SecurityWeek
PCI 3.0 Compliance Standard Arrives With Start of New Year

The New Year brought many things – good tidings, champagne…and new requirements for the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS 3.0 is a reality now for businesses, and though some of the requirements in it won’t be mandatory until July 1, businesses need to adjust to the standard. A full summary of the changes can be read here.

There are a number of important new provisions in the standard for businesses to focus on. For example, noted Michael Aminzade, Trustwave’s vice president of global compliance and risk services, many online retailers who redirect payments to a third party will now be in scope for compliance audits – even if they don’t touch cardholder data.

“For example, a retailer who is selling products online and taking payments through a third party payment provider will now be in scope to fulfill the compliance requirements,” he told SecurityWeek. “Whilst, technically speaking, retailers are not actually transmitting, storing or processing the cardholder data, they will be in scope for compliance since they can impact the flow of the card data. PCI 3.0 provides online retailers with greater clarity and education on the security of cardholder data and the need to be fully compliant with the new requirements.”

On July 1, requirements mandating more stringent penetration testing will also go into effect.

“When conducting penetration tests, merchants, or whoever is performing the test, must follow an industry standard framework,” Aminzade added. “Merchants must ensure that the service they use for penetration testing for their networks, applications, databases or POS (point-of-sale) systems complies with the new requirements. The standard also mandates tester independence, meaning the person who tests the system cannot be the same individual who manages or administers the system. Finally, if a merchant puts up firewalls to segment an area of the network handling card data to reduce their scope for PCI compliance, they must now prove isolation for this area in order to enable the QSA to verify this reduction of scope, a level of assurance that is needed to be provided in penetration test reporting.”

Related to this, section 1 of the updated standard includes tighter requirements for network mapping.

“The new news is that the map requirement got tougher, starting Jan 1 – you can’t just make a diagram of wires and routers, you now need to show access, end to end, as data flows across the network,” said Mike Lloyd, CTO of RedSeal Networks. “That is, you can’t just show how many routers you own any more – you have to show how your infrastructure works, supporting your business, as you handle credit card transactions.”
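The isolation proof Aminzade describes and the end-to-end access map Lloyd describes both reduce to one question: given the firewall rule base, which segments can actually reach the cardholder data environment (CDE), and by what path? The script below is an added example written for this article; it is not code from SecurityWeek, Trustwave or RedSeal. Every segment name, rule and data-flow hop in it is constructed sample data, and the rule model (first match wins, stateless, implicit default deny) is a simplifying assumption. It lists each out-of-scope segment that can reach a CDE segment, with the hop-by-hop path a QSA could check against the pen test report, and confirms that each hop of the documented card data flow is in fact permitted.

```python
"""Segmentation evidence for a PCI scope reduction (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule between two network segments."""
    src: str
    dst: str
    port: Optional[int]   # None matches any TCP port
    action: str           # "allow" or "deny"


# Constructed sample topology; names are hypothetical, not from the article.
CDE_SEGMENTS = {"pos", "payment_app", "cde_db"}          # in-scope segments
OUT_OF_SCOPE = {"corp_lan", "guest_wifi", "warehouse"}   # claimed out of scope
EXTERNAL = {"acquirer"}                                  # third-party processor

# First-match rule base with an implicit default deny (assumed model).
RULES = [
    Rule("guest_wifi", "cde_db", None, "deny"),
    Rule("pos", "payment_app", 443, "allow"),       # card data flow hop 1
    Rule("payment_app", "cde_db", 5432, "allow"),   # card data flow hop 2
    Rule("payment_app", "acquirer", 443, "allow"),  # card data flow hop 3
    Rule("corp_lan", "warehouse", 445, "allow"),    # out-of-scope to out-of-scope
    Rule("warehouse", "pos", 22, "allow"),          # admin path that breaks isolation
]

# The card data flow the merchant documents for the QSA (constructed).
DOCUMENTED_FLOW = [("pos", "payment_app", 443),
                   ("payment_app", "cde_db", 5432),
                   ("payment_app", "acquirer", 443)]


def permitted(rules, src, dst, port):
    """First matching rule decides; no match means deny."""
    for r in rules:
        if r.src == src and r.dst == dst and (r.port is None or r.port == port):
            return r.action == "allow"
    return False


def probe_ports(rules):
    """Ports worth testing: every explicit port in the rule base."""
    return sorted({r.port for r in rules if r.port is not None})


def direct_access(rules, segments):
    """Map each segment to {dst: {ports}} it can reach in a single hop."""
    ports = probe_ports(rules)
    access = {s: {} for s in segments}
    for src in segments:
        for dst in segments:
            if src == dst:
                continue
            open_ports = {p for p in ports if permitted(rules, src, dst, p)}
            if open_ports:
                access[src][dst] = open_ports
    return access


def reach_paths(access, start):
    """Breadth-first search: the hop-by-hop path to every segment reachable from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in access[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def segmentation_findings(rules, cde, out_of_scope, extra=()):
    """Every (out-of-scope segment, CDE segment, path) pair that breaks isolation."""
    segments = set(cde) | set(out_of_scope) | set(extra)
    access = direct_access(rules, segments)
    findings = []
    for src in sorted(out_of_scope):
        paths = reach_paths(access, src)
        for target in sorted(cde):
            if target in paths:
                findings.append((src, target, paths[target]))
    return findings


def data_flow_evidence(rules, flow):
    """Check that each hop of the documented card data flow is actually permitted."""
    return [(src, dst, port, permitted(rules, src, dst, port)) for src, dst, port in flow]


if __name__ == "__main__":
    for src, target, path in segmentation_findings(RULES, CDE_SEGMENTS, OUT_OF_SCOPE, EXTERNAL):
        print(f"ISOLATION BROKEN: {src} reaches {target} via {' -> '.join(path)}")
    for src, dst, port, ok in data_flow_evidence(RULES, DOCUMENTED_FLOW):
        print(f"flow {src} -> {dst}:{port} {'permitted' if ok else 'BLOCKED'}")
```

On the constructed rule base the script reports that both `corp_lan` and `warehouse` reach all three CDE segments, because the single `warehouse -> pos:22` admin rule chains into the documented payment path; removing that rule leaves no findings, which is the kind of before-and-after evidence a segmentation test report can carry. Real rule bases are stateful and address-based rather than segment-based, so treat the model as a starting point for the reachability question, not as a replacement for the test itself.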


Pieter Penning, an advisory principal with PricewaterhouseCoopers, noted that version 3.0 of the standard also adds a new set of requirements focused on the physical security of payment card readers.

“These new requirements (9.9, 9.9.1, 9.9.2, 9.9.3) state that the validating organization must ‘protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution’ through maintenance of an inventory list, regular inspection of the devices, and the delivery of focused card reader security training,” he explained. “This requirement is particularly challenging to larger merchants with a geographically dispersed operating model.”

“Whilst not representing a silver bullet solution to the problem of payment card theft, the latest PCI DSS changes highlight some of the problem areas most susceptible to exploitation by cyber criminals,” said Aminzade. “They should be used as a baseline on which to build a robust, multi-layered security strategy that consists of risk assessments to identify where their valuable data lives, technologies that protect that data, services such as vulnerability scanning and pen testing to continuously identify and remediate security weak spots, and enough manpower and skill sets to make sure their security controls are installed, updated and working properly.”

“By adopting this kind of security-first strategy, businesses will have a full understanding of the level of risk that the business must maintain and be able to implement a business-as-usual approach whilst being fully-compliant with PCI 3.0,” he said.

*This story was updated to correct a quote impacted by a formatting error.
