Helping Enterprises Meet Compliance Requirements

Enterprises face an ever-increasing list of regulatory compliance obligations, and the level of compliance can vary by industry. Learn how SpyCloud’s account takeover (ATO) and online fraud prevention solutions can help you meet the growing regulatory compliance needs of your organization, including Payment Card Industry Data Security Standard (PCI DSS), Payment Services Directive 2 (PSD2), and National Institute of Standards and Technology (NIST).

Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard developed by credit card companies to help protect cardholder data. PCI DSS applies to any organization that processes, stores, or transmits credit card data and v4.0 updates include new guidance on passwords and a focus on malware.

  • SpyCloud’s ATO Prevention solutions support PCI DSS v4.0 by protecting users from breaches due to password reuse, reducing the risk of data loss and downtime from ransomware, and securing your brand reputation.
  • SpyCloud Identity Risk Engine supports the PCI standard by detecting users’ risk of account takeover, synthetic identities, and fraud tied to malware.
  • SpyCloud Session Identity Protection identifies vulnerable users by providing visibility of their malware-stolen device and web session cookies.
Supporting Products:

The latest version of PCI DSS standards (v4.0) call for stronger authentication factors to identify users, as well as updated guidance on password complexity. Now, the standards body’s minimum requirements for passwords/passphrases are 12+ characters (up from 7 in previous versions), including both alphabetic and numeric characters. 

At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases. 

We also appreciate PCI’s focus on malware, as we are seeing an increase in malware logs in our recaptured data from the criminal underground. Information pilfered by malware-infected machines is shared in small criminal circles, private chat groups, and also posted on underground hacking web forums. SpyCloud is able to recapture and deliver this data to enterprises so they can take action on victim’s exposed credentials and stolen web session cookies. This helps consumers and organizations protect themselves before criminals can leverage their stolen data for ATO, identity theft, and online fraud. 

Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.
– Online Travel Booking Company
PSD2 Logo
The Payment Services Directive 2 (PSD2) is a European regulation from the European Banking Association (EBA) that encourages competition, transparency and innovation for electronic payment services.
  • PSD2 introduces security requirements for the initiation and processing of electronic payments and the protection of consumers’ financial data.
  • Payment Security Providers (PSPs) can tap into SpyCloud’s database of 350B+ recaptured assets to ensure user accounts meet security requirements.
  • SpyCloud helps identify consumers with credential exposures and those who are transacting on an infected machine – users at higher risk of impersonation from siphoned credentials and stolen cookies.
Supporting Products:

PSD2 requires Payment Security Providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage security risks relating to the payment services they provide. For PSPs, the ability to regularly check your user accounts against the most timely, actionable collection of compromised authentication data available anywhere provides peace of mind in ensuring PSD2 compliance.

Stronger Customer Authentication (SCA)
According to PSD2, Stronger Customer Authentication (SCA) promotes multi-factor authentication (MFA), which unfortunately isn’t foolproof. Malware-infected devices create an extreme risk for online fraud and identity theft. Beyond login credentials, criminals have access to device and session cookies that allow them to bypass MFA and impersonate consumers. SpyCloud identifies consumers whose cookies have been stolen by malware, enabling enterprises to invalidate their active sessions, and prevents criminals from using the stolen cookies to take over accounts.
Transaction Risk Analysis (TRA)

Balancing SCA with a seamless customer experience is a greater challenge that can be solved with Transaction Risk Analysis (TRA), a method for identifying fraud by observing the behavior in the transaction by the counterparties involved. Tapping SpyCloud’s database, PSPs can regularly check on their consumers to identify if they are at high risk of credential exposure or transacting on an infected machine as an out-of-band check or in-line during the authentication workflow. TRA is not new, but PSD2 strengthens the need for it, particularly when it can be deployed in real time, which is exactly what SpyCloud helps deliver.

With SpyCloud’s botnet data, we’ve protected thousands of accounts representing tens of millions of dollars of funds.
– Global Fintech Company
The National Institute of Standards and Technology, or NIST, developed the NIST Cybersecurity Framework, a policy framework that represents a set of best practices for keeping data secure.
  • SpyCloud Active Directory Guardian provides automated compromised credential detection and remediation so enterprises can easily apply NIST guidelines to their employees.
  • SpyCloud Consumer ATO Prevention lightens the burden of aligning consumer passwords to NIST standards. Prevent them from choosing passwords that are weak, common, or compromised by checking new passwords against our entire database of billions of previously-exposed passwords.
  • SpyCloud Employee ATO Prevention helps organizations address ATO that leads to ransomware and remediate its root cause: compromised employee credentials.
Supporting Products:
Digital Identity Guidelines
In its most recent guidelines regarding password security, NIST offers recommendations that organizations can implement to further strengthen their security posture, including:
  1. Require long, not necessarily complex, passwords 
  2. Don’t force password resets 
  3. Screen passwords against a list of compromised credentials 
  4. Enable multi-factor authentication (MFA) whenever possible 
SpyCloud Active Directory Guardian enables enterprises to greatly reduce the time, cost, and resources required to align with NIST guidelines. It prevents employees from setting passwords that fail to meet NIST’s standards. It also blocks passwords in a custom dictionary of up to 30,000 entries, passwords containing sequential or repeated characters, and billions of previously-compromised passwords from SpyCloud’s database.
Ransomware Risk Management

NIST sees compromised credential remediation as an “essential mitigation” against ransomware. In addition to its overall cybersecurity framework, NIST also offers NIST Ransomware Risk Management: A Cybersecurity Framework Profile, which includes five key functions: Identify, Protect, Detect, Respond and Recover. SpyCloud offers proactive solutions that help enable the recommendations within the Protect function.

  • Manage account and information access – ensure users have unique accounts and authenticate each user with strong passwords and MFA
  • Educate – restrict access to corporate/official accounts via personal devices

In a recent SpyCloud survey, enterprises said phishing e-mails and compromised credentials were the #1 and #2 entry points for ransomware. SpyCloud acts as a ransomware “early warning system” by immediately identifying and remediating compromised employee credentials. This reduces the number of entry points for criminals to deliver ransomware to your network.

Active Directory Guardian has saved us more than 1,000 hours. It has significantly lowered the amount of time multiple teams had to spend searching the dark web to confirm compromise — let alone remediate it.
– Al Dixon, Principal IT Security Architect of CorpIT at EBSCO Industries

Resources

BLOG
Modernize Your Password Security Policy with Latest NIST Guidelines
Read Now
A lock and a checkmark on top of credit cards represent the payment card industry
BLOG
New PCI DSS 4.0 Authentication Standards and What They Mean for You
Read Now
executive-management
CASE STUDY
Alvarez & Marsal Automates Account Takeover Prevention for 6,000+ Users with SpyCloud
Read Now
financial-services-protection
CASE STUDY
Protecting a Fortune
100 Financial Services Company
Read Now

Join us in our mission to disrupt criminals’ ability to profit from stolen data

Get a Demo