PCI Compliance Alone Will Not Prevent The Next Breach


Back in 2004, the financial giants Visa, American Express, Discover Financial Services, and JCB International together with the Security Standard Council formed the PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS is a set of security standards including 12 requirements for protecting cardholder data and maintaining a safe and secure payment ecosystem.


Any entity that is subject to the PCI security standard must be compliant and, moreover, must ensure on a yearly basis that its compliance is still valid according to the updated protocols. PCI security applies to any company globally that stores, processes, or transmits cardholder data, from small start-ups to international organizations.


Despite substantial investments made in securing their networks, organizations are realizing that PCI security compliance alone does not guarantee protection against advanced cyberattacks.

The myriad successful cyber attacks against financial institutions in the past year are a testament to this simple truth. Many of these attacks were caused by attackers exploiting weak points in these organizations’ network perimeters that were left exposed and unmanaged, weak points which the PCI DSS’s requirements don’t cover.

Achieving PCI compliance as well as a good security posture must begin by obtaining comprehensive and ongoing visibility of your external attack surface, related risks, and threats. 


Reposify’s external attack surface management platform delivers autonomous, 24/7 discovery of internet exposed assets across all environments and the supply chain. Automating the discovery, inventory, classification, risk analysis, and scoring allows you to streamline the risk assessment process and ensure you are well-informed for the purpose of PCI DSS compliance.

When it comes to your internet-facing assets, Reposify’s platform significantly enhances your security posture and goes beyond the PCI DSS requirements. Not only does it help you eliminate vulnerabilities within your known networks, it also discovers and helps you eliminate risks resulting from unknown connected assets that exist outside of your known network ranges.

Here is how Reposify’s capabilities help support the PCI security standard’s technical and operational requirements:

Requirement 1:  Install and maintain a firewall configuration to protect cardholder data 

PCI Security Requirement: 1.1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 

How we help: Through Reposify’s integration with Palo Alto Networks’ Cortex, the system automatically identifies your internet exposed assets that are not behind a firewall and sends you an alert.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 

PCI Security Requirement: 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

How we help: When there is more than one service on any given asset (server), Reposify identifies all of the exposed services, automatically analyzes them for security issues, and alerts you.

PCI Security Requirement: 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

How we help: Reposify continuously identifies the services and protocols that are exposed to the web in real-time. Users can easily set up alerts to notify them when an unnecessary service or protocol is enabled.

Requirement 6: Develop and maintain secure systems and applications 

PCI Security Requirement: 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 

How we help: Reposify’s external attack surface management platform autonomously discovers and monitors your entire internet-facing asset inventory and analyzes every asset for a range of security issues, including CVEs, cryptographic issues, and misconfigurations, among others. Every asset is assigned a risk score. An action plan with remediation guidance is automatically generated.

PCI Security Requirement: 6.4.1.b Examine access control settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).

How we help: The platform identifies production and test environments that are exposed to the web and whether they are within the same IP address space or not. If they are, the system can send an alert on such issues in real-time.

PCI Security Requirement: 6.6  For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:  

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks.

How we help: Reposify’s platform autonomously discovers and monitors unknown risks and helps you prevent web-based attacks in real-time. Reposify goes beyond publicly registered IP and domain data, which rely mainly on DNS and WHOIS, and discovers all your unknown internet-facing assets no matter where they are located. Your external attack surface is continuously monitored so you can always stay up to date.

Requirement 8:  Identify and authenticate access to system components 

PCI Security Requirement: 8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: 

  • All user access to, user queries, and user actions on databases are through programmatic methods. 
  • Only database administrators have the ability to directly access or query databases. 
  • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 

How we help: The platform identifies, in real-time, assets (databases, file servers, login pages, etc.) that are exposed to the web and not properly restricted.

Requirement 12:  Maintain a policy that addresses information security for all personnel. 

PCI Security Requirement: 12.2 Implement a risk-assessment process that: 

  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), 
  • Identifies critical assets, threats, and vulnerabilities, and 
  • Results in a formal, documented analysis of risk. 

How we help: Reposify’s platform delivers comprehensive visibility of your external attack surface so you can quickly discover all your connected assets and related risks and ensure your risk assessment process is based on accurate and objective ground truth.


Proprietary agentless scanning technology continuously maps and indexes the entire internet and collects data on every connected asset. Classification and association engines analyze all the assets and automatically create your complete inventory, including both your known and unknown exposed assets.

Passive and non-intrusive active scanning techniques detect exposures, cryptographic issues, misconfigurations, remote code execution risks, CVEs & more. Intelligent risk prioritization & adaptive security scoring rank the risks based on multiple variables, so you know where to focus first.

PCI compliance is important, but PCI alone isn’t enough to prevent data breaches and other security incidents. Maintaining a good security posture over time requires complete and real-time visibility into potential asset exposures and risks.


Reposify is an attack surface management platform delivering autonomous 24/7 discovery of exposed assets across all environments and the supply chain. Leading enterprises worldwide use Reposify to gain unparalleled visibility of their internet-facing assets and actionable security insights for eliminating shadow IT risks in real-time.

