Helping Enterprises Meet Compliance Requirements
Enterprises face an ever-increasing list of regulatory compliance obligations, and the level of compliance can vary by industry. Learn how SpyCloud’s account takeover (ATO) and online fraud prevention solutions can help you meet the growing regulatory compliance needs of your organization, including Payment Card Industry Data Security Standard (PCI DSS), Payment Services Directive 2 (PSD2), and National Institute of Standards and Technology (NIST).
Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard developed by credit card companies to help protect cardholder data. PCI DSS applies to any organization that processes, stores, or transmits credit card data and v4.0 updates include new guidance on passwords and a focus on malware.
- SpyCloud’s ATO Prevention solutions support PCI DSS v4.0 by protecting users from breaches due to password reuse, reducing the risk of data loss and downtime from ransomware, and securing your brand reputation.
- SpyCloud Identity Risk Engine supports the PCI standard by detecting users’ risk of account takeover, synthetic identities, and fraud tied to malware.
- SpyCloud Session Identity Protection identifies vulnerable users by providing visibility of their malware-stolen device and web session cookies.
The latest version of the PCI DSS standard (v4.0) calls for stronger authentication factors to identify users, as well as updated guidance on password complexity. The standards body’s minimum requirement for passwords/passphrases is now 12+ characters (up from 7 in previous versions), including both alphabetic and numeric characters.
At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases.
We also appreciate PCI’s focus on malware, as we are seeing an increase in malware logs in our recaptured data from the criminal underground. Information pilfered from malware-infected machines is shared in small criminal circles and private chat groups, and also posted on underground hacking web forums. SpyCloud is able to recapture and deliver this data to enterprises so they can take action on victims’ exposed credentials and stolen web session cookies. This helps consumers and organizations protect themselves before criminals can leverage the stolen data for ATO, identity theft, and online fraud.
Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.
– Online Travel Booking Company
- PSD2 introduces security requirements for the initiation and processing of electronic payments and the protection of consumers’ financial data.
- Payment Security Providers (PSPs) can tap into SpyCloud’s database of 350B+ recaptured assets to ensure user accounts meet security requirements.
- SpyCloud helps identify consumers with credential exposures and those who are transacting on an infected machine – users at higher risk of impersonation from siphoned credentials and stolen cookies.
PSD2 requires Payment Security Providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage security risks relating to the payment services they provide. For PSPs, the ability to regularly check your user accounts against the most timely, actionable collection of compromised authentication data available anywhere provides peace of mind in ensuring PSD2 compliance.
Stronger Customer Authentication (SCA)
Transaction Risk Analysis (TRA)
Balancing SCA with a seamless customer experience is a greater challenge that can be solved with Transaction Risk Analysis (TRA), a method for identifying fraud by observing the behavior in the transaction by the counterparties involved. Tapping SpyCloud’s database, PSPs can regularly check on their consumers to identify if they are at high risk of credential exposure or transacting on an infected machine as an out-of-band check or in-line during the authentication workflow. TRA is not new, but PSD2 strengthens the need for it, particularly when it can be deployed in real time, which is exactly what SpyCloud helps deliver.
With SpyCloud’s botnet data, we’ve protected thousands of accounts representing tens of millions of dollars of funds.
– Global Fintech Company
- SpyCloud Active Directory Guardian provides automated compromised credential detection and remediation so enterprises can easily apply NIST guidelines to their employees.
- SpyCloud Consumer ATO Prevention lightens the burden of aligning consumer passwords to NIST standards. Prevent consumers from choosing passwords that are weak, common, or compromised by checking new passwords against our entire database of billions of previously exposed passwords.
- SpyCloud Employee ATO Prevention helps organizations address ATO that leads to ransomware and remediate its root cause: compromised employee credentials.
Digital Identity Guidelines
- Require long, not necessarily complex, passwords
- Don’t force password resets
- Screen passwords against a list of compromised credentials
- Enable multi-factor authentication (MFA) whenever possible
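The PCI DSS v4.0 minimum described above (12+ characters, alphabetic and numeric) and the NIST guideline to screen new passwords against compromised and common lists can be combined in one policy check at password-set time. The following is an added illustration, not SpyCloud’s product code or its API: the compromised and common lists are small constructed samples, stored as SHA-256 digests so plaintext never sits in the deny-list, and a real deployment would query a breach-data service instead.

```python
import hashlib
import re

# PCI DSS v4.0 minimum as stated on the page: 12+ characters with both
# alphabetic and numeric characters.
PCI_MIN_LENGTH = 12

def _digest(password: str) -> str:
    """SHA-256 hex digest used as the deny-list key (hypothetical scheme)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample deny-lists (not real breach data). In practice these
# would be an external compromised-credential feed and a common-password list.
CONSTRUCTED_COMPROMISED = {_digest(p) for p in [
    "Password12345", "Summer2023!!!", "letmein12345",
]}
CONSTRUCTED_COMMON = {_digest(p) for p in [
    "qwerty123456", "iloveyou1234",
]}

def meets_pci_minimum(password: str) -> bool:
    """Length and character-class floor from PCI DSS v4.0 (no further complexity rules)."""
    return (
        len(password) >= PCI_MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )

def is_listed(password: str, deny_list: set) -> bool:
    """Hashed lookup against a deny-list; the plaintext never leaves this function."""
    return _digest(password) in deny_list

def evaluate_password(password: str,
                      compromised=CONSTRUCTED_COMPROMISED,
                      common=CONSTRUCTED_COMMON) -> dict:
    """Return {'accepted': bool, 'reasons': [...]} so the caller can tell the
    user exactly which rule failed (NIST favours explaining, not silent rejection)."""
    reasons = []
    if len(password) < PCI_MIN_LENGTH:
        reasons.append("too_short")
    if re.search(r"[A-Za-z]", password) is None:
        reasons.append("no_alpha")
    if re.search(r"[0-9]", password) is None:
        reasons.append("no_digit")
    # Screening runs even when the structural floor fails, so a user who picks a
    # long, well-formed but breached password is told it is compromised, not just "weak".
    if is_listed(password, compromised):
        reasons.append("compromised")
    elif is_listed(password, common):
        reasons.append("common")
    return {"accepted": not reasons, "reasons": reasons}

if __name__ == "__main__":
    for candidate in ["short1", "correcthorsebattery", "Password12345",
                      "qwerty123456", "correcthorsebattery7"]:
        print(candidate, "->", evaluate_password(candidate))
```

Note that the check deliberately stops at the PCI length and character-class floor plus deny-list screening; it does not demand symbols, mixed case, or periodic rotation, in line with the NIST points listed above (long rather than complex, no forced resets).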
Ransomware Risk Management
NIST sees compromised credential remediation as an “essential mitigation” against ransomware. In addition to its overall Cybersecurity Framework, NIST also offers NIST Ransomware Risk Management: A Cybersecurity Framework Profile, which is organized around five key functions: Identify, Protect, Detect, Respond, and Recover. SpyCloud offers proactive solutions that help enable the recommendations within the Protect function.
- Manage account and information access – ensure users have unique accounts and authenticate each user with strong passwords and MFA
- Educate – restrict access to corporate/official accounts via personal devices
In a recent SpyCloud survey, enterprises said phishing e-mails and compromised credentials were the #1 and #2 entry points for ransomware. SpyCloud acts as a ransomware “early warning system” by immediately identifying and remediating compromised employee credentials. This reduces the number of entry points for criminals to deliver ransomware to your network.
Active Directory Guardian has saved us more than 1,000 hours. It has significantly lowered the amount of time multiple teams had to spend searching the dark web to confirm compromise — let alone remediate it.
– Al Dixon, Principal IT Security Architect of CorpIT at EBSCO Industries