
What’s new in PCI 3.0?

October 20, 2017


Following the launch of PCI DSS 3.0 in January, I’ve been faced with questions from many businesses about changes they should implement within the next year to remain or become compliant with the updated mandate.

In a recent 30-minute webinar I highlighted seven simple steps to achieving compliance, which have since been featured by Windows security expert and author Russell Smith.

It’s important to state that the steps outlined below are relevant to any security policy, and improving overall IT security should be the primary goal when conducting any compliance review.

1. Maintain an IT Policy

This is the most logical starting point, but I continue to be surprised at how many IT departments don’t start with a clear IT security strategy. Too often it comes as an afterthought, once new projects or systems have already been implemented.

PCI 3.0 reinforces the importance of clear, well-maintained policy documentation, including rules on strong passwords, protecting credentials, and changing passwords on suspicion of compromise.

2. Maintain Secure Systems

Admin access to all systems must be controlled to ensure they remain free from internal and external security threats. I can’t stress enough how important it is to have a solution in place for managing privileged access at an individual level. I’ve spoken to so many businesses that still have generic admin accounts or shared passwords.

3. Protect Data

Deploying up-to-date antivirus and firewalls is a great start to stop infections getting in, but best practice is to remove admin rights and implement application allow listing, so that only approved software, tasks and scripts can be run by users on the inside.

In fact, 51% of organizations believe a cyber-attacker is currently in their corporate network or has been in the past year (CyberArk 2013).

Recent data breaches experienced by the US retailer Target and in South Korea have highlighted once again the huge threat posed by malware and by insiders. With admin privileges, your users effectively hold the key to the back door and could walk out with your most precious data.

4. Defend Against Threats and Vulnerabilities

The rules of antivirus deployment in 3.0 have changed. As well as being fully operational, any such software must be configured so that users cannot disable or uninstall it. Did you know that advanced malware, or admin users, can disable antivirus policies even when the product has built-in anti-tampering features? Standard users cannot do this, which is another example of how dangerous unchecked admin rights can be. This leads me nicely to point 5...

5. Controlling Privileges

PCI 3.0 states that user privileges must be restricted to those who require them to perform their job role. In order to remove admin rights from users, most businesses will need more granular control over privileges than UAC in Windows environments can provide. I always recommend that any approach to changing user privileges should be meticulously planned, and fully communicated internally. Without a rich end-user experience, the whole security project is at risk.

6. Monitor Privilege Use

PCI 3.0 has a specific requirement to log activity of privileged users. This is about more than just session recording. Session recording is not a proactive approach to security. It’s effectively like filming someone robbing a bank - you can trace who committed the crime, but the money has still gone. Many CISOs still overlook the importance of removing admin privileges, which prevents access in the first place. Any security layer or session recording solution can be disabled if the user has administrator access, though admittedly, some are easier to disable than others!
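As an added example for points 5 and 6 (it is not code from the original post), the following PowerShell script audits a single Windows endpoint: it lists who holds local admin rights, flags the shared built-in Administrator account if it is enabled, and summarises recorded privileged logons from the Security log. It assumes PowerShell 5.1 or later on Windows 10/Server 2016 or later, an elevated session so the Security log is readable, and that "Audit Special Logon" is enabled so that event 4672 is written.

```powershell
# Added example, not part of the original post: report-only audit of local admin
# rights (step 5) and privileged logon auditing (step 6) on one Windows endpoint.
# Assumes PowerShell 5.1+ on Windows 10 / Server 2016+, run from an elevated session.

# Step 5: enumerate the local Administrators group and separate users from groups.
$admins      = @(Get-LocalGroupMember -Group 'Administrators')
$userAdmins  = $admins | Where-Object { $_.ObjectClass -eq 'User' }
$groupAdmins = $admins | Where-Object { $_.ObjectClass -eq 'Group' }

Write-Host "Local Administrators: $($admins.Count) members"
foreach ($m in $userAdmins) {
    # A user account granted admin directly is a candidate for removal;
    # group grants are usually managed centrally and are listed separately.
    Write-Host ("  USER  {0,-40} source={1}" -f $m.Name, $m.PrincipalSource)
}
foreach ($m in $groupAdmins) {
    Write-Host ("  GROUP {0,-40} source={1}" -f $m.Name, $m.PrincipalSource)
}

# The built-in Administrator account (RID 500) is a generic, shared identity:
# warn if it is still enabled, whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Write-Warning "Built-in Administrator account '$($builtin.Name)' is enabled (shared credential)."
}

# Step 6: each privileged logon is recorded as Security event 4672
# ("Special privileges assigned to new logon"). Summarise the last 24 hours per account.
$since = (Get-Date).AddHours(-24)
try {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction Stop)
} catch {
    $events = @()   # Get-WinEvent throws when nothing matches or the log is not readable
}
if ($events.Count -eq 0) {
    Write-Warning "No 4672 events in the last 24h: check that 'Audit Special Logon' is enabled."
} else {
    # In a 4672 event, Properties[1] is SubjectUserName (the account that logged on).
    $events |
        Group-Object { $_.Properties[1].Value } |
        Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("  {0,5} privileged logons  {1}" -f $_.Count, $_.Name) }
}
```

Run it per endpoint (or via remoting) and treat every directly granted user account and every enabled built-in Administrator as a finding to resolve before the compliance review.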

7. Defense in Depth

A layered approach to security is crucial. The key is to combine multiple solutions such as antivirus, firewalls, patching, application allow listing and privilege management. Be aware of all your attack vectors and build your defense layers from the ground up. The “egg shell” approach to security, where the external perimeter is hard but the internal security is soft, just does not work.

In summary, compliance should never be an exercise of ticking the box; it should be about making your systems as secure as they can possibly be. If you follow these basic standards in IT security and maintain effective IT policies, you should achieve the relevant compliance AND protect your most valuable business assets.

For more information on this topic, download our whitepaper on achieving compliance.

Andrew Avanessian
