Helping Enterprises Meet Compliance Requirements

Enterprises face an ever-increasing list of regulatory compliance obligations, and the level of compliance can vary by industry. Learn how SpyCloud’s account takeover (ATO) and online fraud prevention solutions can help you meet the growing regulatory compliance needs of your organization, including Payment Card Industry Data Security Standard (PCI DSS), Payment Services Directive 2 (PSD2), and National Institute of Standards and Technology (NIST).

Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard developed by credit card companies to help protect cardholder data. PCI DSS applies to any organization that processes, stores, or transmits credit card data and v4.0 updates include new guidance on passwords and a focus on malware.


The latest version of the PCI DSS standard (v4.0) calls for stronger authentication factors to identify users, as well as updated guidance on password complexity. The standards body’s minimum requirement for passwords/passphrases is now 12+ characters (up from 7 in previous versions), including both alphabetic and numeric characters.

At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases. 

We also appreciate PCI’s focus on malware, as we are seeing an increase in malware logs in our recaptured data from the criminal underground. Information pilfered from malware-infected machines is shared in small criminal circles and private chat groups, and also posted on underground hacking web forums. SpyCloud is able to recapture and deliver this data to enterprises so they can take action on victims’ exposed credentials and stolen web session cookies. This helps consumers and organizations protect themselves before criminals can leverage the stolen data for ATO, identity theft, and online fraud.

Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.
– Online Travel Booking Company

PSD2 requires Payment Security Providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage security risks relating to the payment services they provide. For PSPs, the ability to regularly check your user accounts against the most timely, actionable collection of compromised authentication data available anywhere provides peace of mind in ensuring PSD2 compliance.

Stronger Customer Authentication (SCA)
According to PSD2, Stronger Customer Authentication (SCA) promotes multi-factor authentication (MFA), which unfortunately isn’t foolproof. Malware-infected devices create an extreme risk for online fraud and identity theft. Beyond login credentials, criminals have access to device and session cookies that allow them to bypass MFA and impersonate consumers. SpyCloud identifies consumers whose cookies have been stolen by malware, enabling enterprises to invalidate their active sessions and preventing criminals from using the stolen cookies to take over accounts.
Transaction Risk Analysis (TRA)

Balancing SCA with a seamless customer experience is a greater challenge that can be solved with Transaction Risk Analysis (TRA), a method for identifying fraud by observing the behavior in the transaction by the counterparties involved. Tapping SpyCloud’s database, PSPs can regularly check on their consumers to identify if they are at high risk of credential exposure or transacting on an infected machine as an out-of-band check or in-line during the authentication workflow. TRA is not new, but PSD2 strengthens the need for it, particularly when it can be deployed in real time, which is exactly what SpyCloud helps deliver.

With SpyCloud’s botnet data, we’ve protected thousands of accounts representing tens of millions of dollars of funds.
– Global Fintech Company
Digital Identity Guidelines
In its most recent guidelines regarding password security, NIST offers recommendations that organizations can implement to further strengthen their security posture, including:
  1. Require long, not necessarily complex, passwords 
  2. Don’t force password resets 
  3. Screen passwords against a list of compromised credentials 
  4. Enable multi-factor authentication (MFA) whenever possible 
SpyCloud Active Directory Guardian enables enterprises to greatly reduce the time, cost, and resources required to align with NIST guidelines. It prevents employees from setting passwords that fail to meet NIST’s standards. It also blocks passwords in a custom dictionary of up to 30,000 entries, passwords containing sequential or repeated characters, and billions of previously-compromised passwords from SpyCloud’s database.
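A minimal password-screening check in the spirit of the NIST and PCI DSS rules described above, added here as an illustration (not Active Directory Guardian’s own code): the 12-character letters-plus-digits minimum, an exact-match custom dictionary, sequential or repeated runs of four or more characters (an assumed threshold), and a lookup against a set of compromised-password hashes. All sample data is constructed.

```python
import hashlib

# Constructed sample data for this example; not real breach data.
COMPROMISED_SHA256 = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Password12345", "Welcome2024!!", "letmein123456")
}
CUSTOM_DICTIONARY = {"acmecorp2024", "acmecorp", "companyname1"}

MIN_LENGTH = 12   # PCI DSS v4.0 minimum cited in the text
RUN_LENGTH = 4    # assumed threshold for sequential/repeated runs


def has_run(password, length=RUN_LENGTH):
    """True if the password contains `length` identical characters in a row
    or an ascending/descending character sequence (abcd, 4321) that long.
    Case is ignored, so 'aAaA' counts as a repeated run."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password, compromised=COMPROMISED_SHA256,
                    dictionary=CUSTOM_DICTIONARY):
    """Return the list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        failures.append("must contain both letters and digits")
    if password.lower() in dictionary:
        failures.append("in custom dictionary")
    if has_run(password):
        failures.append("contains sequential or repeated characters")
    # Compare a digest rather than the plaintext so the blocklist itself
    # never needs to hold readable passwords.
    digest = hashlib.sha256(password.encode()).hexdigest()
    if digest in compromised:
        failures.append("previously compromised")
    return failures


if __name__ == "__main__":
    for candidate in ("Password12345", "acmecorp2024", "tundra-violet-kayak-31"):
        print(candidate, "->", screen_password(candidate) or "OK")
```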
Ransomware Risk Management

NIST sees compromised credential remediation as an “essential mitigation” against ransomware. In addition to its overall cybersecurity framework, NIST also offers NIST Ransomware Risk Management: A Cybersecurity Framework Profile, which includes five key functions: Identify, Protect, Detect, Respond and Recover. SpyCloud offers proactive solutions that help enable the recommendations within the Protect function.

  • Manage account and information access – ensure users have unique accounts and authenticate each user with strong passwords and MFA
  • Educate – restrict access to corporate/official accounts via personal devices

In a recent SpyCloud survey, enterprises said phishing e-mails and compromised credentials were the #1 and #2 entry points for ransomware. SpyCloud acts as a ransomware “early warning system” by immediately identifying and remediating compromised employee credentials. This reduces the number of entry points for criminals to deliver ransomware to your network.

Active Directory Guardian has saved us more than 1,000 hours. It has significantly lowered the amount of time multiple teams had to spend searching the dark web to confirm compromise — let alone remediate it.
– Al Dixon, Principal IT Security Architect of CorpIT at EBSCO Industries

Join us in our mission to disrupt criminals’ ability to profit from stolen data