According to Privacy Rights Clearinghouse, the data of over 10 billion consumers has been compromised across an estimated 17,000+ incidents since 2002. These data breaches can be debilitating for customers, especially when sensitive financial information (like payment card numbers) is exposed. Breaches are costly for organizations as well: IBM estimates that in 2024, a data breach will cost organizations an average of $4.88 million, a 10% cost increase from last year.
To protect consumers and organizations, the Payment Card Industry Security Standards Council (PCI SSC) has established data security standards (PCI DSS) for any organization that accepts consumer payment cards. The latest version, PCI DSS v4.0, introduces numerous new measures, including enhanced protection against emerging attack vectors, improved reporting mechanisms, and more granular access control. For compliance, risk, and governance teams, integrating these new requirements while maintaining existing protocols presents a significant challenge.
In this blog post, we’ll cover how crowdsourced solutions, specifically bug bounty programs, can effectively meet PCI security requirements, reducing the load on security and compliance teams.
What are crowdsourced solutions?
Crowdsourced solutions leverage hackers who attempt to hack organizations in good faith to find vulnerabilities and report them to the organizations before a malicious actor can exploit them. Since the 1970s, hackers have been essential members of the security ecosystem, helping thousands of organizations secure their systems.
Examples of crowdsourced security solutions include:
- Vulnerability Disclosure Programs (VDP): These function as a “neighborhood watch” for discovering vulnerabilities. Hackers can report vulnerabilities to the organization without compensation. VDPs promote security awareness and collaboration between organizations and the broader security community.
- Managed Bug Bounty Programs: Similar to VDPs, but with a key difference: they offer financial incentives (“bounties”) for reporting security flaws. The reward typically increases with the severity of the reported issue, encouraging hackers to focus on identifying the most critical vulnerabilities.
How can bug bounty programs meet PCI requirements?
PCI guidelines call out bug bounty programs as an effective means of meeting critical security requirements. Here are two examples of PCI requirements where these programs are mentioned:
- Vulnerability assessment for in-house software: PCI-DSS 4.0 / 6.3.1 recommends bug bounty programs as a potential solution for assessing vulnerabilities in internally developed software.
- Public vulnerability reporting: PCI’s Mobile Payment on COTS (MPoC) v1.0.1 requirements A.4.2.1, D.2.1.4, and D.4.2.1 suggest bug bounties as options for security testing and reporting.
What are the benefits of bug bounty programs?
Forrester estimates that over a period of three years, Bugcrowd’s bug bounty programs can help organizations reduce the risk of a material breach by up to 30% and save them $1.43M. This impact stems from three benefits:
- Comprehensive testing: Bug bounty programs incentivize hackers to find the most critical vulnerabilities across all areas of a given application. This increases the chance of identifying critical security flaws that traditional security methods might overlook.
- Quick results: The financial incentives paid out by managed bug bounty programs encourage hackers to report vulnerabilities promptly, reducing the potential window of opportunity for malicious hackers.
- Consistent mechanism: Crowdsourced solutions, including bug bounty programs, provide a continuous safety net for catching issues, especially as the team ships new code, reducing the likelihood of regressions.
These solutions have been widely adopted across sectors, private and public alike. For instance, PayPal launched a bug bounty program in 2018, garnering over 1,600 reports from nearly 800 participating hackers. In the public sector, the General Services Administration (GSA) maintains an ongoing bug bounty program that has uncovered 178 valid reports. Here’s a comprehensive list of companies implementing public bug bounty programs at Bugcrowd.
Partnering for comprehensive security solutions
Selecting appropriate security solutions to improve an organization’s security posture while meeting compliance requirements like PCI-DSS can be challenging, especially given an evolving threat and regulatory landscape. Many organizations collaborate with experienced partners to develop a security strategy tailored to their specific needs, scale, and objectives.
Bugcrowd offers services that combine traditional security methods, such as penetration testing, with newer approaches like crowdsourced solutions. To get started with Bugcrowd, chat with a security expert today.