PCI Compliance and the CIA Triad—Building Great Security

Complying with the Payment Card Industry Data Security Standard (PCI DSS) ensures that you have taken the necessary safeguard to secure payment card data, and it should be a goal for your organization. However, PCI DSS compliance doesn't ensure that all data is secure—so it isn't a stopping point.

Compliance should come through a comprehensive security strategy that protects data on multiple fronts. It is this kind of security that will assure your customers that their data is safe with you, which is particularly important if your organization is a large retail, banking, healthcare, or software-as-a-service (SaaS) company that must secure customer data in order to grow.

When PCI DSS compliance is viewed through the lens of the CIA triad, it is clear that PCI compliance is a great model and the first step toward greater data security. Since PCI compliance does not cover all sensitive data, such as personally identifiable information (PII) and company secrets, you should use PCI DSS standards and the CIA triad to create a comprehensive defense-in-depth strategy that protects data holistically.

What is the CIA Triad?

The CIA triad is a multi-layered security strategy designed to protect data. It focuses on:

• Confidentiality - Preventing data from being accessed by unauthorized users.

• Integrity - Keeping data from being altered without authorization.

• Availability - Maintaining access to data for authorized users.

How Can the CIA Triad and PCI DSS Standards Be Combined?

Incorporating PCI DSS standards and CIA triad principles into your security strategy will make it more difficult for your data to be compromised because it will be protected by several layers of security.

• Policies and procedures. Creating and disseminating security policies and promoting awareness of them per PCI standards provides an initial layer of protection for your data. Each employee should know their responsibilities for maintaining organizational security and be held accountable for doing so, such as by confirming that they are following proper password protocols and not accessing networks through unauthorized devices.

• Physical protection. Restricting internal access to computers, networks, and devices helps you maintain confidentiality and integrity by keeping unauthorized users from accessing and altering data. You can confirm that data is only accessed by authorized users by establishing security checkpoints at entrances to areas with sensitive data, such as server rooms, and maintaining visitor logs.

• Perimeter. Installing firewalls and testing your networks for vulnerabilities that could be compromised by external users helps you maintain availability as well as confidentiality and integrity. If the perimeter is safe, authorized users can access and use the data, but external intruders cannot.

• Internal network. Protecting data internally is as important as preventing external attacks. Some data breaches have occurred because hackers have capitalized on lax internal security after penetrating organizational firewalls. Implementing PCI DSS standards and a Zero Trust policy provides your organization with additional protection through measures such as multi-factor authentication and policies such as limiting access to data to the minimal amount users need to do their work.

• Host. The computers that store data and run the applications that use it should be kept operational and secure, thus maintaining availability, integrity, and confidentiality. For example, you can force network-attached devices to adhere to desktop security policies by using endpoint security on servers and hosts per PCI DSS standards.

• Application. Hackers want to compromise the applications that run your data most of all. Keep your software and your security tools up to date. Scan for vulnerabilities and patch them quickly.

• Data. When your data is compromised, hackers win and you lose—big time. The average cost of a data breach globally increased 6.6 percent to $3.86 million in 2018, according to the 2018 Data Breach Study conducted by Ponemon Institute. Protecting personally identifiable information is particularly important because hackers seek it as a means to steal from individuals and to cripple companies. Only store data that you need for business purposes and maintain confidentiality through strong cryptography.

Maintaining PCI compliance allows your business to keep running and helps you keep growing by showing customers that they can trust you. But compliance alone is not enough.

Instead of being content with earning your certificate, build great security for your company by building upon your compliance. Use PCI DSS standards and the CIA triad to create a comprehensive defense-in-depth strategy that protects your data and assures your customers.