Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. We'd like to review our recent experience and offer suggestions for these comparatively novel situations.
Use of private blockchain for authentication purposes is relatively new, but can be problematic without adequate management of per-identity private keys. Account lockout in this context would definitely require administrator reset, which is inherently more disruptive (especially for lean organizations). The rotation process is also generally more cumbersome than for passwords.
As a deterrent to AI-powered hacking attempts, clients may employ psychological challenges designed to provoke an emotional response (Voight-Kampff tests). Essentially, this should be considered a non-biometric Third Factor. Coalfire recommends consulting with law enforcement regarding applicable local laws.
From a compliance perspective, biometrics using implanted technology will require an Attestation of Compliance (AOC) from the user's doctor or system integrator.
With the advent of quantum cryptography, please keep in mind that the use of quantum-entangled symmetric encryption keys requires careful key management procedures. Any violation of the Heisenberg Uncertainty Principle will require a Compensating Control.
Innovations in the Internet of Things space are allowing clients to build on the popular Software-Defined Perimeter (or Identity-Aware Proxy) pattern by expanding the dimensions of environmental data used for security policies. In particular, user implants that monitor health and user activity levels can provide extra 9s of risk management. Users with multi-tasking problems, or under the influence, may temporarily have their access levels curtailed. Users' immediate surroundings can also be factored into this decision. Catching up on email in the bathroom could be considered a risk factor.
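The Software-Defined Perimeter / Identity-Aware Proxy pattern described above reduces to a policy function: gather contextual signals about the session, turn them into a risk score, and map the score to an access level. The following is an added example written for this post, not Coalfire code or any product's policy engine; the signal names, weights and thresholds are constructed assumptions, and the "activity" and "location" signals stand in for the kind of environmental data the paragraph imagines.

```python
"""Context-aware access decision for an identity-aware proxy.

Added illustration only: every signal, weight and threshold below is a
constructed assumption, not a standard or a vendor's policy.
"""
from dataclasses import dataclass

# Constructed risk weights per signal value; unknown values fall through
# to the last entry of each table so an unexpected input is never "free".
NETWORK_RISK = {"corporate": 0, "vpn": 10, "public": 25, "unknown": 40}
ACTIVITY_RISK = {"focused": 0, "multitasking": 15, "impaired": 60, "unknown": 30}
LOCATION_RISK = {"office": 0, "home": 5, "restroom": 20, "unknown": 30}

DENY_AT = 60        # constructed threshold: score >= 60 blocks the session
READ_ONLY_AT = 25   # constructed threshold: score >= 25 curtails to read-only


@dataclass
class AccessContext:
    """Signals an identity-aware proxy might collect for one request."""
    user: str
    mfa_verified: bool
    device_managed: bool
    network: str          # "corporate", "vpn", "public"
    activity_signal: str  # constructed: "focused", "multitasking", "impaired"
    location: str         # constructed: "office", "home", "restroom"


def risk_score(ctx: AccessContext) -> int:
    """Sum the weighted contribution of each contextual signal."""
    score = 0
    if not ctx.mfa_verified:
        score += 50
    if not ctx.device_managed:
        score += 30
    score += NETWORK_RISK.get(ctx.network, NETWORK_RISK["unknown"])
    score += ACTIVITY_RISK.get(ctx.activity_signal, ACTIVITY_RISK["unknown"])
    score += LOCATION_RISK.get(ctx.location, LOCATION_RISK["unknown"])
    return score


def access_level(ctx: AccessContext) -> str:
    """Map a risk score to the access level the proxy should enforce."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= READ_ONLY_AT:
        return "read-only"
    return "full"


def decision_record(ctx: AccessContext) -> dict:
    """Build the audit record a proxy should log alongside the decision,
    so that a curtailed session can later be explained to the user."""
    return {
        "user": ctx.user,
        "score": risk_score(ctx),
        "level": access_level(ctx),
        "signals": {
            "mfa_verified": ctx.mfa_verified,
            "device_managed": ctx.device_managed,
            "network": ctx.network,
            "activity": ctx.activity_signal,
            "location": ctx.location,
        },
    }


if __name__ == "__main__":
    # Constructed sample sessions.
    samples = [
        AccessContext("alice", True, True, "corporate", "focused", "office"),
        AccessContext("bob", True, False, "public", "focused", "home"),
        AccessContext("carol", True, True, "corporate", "impaired", "office"),
    ]
    for ctx in samples:
        print(decision_record(ctx))
```

The design point is that the decision is additive and explainable: each signal contributes a bounded amount, so a single noisy environmental reading (a misclassified location, say) can downgrade a session to read-only but cannot on its own lock a user out, while the audit record preserves why the level was chosen.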
Using a private blockchain as a means of log persistence (with built-in immutability) has found some organizations facing stark choices among the various distributed ledger options. Throughput is clearly a primary value, but Coalfire recommends caution, and a total cost of operation metric. Of course, measures to avoid leaking sensitive data into logs should also be strengthened.
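Two of the properties the paragraph above wants from a log store, immutability and the absence of sensitive data, do not require a distributed ledger to demonstrate. The added example below (written for this post; not Coalfire code and not any ledger product's API) chains each entry to the previous one with SHA-256 so that tampering is detectable on verification, and masks primary account numbers before they are persisted, keeping at most the first six and last four digits. The regular expression, the Luhn check and the sample log lines are constructed assumptions.

```python
"""Tamper-evident, PAN-redacting append-only log.

Added illustration only. The hash chain gives tamper evidence (any edit
to a stored entry breaks verification); it does not by itself give the
distribution or consensus properties of a blockchain.
"""
import hashlib
import json
import re

GENESIS = "0" * 64  # constructed: hash value preceding the first entry

# Constructed pattern: 16 to 19 consecutive digits, captured as
# first six / middle / last four so the middle can be masked.
PAN_RE = re.compile(r"\b(\d{6})(\d{6,9})(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask the middle digits of any Luhn-valid PAN found in text."""
    def mask(m: re.Match) -> str:
        if not luhn_ok(m.group(0)):
            return m.group(0)
        return m.group(1) + "X" * len(m.group(2)) + m.group(3)
    return PAN_RE.sub(mask, text)


def entry_hash(body: dict) -> str:
    """Canonical JSON so the hash is stable across key order."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class HashChainedLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.prev = GENESIS

    def append(self, message: str) -> dict:
        """Redact, then bind the entry to its predecessor's hash."""
        body = {"seq": len(self.entries), "msg": redact_pan(message), "prev": self.prev}
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        self.prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False on any edit or reorder."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> tuple[bool, bool]:
    """Constructed sample: log two lines, verify, tamper, verify again."""
    log = HashChainedLog()
    log.append("auth ok user=alice card=4111111111111111")  # constructed test PAN
    log.append("order 12345 placed")  # not a PAN: fails Luhn / length, left alone
    before = log.verify()
    log.entries[0]["msg"] = "auth ok user=mallory"  # simulated after-the-fact edit
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())
```

Usage note: the Luhn filter keeps order numbers and timestamps readable while still catching card numbers; the redaction runs before hashing, so the chain protects the masked record and the unmasked PAN never reaches storage.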
Drones used for security escorts (with or without AI pilots) must still have distinguishing features to differentiate them from visiting drones used for remote assessment.
Entities using Turing-complete blockchains are reminded that Requirement 2 (System Hardening) applies to these platforms. Additionally, applications implemented on these platforms must adhere to Requirement 6 secure code development mandates. A newer option could be the use of quantum computing techniques to simultaneously assess all code execution paths. This might qualify as an application vulnerability assessment (as per Requirement 6.6).
For organizations using Turing-complete blockchains, Coalfire offers a reminder that exempting them from anti-malware scanning will require a risk assessment (per Requirement 5.1.2).
Governance, Risk and Compliance
Perhaps the biggest technology challenge has been finding the right applications for artificial intelligence (AI). Areas that were previously the sole province of humans are now being performed by software built with models of expertise and trained with large corpuses of data. While topics such as intrusion and malware detection are commonplace, other areas require more careful consideration before rolling out universally.
A recent client provided a risk assessment done by a new AI system. While the overall value of the report was high, the omission of risks from artificial intelligence did stand out. Coalfire recommends treating this as a form of insider threat. Similarly, background checks performed by AI must be verified, so that an AI may not perform the check on its author.
It's worth noting that while AI agents can increase efficiency in certain jobs, they are still subject to PCI compliance. One non-intuitive example is annual security awareness training. This is an area that is still developing. Coalfire has seen several approaches, from hardcoding acknowledgements into the AI, to training the AI on known-compliant datasets, to the use of general learning techniques. Coalfire believes the SSC will offer guidance in the near future.
In the vendor management area, where AI agents are sourced from vendors and used for in-scope processes, those AIs must undergo a background check. The complexity of this check should not be underestimated. Coalfire can envision clients choosing to evaluate the vendor AI using their own AI, but recommends not going further in that progression.
April Fools! We hope you've enjoyed this speculative look at the future of PCI assessments. While some ideas are purely fantasy, others have direct reference to current technology trends. Coalfire tracks developing technology and regularly encounters innovative uses in client environments. We're here all year to help you sort out head-scratching PCI DSS issues.