Preparing For New Payment Data Security Standards

By Press Room | 4 March 2024 | 5 Mins Read

Vince Berk is the Chief Strategist at Quantum Xchange, a post-quantum crypto-agility provider. Ph.D. in AI/ML, founder of FlowTraq.

The Payment Card Industry Data Security Standard (PCI DSS) v. 3.2.1 is officially retired as of March 31, 2024, giving way to PCI DSS v. 4.0, with full implementation mandated by March 2025.

An August 2023 S&P Global study found that few organizations have a solid understanding of all PCI DSS 4.0 requirements, and many say they haven’t even begun to execute the pending changes.

Taking an annual cryptographic inventory of in-scope systems is a new, and absolutely minimal, bar to pass. This means reviewing and analyzing the cryptography in use at a given point in time so that any deficiencies, such as outdated cryptography or an outright lack of it, may be remediated.

That said, a point-in-time inventory comes with several risk factors.

• Timeslice. Systems are often configured to handle a wide range of cryptographic options. At the time of session establishment, the cryptography is negotiated based on what both the server and client are willing to do. Short-time-duration sampling will likely miss situations where cryptography is “downgraded” below minimum standards.

• Scope. Scope is difficult to define, but this is not new to the concept of PCI and the data security standards community. The knock-on effects of compromised administrative accounts, reuse of passwords or compromised networking gear all might fall “out of scope” by the definition of the standard, but they have a clear and imminent risk to the “in-scope” systems.

• Sampling. Many current service providers take a sampled approach to demonstrate that certain compliance controls have been met. A sample certainly suffices when validating that a response process is in place, for example. For cryptography and things like password strength, however, a sampling is insufficient. For cryptography, just like passwords, the same risk applies—if you prove one password is strong, that doesn’t mean all of them are!

• Legacy. Systems that have been operational since the beginning of time are usually still in operation because they “just work.” Despite software updates often being available (but frequently not applied), the configurations generally permit old and outdated cryptography. This leaves the risk that very outdated cryptography is no longer the default but is still available as an option on the system.

The outdated cryptography does not show up in the majority of communications, but it is sometimes negotiated in old, outdated or malicious interactions and, because those are infrequent, it is rarely caught. This problem affects even legacy systems that have been kept up to date, as configurations are generally not reviewed after updates.

• Ignorance. Possibly the worst risk of all: cryptography is typically taken for granted. It is just there, and if it looks scrambled, then it is encrypted. However, there is a world of difference between good encryption and insufficient encryption.

When cryptographic risk must be evaluated, many operators are not familiar with the inherent risk they are dealing with. Common issues include weak ciphers, long-duration certificates and self-signed certificates. Operators understand weak intermediary certificates even less, but they are a natural entry point for skilled hackers as well as malicious insiders.

Then, there are the ever-present software bugs. There are many out-of-date cryptography libraries with bugs that allow man-in-the-middle attacks or outright guessing of the encryption keys. None of this is obvious to the casual observer.

In addition to beginning with a cryptographic inventory, there are other steps CISOs can take to prepare themselves for the new PCI DSS standards.

• Continuous monitoring instead of an annual inventory. When remediation of cryptographic deficiencies becomes a standard, ongoing process, you keep raising the bar over time. An additional benefit is that you might catch a smart threat actor that acts differently than your sanctioned systems.

• Set cryptographic hygiene standards. An inventory of “in-scope” systems is intended to point out deficiencies for remediation—but remediate to what? Setting a policy of minimum standards of cryptographic strength and hygiene, as well as a process for achieving those standards, can help the entire enterprise avoid many of the second-order risks mentioned above.

Enterprises are governed by policy and process, and being explicit about certificate expiration durations, access control to certificates, minimum cryptographic standards and software library versions can significantly increase security in the overall enterprise.

• Move to crypto-agility. Cryptographic inventory is only the beginning. With much cryptography baked into software packages, the ability to transition to new or even quantum-safe cryptography is going to be a cumbersome and arduous process. Take this newfound visibility as the first step toward an agile position with cryptography—such that the next version of the standard, which is most definitely going to include post-quantum cryptographic requirements, becomes achievable.
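To make the timeslice and sampling risks and the first two steps above concrete, here is an added example (not from the original article) that checks observed, already-negotiated sessions against an explicit minimum standard and compares a one-hour inventory snapshot with continuous monitoring. The policy values, hostnames and session records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed minimum standard for this example; set your own policy values.
POLICY = {"min_tls": (1, 2), "max_cert_days": 398,
          "banned": {"RC4", "DES", "NULL", "EXPORT", "MD5"}}

@dataclass(frozen=True)
class Session:            # one observed, already-negotiated connection
    seen: datetime
    server: str
    tls: tuple            # negotiated protocol version, e.g. (1, 2)
    cipher: str           # negotiated cipher suite name
    cert_days: int        # certificate validity period in days
    self_signed: bool

def findings(s, policy=POLICY):
    """Return the policy violations for a single negotiated session."""
    out = []
    if s.tls < policy["min_tls"]:
        out.append("protocol-below-minimum")
    if policy["banned"] & set(re.split(r"[-_]", s.cipher.upper())):
        out.append("weak-cipher")
    if s.cert_days > policy["max_cert_days"]:
        out.append("long-lived-certificate")
    if s.self_signed:
        out.append("self-signed-certificate")
    return out

def inventory(sessions, start=None, end=None):
    """Map server -> sorted findings for sessions seen in [start, end)."""
    report = {}
    for s in sessions:
        if (start and s.seen < start) or (end and s.seen >= end):
            continue
        report.setdefault(s.server, set()).update(findings(s))
    return {srv: sorted(f) for srv, f in report.items()}

def missed_by_snapshot(sessions, start, end):
    """Findings that continuous monitoring sees but the snapshot window misses."""
    snap, full = inventory(sessions, start, end), inventory(sessions)
    gaps = {srv: sorted(set(f) - set(snap.get(srv, []))) for srv, f in full.items()}
    return {srv: g for srv, g in gaps.items() if g}

# Constructed sample data: hostnames, times and values are invented.
T0 = datetime(2024, 3, 4, 9, 0)
SNAP_END = T0 + timedelta(hours=1)   # end of the one-hour inventory window
SESSIONS = [
    Session(T0, "pay-gw", (1, 3), "TLS_AES_256_GCM_SHA384", 90, False),
    Session(T0 + timedelta(minutes=10), "hsm-admin", (1, 2), "ECDHE-RSA-AES256-GCM-SHA384", 3650, True),
    Session(T0 + timedelta(hours=14), "pay-gw", (1, 0), "DES-CBC3-SHA", 90, False),  # legacy client
]
```

In this sample the snapshot reports `pay-gw` as clean, while the full record shows a later session negotiated down to an outdated protocol and cipher on the same server.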

Regardless, keep in mind that compliance with regulation is a baseline. A new standard gives you an opportunity to not only meet the minimum but also to evaluate what approach you can take to ensure safer, more secure data communication.

Remember, the fire code specifies a minimum standard that aims to avoid the worst fire risks, but by no means do these standards guarantee you are safe from fires.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

Vincent Berk