Protecting card data with privileged access management controls: Sumit Srivastava, CyberArk

Protecting card data with privileged access management controls: Sumit Srivastava, CyberArk


India is one of the fastest-growing e-commerce markets, with growth from small towns and cities. Thanks to the availability of low-cost Internet and improved logistics infrastructure in Tier 2 and Tier 3 cities, the Indian e-commerce sector is growing at a phenomenal pace.

The growth in e-commerce can also be attributed to the change in shopping habits due to the Covid-19 pandemic and the lockdown that came with it. Most Indians became acquainted with the benefits of online shopping during the pandemic, and this habit continues even today and is preferred by many. A report by Bain and Flipkart, ‘How India Shops Online 2022’, states that the e-commerce market is expected to reach $50 billion in 2022. The report says that rising affluence in the country will fuel consumption and increase shopper spending, with India’s e-retail market estimated to grow to $150–$170 billion by 2027. This is a 25%–30% annual growth and a doubling of market penetration to 9%–10% over the next five years.

While these numbers are impressive, this growth can drop drastically if the industry does not take serious steps to address the issue of online fraud. For instance, according to the annual report by the RBI, for the year ended March 2022, card and Internet fraud surged to a whopping $1.55 billion in 3,596 cases, compared to $1.19 billion in 2,545 cases in the same period a year ago. When e-commerce sales or online sales surge, payment fraud correspondingly increases.

If you are an organisation that handles credit or debit card information, now is the time to revisit the Payment Card Industry Data Security Standard (PCI-DSS) guidelines so that you can protect your organisation, safeguard customer data, preserve trust and avoid hefty penalty fees.

PCI DSS compliance goals

Retailers, processors, service providers and other businesses that accept major payment cards and store, process or transmit cardholder data electronically must follow the PCI DSS guidelines and provide annual evidence of compliance. The global security standard aims to protect all parties involved in online transactions from damaging cyberattacks by safeguarding cardholders’ confidential data and mitigating security vulnerabilities and risks such as unauthorised data access and disclosure for merchants.

PCI-DSS 4.0 is the latest version published by the Payment Card Industry Security Standards Council, the standard’s governing body. It defines six principal goals and 12 high-level requirements and best practices for securing the network and system infrastructure and protecting confidential cardholder data.

As part of these goals, PCI DSS defines strong access control measures and multi factor authentication (MFA) methods to help prevent threat actors from breaching IT systems and stealing confidential cardholder data. Notably, the standard requires merchants to monitor and control access to all administrative accounts on point-of-sales (POS) terminals and other systems that manage cardholder data.

Addressing Key PCI DSS Requirements with Strong Privileged Access Management Controls

Cyber criminals routinely look for ways to exploit privileged credentials — including those for administrative accounts on IT systems that handle credit card and debit card transactions — to orchestrate attacks and steal sensitive data. Especially during the hectic holiday season, distracted workers, lax credential management practices, and error-prone manual security processes provide them with ample opportunity.

Because of this, PCI-DSS recommends merchants consider using a privileged access management (PAM) solution to restrict access to privileged accounts and defend against data breaches. Cloud infrastructure entitlements management (CIEM) solutions help organisations reduce excessive permissions across systems hosting data in their cloud environments — satisfying another essential PCI-DSS requirement to implement least privilege access.

Privileged access management controls work in concert to improve visibility and control over privileged accounts; isolate and monitor privileged sessions, and help prevent unauthorised access.

These controls provide the foundation for a comprehensive Identity Security approach and the key to satisfying the following PCI- DSS requirements:

  • Build and maintain a secure network by helping to isolate privileged sessions
  • Protect IT system data by securing credentials and secrets used by people and applications, and protect cardholder data by updating and rotating credentials and secrets automatically based on policy
  • Maintain a vulnerability management programme by defending against malware that exploits privileged accounts and preventing malware from spreading across systems
  • Implement strong access control by enabling least privilege access and tracking privileged activity
  • Regularly monitor and test networks through monitoring capabilities that provide real-time visibility into live events; use threat analytics to identify anomalies and suspicious activity; and use audit logs to provide historical records of privileged activity

PCI-DSS helps protect merchants by reducing security vulnerabilities and mitigating risk, and it helps protect consumers by safeguarding confidential cardholder data and defending against fraud and abuse. If your business accepts major credit or debit cards, you must adhere to the PCI- DSS specifications and provide annual evidence of compliance. PAM solutions can help you improve your security posture and satisfy key PCI DSS requirements by gaining better visibility and control over privileged accounts. PCI-DSS recommends merchants use PAM solutions to restrict access to privileged accounts and defend against data breaches.

By embracing an identity security strategy centered on intelligent privileged access management controls, organisations can strengthen their overall security posture and protect confidential data.

By – Sumit Srivastava – Solutions Engineering Director – India, CyberArk