PKI and Digital Certificates as a Solution for PCI Compliance
Cyber Threats of the Financial Sector
Financial services is navigating an interesting time: eight years have passed since the crash of 2008, allowing enough time for market healing, while mass digitalization has taken a strong hold. Online portals and mobile apps are the norm, among a slew of other technology innovations being adopted in financial services to respond to the high demands of today’s digital consumer. Sure, these changes bring greater convenience to the customer and increased cost efficiency to the institutions, but they also bring significantly higher cyber security risks.
According to SecurityScorecard’s 2016 Financial Industry Cybersecurity Research Report, the financial sector is in a particularly vulnerable place due to increased risks as a result of digitalization:
- 95% of the top 20 U.S. commercial banks (by revenue) have Network Security grades of “C” or worse.
- 1 out of 5 financial institutions uses an email service provider with considerable security vulnerabilities.
- 75% of the top 20 U.S. commercial banks (by revenue) are infected with malware.
In addition to the increased vulnerabilities in finance, industry and government compliance requirements such as PCI, HIPAA and the ISO security standards are an ongoing concern. According to the SecurityScorecard study, 30% of finance companies are noncompliant with PCI 3, the PCI DSS requirement associated with using strong cryptography protocols and trusted keys and certificates.
The Industry Significance of PCI DSS
PCI DSS is one of the top regulatory bodies overseeing the financial sector, enacted to ensure the security of cardholder data.
The security outcomes associated with PCI compliance span the ongoing identification of threats and vulnerabilities, ultimately supporting the success of organizations who process card payments. Data breaches can result in the total destruction of a business—PCI is intended to prevent the loss associated with a successful data breach.
As explained by Thales e-Security, the consequences of failure to comply with PCI DSS include large fines, increased fees, and potentially, termination of the ability to process credit cards.
Unfortunately, establishing a secure operational state that mitigates today’s dangerous threat landscape is not the same thing as PCI DSS compliance. Each financial organization has to decide individually which security tools and controls to use, as well as the right infrastructure to support them, and those mechanisms do not always map directly onto the objectives required by PCI.
Choosing robust solutions that cover as much of PCI as possible is a helpful tactic. Public key infrastructure (PKI) and digital certificates, for example, are a proven solution for meeting regulatory requirements and securing sensitive assets. PKI and digital certificate management systems allow cryptographically sound technology to be integrated easily while significantly improving the end-user experience and substantially improving the security posture of an enterprise.
Getting Started with PKI and Digital Certificates
PKI used to issue digital certificates is an effective way to satisfy PCI 3, the component of PCI DSS which requires that strong cryptography and security protocols must be used to safeguard cardholder data, and only trusted keys and certificates are used. The proper implementation and ongoing use of this security technology concurrently enhances security posture while meeting compliance requirements.
Working with a trusted PKI partner is a way to implement and operate a PKI, and to safely issue trusted digital certificates, without putting additional strain on the security team or having to recruit the right expertise. Managed PKI services ensure that a secure infrastructure stays secure, while internal IT professionals are freed to work on technology initiatives that directly serve the core values of the business.
A professionally managed PKI, with a solid and auditable operations plan behind it, is designed to meet the immediate and long-term business security needs of an organization. A robust, managed PKI can demonstrate which operations have been carried out, who carried them out, and any security events that have taken place along the way, allowing businesses to have confidence in their technology investment without allocating critical resources to administrative demands.
The most important consideration for selecting a reliable PKI partner is level of experience and expertise with PKI, digital certificates, and unique industry compliance requirements, such as PCI.
Ask your prospective PKI partner:
- Can the solution be moved in house in the future? If so, what are the anticipated cost and technical complexity?
- Are there elements of the service that cannot be moved? What aspects of the infrastructure are shared?
- Can I use my own URLs for CRLs?
- Can private keys for encryption be escrowed at my site?
CSS is available to talk about the PCI-related questions your financial security organization has. Our PKI experts can work with you to identify your current security vulnerabilities and identify the best PKI approach for your business.
If your security organization would like to learn more about how PKI and trusted digital certificates can safeguard your sensitive cardholder data, our experts are here for you. Contact us to talk about your PKI needs.