For IT security professionals tasked with protecting cardholder and payment data, achieving and maintaining PCI-DSS (Payment Card Industry Data Security Standard) compliance is a fundamental priority.
Understanding the requirements and best practices outlined in PCI-DSS can empower your organization to create a more robust security posture, safeguarding not only your customers’ data but also your company’s reputation. This is especially true when it comes to cyber threats that can be particularly damaging, such as malware and phishing. In this blog post, we’ll explore how Protective DNS can help you maintain compliance with PCI-DSS and combat these dangerous threats.
PCI-DSS and malicious software.
PCI-DSS Version 4.0, which became the only active version of the standard in March 2024 when version 3.2.1 was retired, specifies malware protection in Requirement 5, “Protect All Systems and Networks from Malicious Software”. This requirement makes anti-malware protection compulsory on in-scope system components.
However, Requirement 5.2.1 allows an exception for “system components that are not at risk for malware”, and Requirement 5.2.3 requires those components to be listed and their exposure to evolving malware threats re-evaluated periodically.
This exception is usually applied to three types of systems:
- Servers with heavy disk IO, such as email and database servers. Because these systems run at a higher load than a typical workstation and write files to disk constantly, on-access anti-malware scanning can degrade their performance or make them unresponsive. As a result, where anti-malware is deployed on them at all, real-time scanning is usually excluded for the storage paths with the highest disk IO, which leaves exactly those paths unprotected.
- Internet of Things (IoT) devices, including Point of Interaction/Point of Sale devices such as payment terminals. These embedded devices typically do not run an operating system that supports an anti-malware agent, and their CPU, RAM, and storage limits prevent them from running anything beyond their own operating system or firmware.
- Lastly, there are older systems, usually referred to as “legacy systems”, that an organization may find in scope for PCI-DSS. These systems are usually beyond vendor support and cannot be upgraded without a complete migration to a different platform, often involving custom development and significant troubleshooting.
The challenge with these systems lies in maintaining compliance with PCI-DSS while ensuring they are effectively protected against malware and other cyber threats. While the network adds risk by allowing malware to spread and be controlled remotely across the Internet, the network also provides an answer to malware in the form of Protective DNS.
An introduction to Protective DNS.
Protective DNS is a security control that protects systems against malware by blocking access to malicious domains at the resolver service the network provides to its clients. It can address threats such as phishing, malware droppers, scam websites, and malware command and control. It can also enforce Acceptable Usage Policies for desktop and mobile users by filtering categories of domains such as adult content, gambling, and social media.
Protective DNS works by answering DNS queries for known malicious domains with the address of a safe landing page or a sinkhole IP (Internet Protocol) address instead of the real one. The client therefore never connects to the host behind the domain, which may serve malware or act as a command-and-control server. Because the control sits in the resolver, it is only effective for clients that actually use that resolver: devices must be configured to use it, and egress filtering should stop them from reaching other resolvers directly on port 53 or over encrypted DNS (DNS over HTTPS or DNS over TLS).
This approach is particularly useful for protecting systems like those mentioned above that cannot run traditional anti-malware software. By blocking access to malicious domains at the network level, Protective DNS helps protect these devices from threats that could compromise their security and put sensitive information at risk.
Advantages of Protective DNS.
Protective DNS offers several advantages for organizations looking to maintain compliance with PCI-DSS and secure their systems against malware:
- An additional layer of security: Protective DNS adds protection for devices that cannot run traditional anti-malware software.
- Limits the spread of malware: blocking dropper and command-and-control domains stops infected hosts from fetching further payloads or receiving instructions, which reduces the risk of data breaches.
- Easy implementation: forwarding queries from the existing on-network resolver to the protective resolver requires no significant infrastructure changes or custom development.
- Real-time protection: constant monitoring and updates to the list of known malicious domains provide protection against emerging threats.
- Visibility: because every query passes through the resolver, network administrators gain DNS logs that reveal potential security threats.
- Cost-effective protection: organizations of all sizes can benefit, since Protective DNS delivered as a service requires no additional hardware or endpoint software.
Vercara’s Protective DNS solution, UltraDDR.
UltraDNS Detection and Response (UltraDDR) is Vercara’s next-generation Protective DNS Solution. It uses 4 distinct detection engines:
- The Lists Engine: Allows administrators to set up their own allowlists and blocklists or to import them from sources via URL (Uniform Resource Locator).
- The Categories Engine: Leverages Vercara-provided categories for Acceptable Usage Policy compliance, such as blocking gambling, dating, and adult content. It also has categories for known malware and hacker sites.
- The Decision Engine: Uses a multi-petabyte adversarial infrastructure data lake that is seeded with Cyber Threat Intelligence data and 10 years of DNS history to identify newly malicious domains and block them before they can be used by cybercriminals.
- The Ruleset Engine: Provides a rules capability to augment or extend the other engines. For instance, rules could be applied to perform geo-blocking based on not only the IP address that an FQDN resolves to but also the country that the authoritative nameserver is in and the country code Top-Level Domain.
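To make the mechanism concrete, here is a small policy resolver in Python written for this post as an illustration. It is not UltraDDR's code and uses none of Vercara's APIs; it simply shows how the sinkholing described above and the list, category, and ruleset decisions listed here fit together. The lists, categories, blocked networks, and the TEST-NET sinkhole address are constructed sample data, and the predictive Decision Engine is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy. A production service loads these from threat feeds,
# customer lists, and category databases; every name and address here is illustrative.
SINKHOLE_IP = "192.0.2.1"                                     # TEST-NET-1, stands in for a sinkhole
ALLOWLIST = {"bank.example"}                                  # customer allowlist, always wins
BLOCKLIST = {"malware-cdn.example", "c2.example"}
CATEGORIES = {"casino.example": "gambling", "dropper.example": "malware"}
BLOCKED_CATEGORIES = {"gambling", "malware"}                  # Acceptable Usage Policy choices
BLOCKED_CCTLDS = {"zz"}                                       # geo rule by country-code TLD (placeholder)
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # geo rule by the network an answer points at


def labels(fqdn: str) -> list:
    """Normalize a name: drop the trailing dot, lowercase, split into labels."""
    return fqdn.rstrip(".").lower().split(".")


def parent_domains(fqdn: str):
    """Yield the name and each parent, so a rule on c2.example also covers x.c2.example."""
    parts = labels(fqdn)
    for i in range(len(parts)):
        yield ".".join(parts[i:])


@dataclass
class Decision:
    fqdn: str
    action: str            # "resolve" or "sinkhole"
    engine: str            # which rule set made the call
    reason: str
    answer: Optional[str]  # address handed back to the client


def decide(fqdn: str, upstream_answer: str) -> Decision:
    """Apply the policy to one query.

    upstream_answer is the A record the upstream resolver returned; it is passed
    through unchanged when nothing matches and replaced by the sinkhole when a rule fires.
    """
    # Lists: allowlist first so a customer exception beats every other rule.
    for d in parent_domains(fqdn):
        if d in ALLOWLIST:
            return Decision(fqdn, "resolve", "lists", f"allowlisted via {d}", upstream_answer)
    for d in parent_domains(fqdn):
        if d in BLOCKLIST:
            return Decision(fqdn, "sinkhole", "lists", f"blocklisted via {d}", SINKHOLE_IP)

    # Categories: block if the name or a parent falls in a disallowed category.
    for d in parent_domains(fqdn):
        category = CATEGORIES.get(d)
        if category in BLOCKED_CATEGORIES:
            return Decision(fqdn, "sinkhole", "categories", f"category {category} via {d}", SINKHOLE_IP)

    # Ruleset: geo-style rules on the ccTLD and on the network the answer points at.
    tld = labels(fqdn)[-1]
    if tld in BLOCKED_CCTLDS:
        return Decision(fqdn, "sinkhole", "ruleset", f"ccTLD .{tld} blocked", SINKHOLE_IP)
    addr = ipaddress.ip_address(upstream_answer)
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return Decision(fqdn, "sinkhole", "ruleset", f"answer {addr} in blocked network {net}", SINKHOLE_IP)

    return Decision(fqdn, "resolve", "none", "no policy match", upstream_answer)


if __name__ == "__main__":
    # Constructed queries paired with the address the upstream resolver would have returned.
    for name, ip in [("www.bank.example", "203.0.113.10"),
                     ("update.c2.example", "203.0.113.11"),
                     ("casino.example", "203.0.113.12"),
                     ("shop.example.zz", "203.0.113.13"),
                     ("shop.example", "198.51.100.7"),
                     ("shop.example", "203.0.113.14")]:
        d = decide(name, ip)
        print(f"{name:20} -> {d.action:8} {d.answer:15} [{d.engine}: {d.reason}]")
```

The ordering matters: the allowlist is checked before anything else so that a documented business exception cannot be undone by a feed update, and parent-domain matching means a single blocklist entry covers every hostname an attacker generates beneath it.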
UltraDDR can help you with PCI-DSS compliance.
UltraDDR can help organizations meet or make significant strides toward several sub-requirements of PCI-DSS, depending on compliance scope, risk assessment, and the evaluation of your Qualified Security Assessor (QSA).
Specifically, we can help organizations meet the following requirements:
Requirement 5. “Protect All Systems and Networks from Malicious Software”
UltraDDR employs four distinct detection engines to offer comprehensive system and network defense against malicious software.
Requirement 5.2. “Malicious software (malware) is prevented, or detected and addressed.”
UltraDDR safeguards against the initial malware infection by blocking phishing and malicious download links. If a system is infected by a means other than the network, such as USB storage, UltraDDR detects and addresses the malware when it tries to download further toolkits or communicate with its command-and-control server.
Requirement 5.2.1. “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.”
UltraDDR adds malware protection at the network level, which covers the devices that are exempted from agent-based anti-malware because they cannot run it.
Requirement 5.2.2. “The deployed anti-malware solution(s): Detects all known types of malware. Removes, blocks, or contains all known types of malware.”
UltraDDR can identify, block, and contain both known and newly identified malware, either by blocking the domains that deliver it or by preventing its communication with command-and-control systems.
Requirement 5.2.3. “Any system components that are not at risk for malware are evaluated periodically to include the following: A documented list of all system components not at risk for malware. Identification and evaluation of evolving malware threats for those system components. Confirmation whether such system components continue to not require anti-malware protection.”
Protective DNS services such as UltraDDR provide malware protection for components that cannot run an agent. Consequently, the process of listing and evaluating exceptions demands less effort, since each evaluation can record the network-level protection that is in place for the component.
Requirement 5.3. “Anti-malware mechanisms and processes are active, maintained, and monitored.”
UltraDDR provides active, timely logging of all DNS traffic for auditing, incident response, and threat hunting. Administrators can perform these actions inside the web administrative console or via API (Application Programming Interface).
Requirement 5.3.1. “The anti-malware solution(s) is kept current via automatic updates.”
By offering malware prevention and protection as a service that’s backed by Cyber Threat Intelligence, UltraDDR constantly and automatically updates its definitions of malware and other attacks.
Requirement 5.3.2. “The anti-malware solution(s): Performs periodic scans and active or real-time scans. OR Performs continuous behavioral analysis of systems or processes.”
UltraDDR performs behavioral analysis of systems based on their DNS queries to detect network traffic bound for malicious infrastructure such as phishing links, malware droppers, and command and control servers.
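The following Python example, added here and not part of UltraDDR or its log format, shows the kind of analysis that DNS logs make possible for Requirements 5.2 and 5.3: it parses a constructed sample of resolver log lines, lists which clients hit sinkholed domains, and flags client/domain pairs queried at near-constant intervals, the regular beaconing pattern typical of command-and-control check-ins. The log layout, timestamps, addresses, and thresholds are all constructed for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simple space-separated layout (not UltraDDR's format):
# <ISO-8601 UTC timestamp> <client IP> <queried name> <action taken by the resolver>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.20.1.15 c2.example sinkhole
2024-05-01T10:00:05Z 10.20.1.22 www.bank.example resolve
2024-05-01T10:05:00Z 10.20.1.15 c2.example sinkhole
2024-05-01T10:07:30Z 10.20.1.40 dropper.example sinkhole
2024-05-01T10:10:00Z 10.20.1.15 c2.example sinkhole
2024-05-01T10:12:00Z 10.20.1.22 cdn.example resolve
2024-05-01T10:15:00Z 10.20.1.15 c2.example sinkhole
2024-05-01T10:20:01Z 10.20.1.15 c2.example sinkhole
"""


def parse_log(text: str):
    """Return (timestamp, client, qname, action) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, action = fields
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower(), action))
    return records


def sinkholed_by_client(records):
    """Clients that were steered to the sinkhole, with a per-domain hit count.

    Each entry is a host that tried to reach blocked infrastructure and is a
    candidate for incident response, whether or not it runs an anti-malware agent.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for _, client, qname, action in records:
        if action == "sinkhole":
            hits[client][qname] += 1
    return {client: dict(domains) for client, domains in hits.items()}


def beacon_candidates(records, min_queries=4, max_jitter=0.2):
    """Flag (client, qname) pairs queried on a near-regular schedule.

    jitter is the population standard deviation of the gaps between queries
    divided by their mean; a small value over several queries means the host is
    checking in on a timer, which is how most C2 implants behave.
    """
    times = defaultdict(list)
    for ts, client, qname, _ in records:
        times[(client, qname)].append(ts)

    flagged = []
    for (client, qname), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            flagged.append({"client": client, "qname": qname, "queries": len(stamps),
                            "interval_s": round(mean_gap, 1), "jitter": round(jitter, 3)})
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sinkholed queries per client:", sinkholed_by_client(recs))
    for hit in beacon_candidates(recs):
        print("beacon candidate:", hit)
```

In the constructed sample, 10.20.1.15 queries c2.example every five minutes and is the only beacon candidate; 10.20.1.40 made a single blocked request to a dropper domain and shows up in the sinkhole summary but not as a beacon. Tune min_queries and max_jitter to the retention window and query volume of the environment, and treat the sinkhole summary as the higher-confidence list.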
Requirement 5.3.4. “Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.“
UltraDDR stores DNS logs and makes them available to customers via the web interface, API, or object storage.
Requirement 5.3.5. “Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.”
Because the protection is enforced in the network rather than on the endpoint, users cannot alter or disable it from their devices, provided they cannot switch to another resolver.
Requirement 5.4. “Anti-phishing mechanisms protect users against phishing attacks.”
By combining large-scale DNS data analysis with Cyber Threat Intelligence, UltraDDR is well suited to detecting and blocking phishing domains.
Requirement 5.4.1. “Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.”
UltraDDR is an automated, proactive mechanism that detects and protects personnel against phishing attacks before they can cause damage.
Harnessing UltraDDR: the road forward.
UltraDDR offers a defense-in-depth strategy that aligns with the PCI-DSS v4.0 requirements above. It addresses the malware protection challenges of high-IO servers, IoT devices, and legacy systems, and it strengthens the anti-malware defenses within the Cardholder Data Environment (CDE) as a whole, providing a comprehensive and simplified approach to security.
Adopting Vercara UltraDDR not only helps with compliance but is also a highly effective way to protect against a wide variety of abuses, enforce security policy, and address the risks of operating online.
Visit the Protective DNS solution page to learn more about UltraDDR and how it can protect your organization against phishing and malware.