Share

Top 5 Stories

News

PCI DSS Version 3.0 Goes Beyond Compliance

12 November 2013

The PCI Security Standards Council (PCI SSC) has published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) for debit and credit card security, geared to move organizations from mere compliance to more comprehensive security approaches built on shared responsibility.

“Over the course of several years now, the PCI Security Standards Council has done a laudable job at defining and evolving a cohesive set of standards, as well as at listening and adapting over time to the feedback from merchants, banks, payment processors, service providers and technology providers,” said Derek Brink, vice president and research fellow, Aberdeen Group, in a statement. “The stakeholders in the payment card community seem to be working to put security and compliance in the right relationship – i.e., that compliance does not drive security; compliance is the result of foundational security practices.”

Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance.

“The No. 1 thing to work on is the need to be aware of security throughout the organization and to educate across the enterprise so that everyone shares the responsibility to protect cardholder data,” said Troy Leach, CTO at the PCI Security Standards Council, in an interview. “The technology evolves, but the people and processes inside the organization remain the same. So we need ongoing awareness about accepting and storing cardholder data so that we can come together as a community to ensure the security and safety of that data.”

For instance, Version 3.0 requires that vendors use unique credentials for each merchant environment that they access, in the wake of a data breach incident in which a vendor used one password for all customers. While the password itself met PCI requirements, being alphanumeric and long, a hacker was able to gain access to one account, and then all of the rest of them within the environment.

Outsourcing in general is a guiding theme in the new version. “We have an underlying aim to make PCI a little more user-friendly than it was,” said Bob Russo, general manager, PCI SSC, speaking to Infosecurity. “We want to increase education and awareness, and we want to be more flexible. And especially for smaller merchants that outsource many of their applications, we want to stress that security is a shared responsibility, even if a third-party is doing data storage for you.”

He added that the password breach incident also points out that old tactics are still around even as news headlines focus on next-generation threats. “What we’re seeing through all of the breach reports, technology moves on and things get more complex – but the basic exploits are still being used and used successfully, like SQL injection and password issues,” Russo said. “If we can move the needle a little even on the default password problem, then we’re way ahead. So we still have to deal with the low-hanging fruit even as more ingenious ways of stealing data are created.”

Other changes in Version 3.0 include enhanced testing procedures to clarify the level of validation expected for each requirement, and the fact that guidance from the Navigating PCI DSS Guide is now built in to the standard.

“This new version incorporates more context than ever before as to how merchants can meet the requirements as they’re written,” said Leach. “That’s going to be a big improvement. We recognize that the merchants are aware of their responsibility – but they may not be as aware as they should be of how to best handle card data.”

Others concur. “The revisions made for the latest version of the PCI standards will go a long way to improving the quality of assessments and reducing overall risk,” said Kurt Hagerman, director of information security at FireHost, in an emailed statement. “Whereas with previous iterations of the standards, companies would be told how to meet each requirement, with PCI DSS 3.0 they are given both a more detailed explanation of the requirement and the ways of meeting it – a much more effective approach indeed.”

However, he also warned that merchants may not appreciate the true scale of the task. “There is however no denying that the new standards will mean an increase in time and costs for organizations to remain compliant,” he said. “Organizations only reaching the bare minimum standards of PCI DSS 2.0 right now will need to make significant revisions to their compliance strategy to reach 3.0 and I suspect SMEs will have the most to do in this regard.”

He added, “For many businesses PCI compliance has traditionally been a once-a-year exercise in reviewing business practices and ensuring the regulations are met. Constant monitoring of PCI as part of business-as-usual will require additional investment in resources and personnel for any organization.”

Specific new requirements in PCI DSS include:

  • Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected
  • Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
  • Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer
  • Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
  • Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
  • Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
  • Req. 11.3 and 11.3.4 - implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
  • Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism
  • Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Req. 12.9 - for service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 12.8.2


For PA-DSS:

  • Req. 5.1.5 - payment application developers to verify integrity of source code during the development process
  • Req. 5.1.6 - payment applications to be developed according to industry best practices for secure coding techniques
  • Req. 5.4 - payment application vendors to incorporate versioning methodology for each payment application
  • Req. 5.5 - payment application vendors to incorporate risk assessment techniques into their software development process
  • Req. 7.3 - application vendor to provide release notes for all application updates
  • Req. 10.2.2 - vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer
  • Req. 14.1 - provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually

Version 3.0 becomes effective on January 1, 2014, and businesses will have one year to apply it. Some of the changes are future dated requirements that are best practices until July 1, 2015.

Changes are made to the standards every three years, based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Proposed changes for version 3.0 were shared publicly in August, and Participating Organizations and assessors had the opportunity to discuss the draft standards at the 2013 Community Meetings prior to final publication.

This article is featured in:
Application Security  •  Compliance and Policy  •  Data Loss  •  Identity and Access Management  •  Industry News

 

Comments

Loke says:

11 December 2013
I think over 60% of merchants will fail the PCI DSS v3 compliance due to stricter requirements. For example, how can the POS terminal device be secured when it is left in the open especially in the retail store. It is not feasible for the store owner to check the device daily, and tally the serial number with the inventory list.

~ Mr Loke

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×