Edgio Information Security & Compliance – PCI-DSS 4.0 Compliance
Outline
Edgio’s security suite offers a robust and integrated approach to quickly implement and safeguard web applications, aligning with PCI DSS security controls to ensure comprehensive protection and compliance.
The PCI Security Standards Council spearheads the global initiative to bolster payment security within the cardholder data ecosystem. Established in 2004, the PCI Data Security Standard (PCI DSS) has emerged as the universal benchmark for securing cardholder information. Compliance with PCI DSS is imperative for all organizations that process, store, or transmit cardholder and sensitive authentication data, ensuring the integrity of the cardholder’s data environment.
The update from PCI DSS 3.2 to 4.0 represents a pivotal evolution of the standard. With the retirement of 3.2 on March 31, 2024, PCI DSS 4.0 will take precedence. Organizations are granted a two-year window to adopt and implement the new best practices delineated in 4.0. Following March 31, 2025, adherence to these practices will be compulsory for maintaining compliance with the updated standard.
How to maintain ongoing PCI DSS compliance
Edgio’s Security solution provides a robust and comprehensive path to PCI DSS compliance, safeguarding businesses from the repercussions of non-compliance such as hefty fines, costly legal battles, brand damage, and diminished consumer trust. Transitioning to PCI DSS 4.0 can be daunting, but Edgio’s Security solution streamlines the process with a suite of services that are easy to implement across environments, without the complexity and high cost of traditional security tools.
Our service includes cloud-based software, analytics, and a team of expert security analysts who monitor your environment around the clock. With our managed detection and response (MDR) and managed web application firewall (WAF) solutions, we provide:
- Analysis of event log data to detect potential security incidents, such as account lockouts, failed logins, new user accounts, and unauthorized access attempts.
- Identification of incidents that require investigation, notification for review, and creation of an incident audit trail for auditors.
- Expert review and assistance in resolving disputes with PCI ASV scan reports.
- Monitoring of log collection activities and alerts when logs are not being collected.
- Configuration, monitoring, and regular fine-tuning of web application firewalls to block malicious web traffic.
The introduction of PCI DSS 4.0 has made web application firewalls a mandatory requirement to “continuously detect and prevent web-based attacks” against applications and APIs. Edgio’s Managed WAF not only meets this requirement but also provides automated controls to mitigate client-side risks, addressing the requirements of 6.4.3 and 11.6.1, and reducing the need for multiple security tools. Our solution is designed to protect your business comprehensively, ensuring that you stay ahead of security threats and maintain compliance with ease.
PCI DSS 4.0 Requirements and Edgio Security
PCI DSS 4.0 Requirement 6: Develop and Maintain Secure Systems and Software
Requirement 6 mandates that organizations ensure all systems and software are protected against known vulnerabilities by implementing critical security patches and adopting secure development practices. This includes maintaining an up-to-date inventory of software, implementing change control processes to manage changes to system components, and ensuring security features are included in the development of applications.
Edgio addresses this requirement with the following solutions:
- Asset discovery and auditing: Client-side protection catalogs and tracks the assets in use by the client.
- Vulnerability analysis: Attack Surface Management (ASM) gives an organization a complete view of all its properties and possible vulnerabilities. CVEs can be assigned to owners and addressed quickly.
- Endpoint detection: API security monitors API usage, enforces schemas, and reports on it.
PCI DSS 4.0 Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
Requirement 10 focuses on the importance of tracking and monitoring all access to network resources and cardholder data to detect and respond to security incidents in a timely manner. Organizations are required to implement logging mechanisms and ensure that logs are reviewed regularly. This requirement also includes ensuring that logs are secure, complete, and accurate.
Edgio addresses this requirement with the following solutions:
- Real-Time Reporting and Logs: Edgio provides access to Build, Server, and Access logs.
- Client-side Protection: Edgio monitors browser-side scripts and APIs to prevent data exfiltration.
- Continuous monitoring: Edgio continuously monitors traffic throughout its system and uses ML and AI to filter and alert on issues, including the health of the entire network and the systems within it.
PCI DSS 4.0 Requirement 11: Test Security Systems and Processes
Requirement 11 requires organizations to regularly test security systems and processes to ensure they are effective in protecting cardholder data. This includes conducting vulnerability scans, penetration testing, and intrusion detection testing to identify and address security weaknesses.
Edgio addresses this requirement with the following solutions:
- Attack Surface Management (ASM): Edgio’s ASM solution provides a complete view of the entire internet-facing architecture, including an inventory of vulnerabilities for logging and assignment to owners for follow-up.
- Web Application Firewall (WAF): Edgio’s Managed WAF provides a continuously updated rule set to address vulnerabilities. In addition, it detects request tampering such as SQL injection and cross-site scripting.
- Bot Management: Edgio provides a Bot Management tool to ensure that pages are not abused by bots for actions such as credential stuffing.
- API Security: Enforcement of schema validation of API calls.
- Security Operations Center (SOC): Monitors and maintains alerting for abnormal behavior.
PCI DSS 4.0 Requirement 12: Implement a Policy that Addresses Information Security
Requirement 12 is about maintaining a policy that addresses information security for all personnel. This policy should include an organizational commitment to security, roles and responsibilities for security, and operational procedures that are updated regularly to reflect changes to business objectives or the risk environment.
Edgio addresses this requirement with the following solutions:
- Security Operations Center (SOC): Edgio’s SOC maintains a full set of processes for managed detection and response to security events. It can quickly deploy network-wide rules in the event of zero-day vulnerabilities or attacks, and it maintains a comprehensive SLA policy for escalation and 24/7 response.