On November 7, the Payment Card Industry (PCI) updated security requirements for handling credit card numbers and related data. The updated Data Security Standard (DSS) 3.0 reflects a number of key changes important to any organization that stores, processes, or transmits cardholder data (CHD). The new requirements become effective January 1, 2014. The older 2.0 standard will remain active until December 31, 2014 to help ensure adequate time for the transition.
Overview of changes
The new standard can be obtained from the PCI Security Standards Council website. Version 3.0 clarifies existing requirements and adds several new requirements. Here’s a quick breakdown:
- Section 5 (Malware) – organizations need to evaluate evolving malware threats for systems not commonly affected by malware. This includes mainframes and mid-range systems.
- Section 8 (Access management) – the minimum password complexity and strength requirements are combined into one. There is now increased flexibility for meeting password requirements using authorized alternatives. Service providers with remote access to customer premises must use unique authentication credentials for each customer. Any physical or logical security tokens must be linked to an individual account.
- Section 9 (Physical access) – card-reading devices at the point of sale must be protected from tampering and substation.
- Section 11 (Test systems) – pen testing must use industry-accepted methodologies (such as NIST). The security assessor must validate network segmentation. Processes for responding to change-detection alerts must be used.
- Section 12 – (Policy) – new requirements for how service provider validation is maintained and vetted.
The updated standard will bring change to how assessors validate compliance. Organization should expect QSAs to take a fresh look at cardholder data environments and scope validation. PCI DSS 3.0 has very stringent requirements for compliance testing. As a result, areas that were marginal under 2.0 will most likely not be compliant under 3.0.
Tips for achieving compliance in a “post 3.0” world
The focus of PCI DSS is the protection of cardholder data. In the past, the objective of many compliance programs has been focused on compliance itself. However, the primary objective should be security of data. Therefore, organizations should integrate a business-as-usual perspective into their security program. Generally speaking, if your organization is truly secure, compliance validation is not going to be a major issue.
To help secure payment card data (and achieve DSS compliance), organization should consider using a prioritized approach to incrementally protect against risk factors and threats. Assess gaps between 2.0 and 3.0 requirements and identify issues in any existing processes. Consider existing technology and determine what improvements are required. After evaluating the gaps and estimating the timeline, cost, and other factors, determine if the resources necessary to achieve security are available internally or via outsourcing. Document the 3.0 migration plan and begin to implement it well ahead of industry deadlines.
Remember, PCI compliance is achieved through the security of cardholder data. Studies show that 96% of all organizations with a breach were not compliant at the time of incident (Verizon, 2012). This figure establishes a simple correlation between non-compliance and breach likelihood. However, the cause of breach is not non-compliance. This fact can be established by the 4% of compliant organizations that suffered a breach of cardholder data. Accordingly, we can determine that the cause of cardholder data breach is poor security practices. Policies, procedures, and technology are ineffective if they are not implemented properly, systematically monitored and maintained, and used by organizations that embrace security as a fundamental operating principle.
For more information and guidance on compliance and security, visit Terra Verde Services.
About Patrick Bass
Patrick Bass, Director of Security Solutions at TerraVerde, is a CISSP with over 16 years experience leading IT security in the financial services, healthcare and technology industries.