A Strategic Resilience Approach with Commvault Cloud: Compensatory Controls and Compliance for PCI DSS v4.0

Achieve PCI DSS v4.0 compliance seamlessly with Commvault Cloud. Learn how our single-platform solution addresses the one-month patching rule with compensatory controls, offering risk mitigation for vulnerabilities, clean backup data, data risk identification, and robust security monitoring.

In the dynamic landscape of cybersecurity, businesses face an ongoing challenge to protect sensitive data, particularly payment card information. Compliance models such as the Payment Card Industry Data Security Standard 4.0 (PCI DSS v4.0) are developed to encourage and enhance data security for organizations that handle sensitive customer data. Within this standard, PCI DSS 4.0 Requirement 6 emphasizes the critical need to develop and maintain secure systems and applications, recognizing that vulnerabilities in companies’ IT are regularly exploited by malicious actors. It mandates the installation of applicable vendor-supplied security patches within one month.

The Patchwork Challenge

On one hand, patching requirements appear trivial and necessary in today’s world. On the other hand, organizations face constraints from testing schedules and complex infrastructure, including tool sprawl and legacy systems, that make timely vulnerability management a nearly impossible mission for many. As a result, PCI compliance requirements such as the one-month patching timeline pose a significant challenge for companies.

Even after the implementation of patches, businesses are exposed to threat actors that identify new vulnerabilities and exploit them in zero-day attacks, especially in the modern age of generative AI. Organizations inherit cyber risk from IT vulnerabilities, but vendors are responsible for promptly discovering, disclosing, and fixing them.

Research reports that 42% of vulnerabilities continue to be exploited even after a patch is issued, with an average critical exposure time for threats (the time between disclosure and patch availability) of approximately nine days. In the recent MOVEit cyberattack, signs of experimentation with exploiting the vulnerability were observed as much as two years before it was disclosed.

Resolving PCI DSS Challenges with Compensatory Controls 

Though PCI DSS v4.0 has stringent requirements, it does allow some exceptions to give organizations flexibility and applicability. The one-month patch rule is one with some wiggle room: “Compensating controls may be considered when an entity cannot meet a PCI DSS requirement explicitly as stated due to legitimate and documented technical or business constraints but has sufficiently mitigated the risk associated with the requirement through the implementation of other, or compensating, controls.”

With risk mitigation in mind, the imperative of the standard is to build cyber resilience into your payment card systems. To help address this challenge, Commvault© Cloud, powered by Metallic AI, offers a comprehensive approach on a single platform that goes above and beyond conventional methods. Let’s take a short tour of how Commvault Cloud helps you:

  1. Mitigate risk for known and unknown vulnerabilities
    Commvault Cloud’s Threatwise capability, our data-minded cyber deception solution, brings modern ransomware protection and early-warning detection of vulnerability exploitation attempts to companies of every size. This proactive defense shields your production data against zero-day and silent threats by spotting malicious intent and activity along the path to your data. It does this by strategically blanketing vulnerable assets, critical instances, and hybrid environments with intelligent sensors that send out highly accurate early-warning signals with actionable threat intelligence across the organization. The patented technology enables prompt risk remediation, redirects the threat, and exposes silent attacks with its unique capabilities, including:
    1. Threat detection tailored to industry-specific risk factors (e.g., sensors mimicking Point of Sale (POS) systems)
    2. Custom sensors unique to your business
    3. Strategic sensor placement recommendations to improve cyber resilience
    4. Preconfigured reports aligned to the PCI DSS standard
    5. Automated alerts with actionable insights to key stakeholders and security tools, such as your SIEM
  2. Keep your backup data clean
    Utilize artificial intelligence (AI) to fight AI-driven attacks by surfacing zero-day and polymorphic malware targeting your backup instance with Commvault Cloud Threat Scan. This allows you to respond and recover clean data faster. Uncover abnormalities and predict threats before they infect your backups to help achieve and exceed recovery objectives.
  3. Identify data risk and governance factors
    Commvault Cloud Risk Analysis helps find, categorize, and act on sensitive data in secure data repositories and active data sources in seconds. Risk Analysis helps you stay ahead of data sprawl and overexposure to keep sensitive data protected and avoid data exfiltration.
  4. Secure, monitor, and respond
    Commvault Cloud’s Security IQ provides visibility across data instances, so you always stay cyber ready. Continuously bolster your security posture, identify data risks in real time, and remediate them to stay ahead of evolving threats. Integrations with SIEM and SOAR tools can further automate response to cut your time to react.

Commvault Cloud and PCI DSS v4.0

Commvault Cloud enables you to adopt a cyber resilience approach to help meet central requirements within PCI DSS v4.0 (including Requirements 2, 3, 7, and 10). The platform ensures secure configurations across all system components, safeguards stored backup account data, restricts access to cardholder backup data, and implements robust logging and monitoring. Comprehensive security controls such as identification and access management controls, security posture overviews, best-in-class encryption standards, and extensive documentation capabilities are available across all system components.

To learn more about our cutting-edge technology and recent real-world threat detection case studies contact us.
