI DSS 4.0 Requirement 4.2.2 states that organizations implement measures to prevent the unintended receipt of cardholder data. This helps prevent accidental exposure of sensitive data by insiders, such as employees or contractors, who may accidentally send cardholder data to unauthorized parties due to human error or lack of awareness of security policies.

PCI DSS 4.0 Requirement 8.4.3 specifies that organizations implement Multi-Factor Authentication (MFA) for all remote access to the CDE. This helps prevent unauthorized access to the CDE using stolen or compromised credentials, including by insiders who may have knowledge of an organization’s systems and security measures.

Organizations can reduce the risk of insider threats and help protect sensitive data by implementing MFA regularly monitoring and testing their MFA systems, as well as having policies and procedures in place to ensure only authorized personnel have access to administer the MFA systems.

Keeping sensitive data safe from insider threats is a big challenge for companies in all industries, especially when it comes to PCI DSS. Failure to adhere to the Standard can have serious consequences. With more and more insider threats happening, companies need to have good access controls, employee training, contingency plans, and risk assessments. Along with these efforts, following the rules in PCI DSS v4.0 can lower the risk of insider threats and keep important information safe. It’s really important to know how serious insider threats can be, and to take steps to keep payment card data secure.

About the author: