How Does IoT Security Impact PCI Compliance?

By on

Click to learn more about author Rob Chapman.

From self-driving vehicles to the food lockers at your local convenience store, the Internet of Things (IoT) is virtually everywhere. In fact, it’s one of those rare technology trends that has not only lived up to big expectations but continued to surpass them.

Everyone from industry analysts such as Gartner to technology behemoths like Google and Cisco has chimed in with their IoT predictions. Consider these numbers:

  • The global IoT market revenue is $212 billion.
  • Each second, 127 new IoT devices are connected to the Internet.
  • During 2020, experts estimate the installation of 20 to 30 billion IoT devices. That number is expected to skyrocket to 75 billion by 2025!

If you want to double-check any of those numbers, feel free to ask Alexa. There’s probably a good chance you have one of those IoT devices within shouting distance.

Do Smart Devices Create More Risk?

It wasn’t long ago that nearly all internet-connected devices (laptops, servers, phones) were primarily managed by actual living, breathing people. Then the advent of widespread Wi-Fi access and inexpensive cellphone connectivity in the mid-2000s paved the way for the first generation of “smart” devices. From that point on, the floodgates have been open.

Obviously, there’s a lot of upside to IoT devices in terms of convenience and efficiency. But what’s the potential downside? It typically involves a lack of security and greater exposure to risk. Consider these examples:

  • The exciting part of the IoT revolution for many manufacturers is developing the latest shiny new thing. Using relatively inexpensive technologies such as the Raspberry Pi and Arduino, nearly anyone can produce a smart device. Yes, these platforms can theoretically be secure, but don’t count on every manufacturer sweating the security details as much as they should. Time to market and broader integration tend to take priority over security concerns.
  • When you purchase a smart device, you naturally expect to use it for a while. For example, you’re not going to get rid of a smart refrigerator anytime soon. Yet, the lifecycle of a smart product is much shorter from the manufacturer’s perspective. You might end up waiting for critical security updates years after the manufacturer has already moved on to the next generation of products.
  • If a smart device gets hacked, guess what? The attacker has a launching pad to unleash additional attacks. A single device isn’t a huge issue by itself, but if the attacker can somehow launch a coordinated denial-of-service attack using thousands of devices, that could break even the sturdiest of corporate networks.

What are the Main IoT Vulnerabilities?

We all have different levels of risk we’re willing to accept, and those levels often differ significantly between our personal lives and our professional lives. Much of that comfort level comes down to balancing control with accessibility and risk. Either way, if you plan to utilize IoT devices, you should do so with your eyes wide open.

According to the Open Web Application Security Project (OWASP), the Top 10 IoT vulnerabilities include:

1. Weak, guessable, or hardcoded passwords
2. Insecure or unneeded network services
3. Insecure ecosystem interfaces
4. Lack of secure update mechanisms
5. Use of insecure or outdated components
6. Insufficient privacy protection
7. Insecure data transfer and storage
8. Lack of device management
9. Insecure default settings
10. Lack of physical hardening

Where Does PCI Compliance Fit in?

Once you’re aware of the IoT security threats you might face, how do you implement smart devices while continuing to meet your PCI compliance obligations? After all, you shouldn’t have to stifle innovation just to avoid compliance concerns. If you’re diligent about keeping IoT devices outside the scope of PCI compliance, you can have the best of both worlds.

In commercial environments, many IoT devices reside in remote locations — such as quick-service restaurants, fueling stations, convenience stores, and retail shops. Imagine devices doing everything from monitoring fuel tank levels to maintaining beverage temperatures and managing self-serve kiosks.

From a security and PCI compliance perspective, it’s usually best to treat these smart devices the same way you’d manage any other networked device in your environment:

  • Use network segmentation (virtual LANs) to isolate IoT devices from interacting with any systems that are within PCI scope.
  • Strengthen your firewall rules to limit device interaction (for example, don’t expose cardholder data or your POS systems to your digital menu display).
  • Implement outbound egress firewall filtering and deny any inbound traffic by default.

Can You Stay Connected and Compliant?

With digital transformation continuing to accelerate, let’s assume that IoT devices are here to stay — thanks to their ability to engage customers, improve business efficiency, and quickly deliver a competitive edge. As a result, you must proactively account for the relatively poor to non-existent security on many of these devices.

Start by creating a solid plan for ensuring security through simplicity. Be careful not to expand the scope of PCI compliance. And apply the same proven network security and compliance practices you use throughout the rest of your business. In the meantime, be sure to tell Alexa I said, “Hello.”

Leave a Reply

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept