Tips for Meeting PCI DSS Patching Requirements
Attackers frequently target payment card data. To help protect against this, compliance regimes like the PCI Data Security Standard (PCI DSS) were put in place to protect cardholder data wherever it is stored, processed or transmitted.
PCI DSS includes several requirements designed to protect cardholder data, including specific requirements for vulnerability patching. Within its requirements for developing and maintaining secure systems and software, PCI DSS sets the timeline for addressing known vulnerabilities in the technology that supports payment transactions and stores payment data.
In this article, we’ll look at the PCI DSS requirements for patching and outline what you can do to meet these requirements, even when patching is tough.
What Are PCI DSS Requirements for Patching?
The latest PCI DSS standard, PCI DSS version 4.0, was released at the end of March 2022 (PCI DSS version 3.2.1 remains valid until 31 March 2024, after which 4.0 is the only active version). Aside from a few changes, the patching requirements are similar in both versions, and for the purpose of this article we’ll refer to version 4.0 of the standard.
No matter which version you refer to, you’ll find the substance of requirements around patching in Section 6, which contains the specification for developing and maintaining secure software and systems. In PCI DSS 4.0, the section that touches on patching is 6.3: “Security vulnerabilities are identified and addressed”.
Patching receives a few mentions in Section 6.3, but the pertinent requirement lies in point 6.3.3. Here, PCI DSS states that all system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
- Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
- All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).
In summary, to remain PCI DSS compliant, critical and high-risk patches must be applied within one month of release, whereas all other applicable patches must be applied within a time frame that your organization defines and documents; the standard offers three months as an example, not as a hard limit. Criticality is determined by the risk ranking process in Section 6.3.1, which draws on industry best practices and the potential impact of the vulnerability: what the vendor says about severity, independent security reports, the CVSS score, and the type of system affected.
PCI DSS puts a hard requirement on the one-month timeline for critical and high-risk patches, and expects you to meet whatever timeline you have defined for the rest. Covered organizations that miss these deadlines will be found non-compliant.
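The deadline logic in 6.3.3 is easy to state but easy to get wrong when tracked by hand, particularly the calendar-month arithmetic around month ends and the distinction between "not yet due" and "overdue". The following is an added example, not code from the original article or from the PCI Security Standards Council: a small tracker that applies a 6.3.1-style risk ranking to a patch inventory and reports each item's status against 6.3.3. The CVSS threshold (7.0), the vendor labels treated as critical/high, the 90-day window for everything else, and the sample inventory are all assumptions an entity would define and document itself.

```python
"""Added example: track PCI DSS 6.3.3 patch deadlines against a patch inventory.

Illustrative code only; it is not taken from the article or from PCI SSC.
Assumptions: a vendor rating of critical/high OR a CVSS base score >= 7.0
ranks as "critical or high" (Requirement 6.3.1); everything else gets an
entity-defined window, here three months (Requirement 6.3.3 example).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import calendar


@dataclass(frozen=True)
class Patch:
    system: str                 # in-scope component handling cardholder data
    advisory: str               # vendor advisory / CVE identifier (placeholder here)
    cvss: float                 # CVSS base score from the vendor or NVD
    vendor_rating: str          # vendor's own severity label
    released: date              # vendor release date of the patch
    installed: Optional[date]   # None if the patch is not yet installed


def risk_rank(p: Patch) -> str:
    """6.3.1-style ranking: vendor severity and CVSS both feed the decision."""
    if p.vendor_rating.lower() in ("critical", "high") or p.cvss >= 7.0:
        return "critical/high"
    return "other"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to month end (31 Jan + 1 -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline(p: Patch, other_months: int = 3) -> date:
    """6.3.3: one month for critical/high; entity-defined window for the rest."""
    months = 1 if risk_rank(p) == "critical/high" else other_months
    return add_months(p.released, months)


def status(p: Patch, today: date, other_months: int = 3) -> str:
    """compliant/late for installed patches; pending/overdue for outstanding ones."""
    due = deadline(p, other_months)
    if p.installed is not None:
        return "compliant" if p.installed <= due else "late"
    return "overdue" if today > due else "pending"


def report(inventory: List[Patch], today: date) -> Dict[str, str]:
    """Map each advisory to its 6.3.3 status as of `today`."""
    return {p.advisory: status(p, today) for p in inventory}


# Constructed sample inventory; advisory identifiers are placeholders, not real ones.
SAMPLE_INVENTORY = [
    Patch("pos-gateway-01", "VENDOR-2024-0001", 9.8, "critical", date(2024, 1, 31), date(2024, 2, 20)),
    Patch("pos-gateway-01", "VENDOR-2024-0002", 8.1, "important", date(2024, 1, 31), None),
    Patch("db-cardvault-02", "VENDOR-2024-0003", 5.3, "moderate", date(2024, 1, 15), date(2024, 3, 1)),
    Patch("db-cardvault-02", "VENDOR-2024-0004", 4.0, "low", date(2023, 11, 1), None),
]

if __name__ == "__main__":
    as_of = date(2024, 3, 15)
    for p in SAMPLE_INVENTORY:
        print(f"{p.system:16} {p.advisory:18} {risk_rank(p):14} "
              f"due {deadline(p)}  {status(p, as_of)}")
```

Note that VENDOR-2024-0002 is ranked critical/high on its CVSS score even though the vendor labelled it "important": the 6.3.1 ranking should be the more conservative of the available signals, and a tracker that looked only at vendor labels would have given that patch three months instead of one.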
What You Can Do to Meet PCI DSS Patching Timelines
Each organization takes its own approach to patching timelines, even if, in practice, the timeline essentially comes down to ASAP. An independent standard such as PCI DSS, however, sets fixed deadlines that can be tough to meet with your existing cybersecurity practices.
Depending on the survey you refer to, the typical time to patch is anywhere from two to five months, and organizations commonly struggle to meet their own patching timelines. The reality of patching can easily conflict with PCI DSS requirements, and failing to deploy a patch quickly enough can lead to a fine, or worse.
Some of the steps your organization can take to reduce the time to patch and to stand a better chance of staying PCI DSS compliant include:
- Introducing visibility. As with so much in cybersecurity, you can’t protect what you don’t know about. Map out which systems you rely on for handling cardholder data and payments, then map out their dependencies as well.
- Focusing on what’s critical. If your compliance regime, PCI DSS, demands that payment-related technology is patched in time, then that’s where you need to focus your resources first.
- Communicating and coordinating better. Don’t be in crisis mode for patching: ensure that you consistently monitor patching goals, communicate the need to patch to stakeholders, and plan maintenance windows.
- Using technology to change the game. Manual patching is time-consuming, and the reboots it involves are disruptive. Explore live patching for any of your payment-related systems that can be covered by it, including enterprise Linux distributions, open-source libraries, databases, and virtualization environments.
- Resourcing it right. The need to patch should be no news to you by now, and you shouldn’t be surprised by the intensive resource requirements involved in consistent patching of large technology estates. To stay PCI DSS compliant, you must resource adequately for patching compliance.
To meet patching requirements, including those in PCI DSS, you really need all hands on deck. This includes deploying all technology solutions at your disposal – from vulnerability scanning through to live patching.
A Few Other Notes About Patching in PCI DSS
Patching receives a mention in a couple of other PCI DSS requirements. For example, 1.2.5 requires that all services, protocols, and ports allowed through network security controls are identified, approved, and have a defined business need. Unused services are often forgotten about and, as a consequence, left unpatched and vulnerable.
Likewise, Section 11.3 requires regular internal and external vulnerability scans, with the vulnerabilities found patched or otherwise remediated and rescans run to confirm the fix. There are a few minor mentions in the appendices to the standard too.
Get All the Help You Need
Failing to meet the patching deadlines set in PCI DSS Section 6.3 means non-compliance with the standard. An organization that is found non-compliant can face fines passed down through its acquiring bank, higher transaction fees, or in the worst case the loss of its ability to accept card payments.
There’s also the risk that inadequate patching will lead to a breach – which can involve massive cleanup costs and even business closure.
At TuxCare, we can accelerate your patching approach and make it significantly easier to attain and maintain PCI DSS compliance.
With our live patching solutions, your systems will receive the latest Linux vulnerability patches as soon as they’re made available. With TuxCare, patches are deployed automatically in the background while systems are running, without your team needing to schedule a maintenance window or reboot.
TuxCare live patching covers you for the most popular enterprise Linux operating systems as well as commonly-used open-source libraries and databases – and even virtualization environments too. Read more about TuxCare’s range of live patching solutions here.