Platform Features
By Need
By Industry
Partner Program
Our Partners
Resource Center
{ "term_id": 177, "name": "Karl Mattson", "slug": "karl-mattson", "term_group": 0, "term_taxonomy_id": 177, "taxonomy": "wpx-authors", "description": "", "parent": 0, "count": 5, "filter": "raw" }
Struggling to keep up with evolving regulations isn’t a new thing for IT security teams. After all, for every NIS, there’s a NIS2. But when you consider that 130+ global jurisdictions have enacted data privacy laws whose mandates change, it’s not surprising that only 9% of executives feel highly confident that they can meet all disclosure requirements.
If you’ve been preparing to comply with version 4.0 of Payment Card Industry Data Security Standard (PCI DSS), you might be feeling the same way.
Created by the Payment Card Industry Data Security Council, PCI DSS has become a global standard for protecting payment data. If your business accepts major credit cards and processes, stores, or transmits cardholder data electronically, you’re on the hook to comply.
The original version’s requirements cover security mainstays that are as important now as they were when PCI DSS was published in 2006. For example:
The trouble is, today’s threat landscape is more complex than it was in 2006.
Yes, organizations still must address attackers’ tendency to target areas such as privileged accounts and users with excessive permissions. However, enterprises need to adapt their compliance programs to account for threat actors who frequently target the thousands of APIs living within payment technologies. These attackers know that APIs are easy to exploit and provide an efficient way to steal cardholder data.
So among the many changes you’ll need to comply with in PCI DSS 4.0, your organization will need to understand and defend against API threats. In this blog post, we’ll share insights on the risks, requirements, and ways to comply.
Overall, PCI DSS 4.0 is centered on four key objectives:
PCI DSS 4.0 explicitly calls out APIs as a key area requiring visibility and protection. All four objectives come into play. But number three (the flexibility to use new tools and controls) is particularly important, given APIs’ unique risks. For example:
Regulators are aware of the risk and your business must show it has the visibility and controls in place to prevent data from being compromised.
Payment card data is compromised in over a third (37%) of breaches according to Verizon’s 2023 Data Breach Investigations Report. This is probably why PCI DSS 4.0 includes new requirements around multi-factor authentication and password length – to secure the human element of the payment industry’s attack surface.
However, it’s important to remember that, quite often, data breaches aren’t due to well-publicized, human-centric attack methods like phishing for employees’ passwords.
For example, 18% of attacks on e-commerce businesses entail malicious code embedded in card processing web pages. Today’s threat actors are growing more sophisticated, targeting automated non-human components of the IT environment that quite often, aren’t secured properly – case in point, APIs.
Ninety-two percent of enterprises have experienced an API-related security incident, according to Enterprise Strategy Group. Recognizing the urgency of API threats, PCI DSS v. 4.0 includes new API security rules, guidelines, and best practices. Let’s explore requirement 6.2.3.
Requirement 6.2.3 centers on the need for organizations to review their bespoke custom application code (i.e. developed by a third-party vendor – but not standard COTS applications) to ensure no vulnerabilities are released into production.
Specific to APIs, this requirement offers guidance to confirm that an organization’s software securely uses external components’ functions (libraries, frameworks, APIs, etc). This speaks to the key role APIs play in the broader software supply chain – and what it takes to protect it.
APIs have become the default connectivity and data exchange method of modern application environments. With that in mind, securing APIs from both a pre-production (shift-left) and post-production (shield-right) is essential to making your digital business resilient against attacks.
Here are six API security best practices to follow, for compliance with requirement 6.2.3.
The PCI-DSC added two additional sections entailing API security to PCI-DSS 4.0. Depending on when you’re reading this post, the deadline for compliance is either weeks away, or the deadline has passed. Either way, here’s a summary of the requirements you’ll also need to meet.
To learn more about these requirements – and the exact API security controls and capabilities you need to comply – we’ve published a helpful resource. Download our whitepaper, PCI DSS 4.0 Requirements for APIs, for best practices that you can use.
For every requirement covered in this post, Noname Security’s API Security platform offers the API protection that enterprises need – not only to comply with PCI DSS 4.0, but to continuously secure the data your customers have entrusted you with.
From the initial stages of development to post-production, Noname Security’s platform entails:
Learn more about Noname’s approach to API security and compliance.