With constantly changing technology and increasingly sophisticated cyber threats, how can your company maintain PCI Data Security Standard (PCI DSS) compliance? The latest version of the standard, Version 3.0, may make it easier by helping your organization make payment security “business as usual.”
The key message behind the changes is that meeting the PCI requirements shouldn’t be a once a year kind of thing. Rather, security monitoring, corrective action and reviews should be integrated into everyday business processes. Here’s what you need to know to start making that happen.
What Changes and When
Published in November 2013 by the PCI Security Standards Council (PCI SSC), Version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) went into effect in January 2014. It contains 19 evolving requirements that are new or updated. In addition, 64 existing controls have been clarified with additional guidance provided.
While you are encouraged to implement 3.0 as soon as possible, Version 2.0 remains in effect through the end of 2014 to allow time for making the transition.
The changes basically take the form of recommendations for best practices for maintaining ongoing PCI DSS compliance and enhanced testing procedures to clarify the level of validation expected for each requirement. PCI 3.0 also features an increased focus on education and making security a shared responsibility between organizations and their vendors.
That’s not to say any of this will be cheap, especially if your organization is playing catch-up in terms of security controls or lacks in-house IT security expertise and personnel. However, the cost of a breach, both financially and in terms of damage to your organization’s reputation, can be far greater.
Below are a few highlights of the changes.
Internal breaches can usually be traced back to employees who are directly involved in the payment chain. Their use of weak passwords or propensity to click on phishing links can leave the door open for attacks. In other instances, they unwittingly (or wittingly) share company information on social and public platforms. Lack of employee education contributes to the problem.
PCI 3.0 addresses this with additional staff training requirements around point-of-sale (POS) security (Requirement 9.9.3) and password selection best practices (Requirement 8.4). In terms of passwords, that could include using a passphrase instead of a password as a means to improve security while making it easier to remember, without having to resort to sticky notes stuck to a desk, computer screen or countertop.
There is more than one way to do security, and PCI 3.0 helps you choose the approach that works best for your business. That includes allowing you to implement the password strength that is appropriate for your security strategy (Requirement 8.2.3). The new version also provides greater flexibility to prioritize log reviews based on your organization’s risk management strategy (Requirement 10.6).
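The passphrase guidance above and the flexibility of Requirement 8.2.3 are easy to describe and easy to get wrong in practice, so here is an added example (not code from the article or from the PCI SSC) of a password policy that accepts either a short, complex password or a longer, simpler passphrase. The length thresholds, the character-class rule and the small blocklist of common values are this example's own choices; a real deployment would tune them to its risk assessment and load a much larger blocklist.

```python
import re
from typing import Tuple

# Policy thresholds: constructed for this example, not values quoted from PCI DSS.
MIN_PASSWORD_LEN = 8        # short secrets must also be complex
MIN_PASSWORD_CLASSES = 3    # of lower, upper, digit, symbol
MIN_PASSPHRASE_LEN = 20     # long passphrases may use plain words
MIN_PASSPHRASE_WORDS = 4    # ... but need several distinct words

# Constructed sample blocklist; a production policy loads a breached-password list here.
COMMON_VALUES = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def character_classes(secret: str) -> int:
    """Count how many of the four character classes the secret uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in patterns if re.search(pattern, secret))


def evaluate_secret(secret: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password or passphrase.

    A passphrase is judged on length and number of distinct words; a shorter
    password is judged on length and character-class mix. Both paths reject
    values from the blocklist first, since length alone does not save a
    well-known value.
    """
    if secret.lower() in COMMON_VALUES:
        return False, "rejected: common or previously breached value"

    words = [w for w in re.split(r"\s+", secret.strip()) if w]
    if len(secret) >= MIN_PASSPHRASE_LEN and len(words) >= MIN_PASSPHRASE_WORDS:
        distinct = {w.lower() for w in words}
        if len(distinct) < MIN_PASSPHRASE_WORDS:
            return False, "rejected: passphrase repeats the same word"
        return True, "accepted as passphrase"

    if len(secret) >= MIN_PASSWORD_LEN and character_classes(secret) >= MIN_PASSWORD_CLASSES:
        return True, "accepted as complex password"

    return False, (
        f"rejected: use at least {MIN_PASSWORD_LEN} characters from "
        f"{MIN_PASSWORD_CLASSES} character classes, or a passphrase of at least "
        f"{MIN_PASSPHRASE_WORDS} distinct words and {MIN_PASSPHRASE_LEN} characters"
    )


if __name__ == "__main__":
    # Constructed candidates covering each branch of the policy.
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3",
                      "summer2014", "password1", "the the the the the the"):
        accepted, reason = evaluate_secret(candidate)
        print(f"{candidate!r:35} -> {accepted} ({reason})")
```

The point of the two-path design is that a policy does not have to trade memorability for strength: a user who prefers a long phrase is not forced to bolt symbols onto it, while a user who prefers a short secret still has to make it complex. Whichever path is used, the blocklist check runs first, because a long but famous phrase is no better than a short one.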
Pay attention to Requirements 11.3 and 11.4. In addition to the existing mandated quarterly assessments by an approved scanning vendor, you are now required to implement a penetration testing methodology to verify that your cardholder data environment (CDE) is properly segmented from other networks. The more rigorous penetration testing requirements will likely lead to implementation of a common pen testing standard and require that Qualified Security Assessors (QSAs) take a much closer look at testing processes to ensure organizations are following the new guidelines.
Who Does What
Shared responsibility between organizations and their vendors is a major theme of the PCI 3.0 changes and for good reason; it’s nearly impossible to go it alone when it comes to securing cardholder data, especially if you outsource portions of your IT operations. In a 2013 report by Trustwave, the compliance and information security solution provider noted that 63% of its investigations revealed that a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.
Under Requirement 12.8.5, if you rely on third-party service providers, you must document which data security measures your organization will perform and which security measures the service provider will perform. Although merchants and others were previously required to maintain lists of vendors that connected to their cardholder data environment (CDE), another revised provision, Requirement 12.9, requires each vendor to acknowledge in writing the requirements for which the vendor is responsible.
In addition, service providers that connect to CDEs will be required to use a unique set of log-on credentials for each customer (Requirement 8.5.1). This is intended to stop criminals who learn of a vendor’s log-on credentials for one merchant’s network from using the same credentials to steal card data from other merchants that use the same service provider.
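A service provider (or a merchant auditing its providers) needs a way to confirm that Requirement 8.5.1 actually holds across its customer base. The following is an added example, not code from the article or from any PCI SSC material, of such a check: it walks a constructed inventory of remote-support accounts, one row per (customer, account), and flags any credential fingerprint that appears under more than one customer. The inventory format, the `svc_support` / `svc_backup` account names and the customer names are all assumptions made for this example; the plaintext values exist only to build the sample, since a real inventory would store nothing but one-way fingerprints.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List


def fingerprint(secret: str) -> str:
    """One-way fingerprint so the audit never compares or stores plaintext.

    SHA-256 truncated to 16 hex digits is enough to detect reuse in an
    inventory of this size; a production check would use the full digest.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


# Constructed sample inventory (values are made up for this example).
# merchant-a, merchant-b and merchant-d share one support credential,
# which is exactly the situation Requirement 8.5.1 is meant to prevent.
SAMPLE_ACCOUNTS = [
    {"customer": "merchant-a", "account": "svc_support", "fingerprint": fingerprint("Vendor#2014!")},
    {"customer": "merchant-b", "account": "svc_support", "fingerprint": fingerprint("Vendor#2014!")},
    {"customer": "merchant-c", "account": "svc_support", "fingerprint": fingerprint("xK9$wq2Lm!pR4vTz")},
    {"customer": "merchant-d", "account": "svc_support", "fingerprint": fingerprint("Vendor#2014!")},
    {"customer": "merchant-a", "account": "svc_backup",  "fingerprint": fingerprint("bQ7&hN3sYd!8cFwE")},
]


def find_shared_credentials(accounts: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each credential fingerprint used by more than one customer to the
    sorted list of customers that use it. An empty result means every
    customer has its own credential set."""
    customers_by_fp = defaultdict(set)
    for row in accounts:
        customers_by_fp[row["fingerprint"]].add(row["customer"])
    return {fp: sorted(custs) for fp, custs in customers_by_fp.items() if len(custs) > 1}


def report(accounts: Iterable[dict]) -> List[str]:
    """Human-readable findings, one line per shared credential."""
    findings = []
    for fp, customers in sorted(find_shared_credentials(accounts).items()):
        findings.append(
            f"credential {fp} is shared by {len(customers)} customers: {', '.join(customers)}"
        )
    return findings


if __name__ == "__main__":
    lines = report(SAMPLE_ACCOUNTS)
    print("\n".join(lines) if lines else "no credential shared across customers")
```

Run against a real inventory, the empty result is the evidence a QSA would want to see for 8.5.1; a non-empty result lists the customers whose access would fall together if that one credential were exposed. Keying the check on a fingerprint rather than the plaintext means the audit job itself never needs access to the secrets, which keeps it out of scope for the stricter handling rules that apply to them.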
Note: If you’re considering outsourcing any portion of your IT infrastructure to a data center or cloud services provider, you’re better off going with one that has undergone a PCI audit by an independent QSA. If the provider hasn’t already been certified under PCI 3.0, make sure that they plan to do so this year. Chances are a PCI-compliant provider will also be able to provide managed services that can help you meet some of your PCI 3.0 requirements as well.
Get the Details
If your business is subject to the requirements of PCI, it’s time to make IT security an integral part of how you do business. You’ll find good information on the PCI SSC web site regarding Version 3.0, including a summary of the changes between Versions 2.0 and 3.0.