A brand new set of IT security standards governing how companies should protect consumers' credit card data took effect this month, creating new compliance headaches for any company that stores, processes, or transmits cardholder data.

The Payment Card Industry Security Standards Council released version 3.0 of the PCI Data Security Standards (PCI DSS), significantly raising the bar on payment card data security by establishing several new compliance requirements for a wide range of industries, including retailers, payment card processors, financial institutions, and service providers. The standards were last updated in 2010.

The updated standards come as some retailers, including Target, Neiman Marcus, and others have revealed massive thefts of credit card information by hackers. While the new controls could help limit such data breaches, keeping up with the changes is no easy task, say data security companies. With each version comes additional changes, “so by the time a company has it all figured out, a new version comes out, and they have to implement additional controls,” says Gene Geiger, a director at A-lign Security and Compliance Services, a security assessment firm.

The PCI Security Standards Council, an open global forum responsible for the development of the PCI Security Standards, was founded in 2006 by five global payment brands—American Express, Discover Financial Services, JCB International, MasterCard, and Visa. The Council does not impose penalties for non-compliance; these areas are governed by the payment brands themselves.

The main focus of PCI DSS 3.0 is to shift PCI compliance from being a once-a-year exercise in reviewing business processes to making such monitoring part of the overall fabric of the company, Geiger adds.

The new standards will be phased in over time. Although the new standard took effect at the start of the year, compliance with both version 2.0 and 3.0 will be acceptable until Jan. 1, 2015. After that time, compliance with version 3.0 will become mandatory, with the exception of certain complex changes, which will be deemed “best practice” until July 1, 2015, when they officially take effect.

One of the most significant changes calls for enhanced penetration testing to verify that companies properly segment the cardholder data environment—the people, processes, and technology that process, transmit, and store cardholder data—from other network systems. “Segmentation equals isolation,” says Michael Aminzade of information security firm Trustwave.

“For all of us in retail, we're going to see the biggest impact around segmentation,” says Thomas Borton, director of IT security and compliance for home furnishings retail chain Cost Plus World Market, and a member of ISACA's Knowledge Board.

Companies must further perform penetration tests to demonstrate that the segmentation methods are operational and effective. Unlike PCI DSS 2.0, version 3.0 requires that a “qualified security assessor” perform the testing.

The requirement for a certified security expert will increase the cost of compliance, says Borton. “That means a lot more preparation by the security folks,” he says. More testing translates into “a lot more billable hours to our external QSAs,” he adds.

New POS Device Safeguards

The new standards also now require that retailers inventory and protect point-of-sale (PoS) devices—the devices that consumers use to swipe their cards when making purchases. From a compliance point of view, knowing the location of each PoS device is a fairly manageable task, says Borton. “We know which stores are given PoS devices,” he says.

Where the real compliance challenge lies is in the additional requirement that retailers perform periodic on-site inspections in every store where PoS devices are located to inspect them for evidence of tampering and further train their employees at those locations on how to detect and prevent tampering.

For large global retailers, “that's going to be a tremendous task,” says Geiger. “That is the biggest one that merchants need to start now, because it's going to take time to get those procedures in place.”


Even for small- to mid-size companies, such as Cost Plus World Market, that's a tremendous task. “I don't have an information-security person in every store,” says Borton.

Rush Taggart, chief security officer at service provider CardConnect, says many companies don't have the expertise at the store level to conduct such inspections. “How is a sales clerk going to identify physical modifications?” he says. “These are not technical people being asked to verify these devices.”

For companies with large sales forces that use significant numbers of PoS devices, Taggart adds, this requirement is going to prove to be a “tremendous training challenge” in terms of how to achieve this particular compliance task.

Service Provider Duties

PCI DSS 3.0 also includes newly established responsibilities for service providers. Retailers are not the only ones who have access to customers' credit card data in the payment-process chain, explains Geiger. In many cases, retailers turn to service providers to host the servers on which the credit card numbers run, or they are responsible for the back-up of that data, he says.

To address this gap in security, retailers must document which of the more than 200 requirements are managed by each service provider and which are managed by the retailer itself. “That's going to impact our clients quite a bit,” says Geiger, adding that A-lign focuses heavily on the service provider space.

Taggart agrees. “Vendor negotiations are never easy, and this is just going to significantly increase the difficulty of negotiating service provider agreements,” he says.

WHY PCI DSS 3.0?

Below is an excerpt from the PCI Security Standards Council's Infographic on the new PCI DSS 3.0 standard.

PCI DSS 3.0 helps organizations focus on security, not compliance, by making payment security business-as-usual. How?

1. Increased Education and Awareness

Either because of lack of education or policy enforcement, employees leave the door open for attacks by picking weak passwords, clicking on phishing links, or sharing company information on social and public platforms.

Employees directly involved in the payment chain—like cashiers, waiters, and bank tellers—are most often responsible for internal breaches.

By increasing awareness and education across organizations, we can help drive payment security as good business practice.

What's New?

Best practices for implementing security into business-as-usual activities to maintain on-going PCI DSS compliance

Navigating the PCI DSS guidance added for easier understanding of each requirement and security goal

Req. 8.4 – Password education for users

Req. 9.9 – POS security training and education

2. Greater Flexibility

Organizations can implement the password strength that is appropriate for their security strategy.

Greater flexibility recognizes there is more than one way to do security, allowing organizations to choose the approach that works best for their business.

What's New?

Req. 8.2.3 – Allows organizations to implement the password strength that is appropriate for their security strategy

Req. 10.6 – More flexibility to prioritize log reviews based on the organization's risk management strategy

3. Security as a Shared Responsibility

63 percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance.

Many businesses are adopting an outsourced, third-party IT operations model, but this can be a security risk.

As industry leaders, we need to work together to manage risks and keep information secure.

What's New?

Guidance on outsourcing PCI DSS responsibilities

Req. 12.9 – PCI DSS responsibilities for service providers

Source: PCI Security Standards Council.

“As a service provider, these are the changes we need to include in our plan,” adds Taggart. “We're audited by an external firm, so I'm planning on starting next month for the changes, so that I can be ready when our 2014 assessment happens in September.”

PCI DSS 3.0 also prohibits service providers from using the same user ID and password for multiple retailers where they install card-swipe machines. If one retailer's user ID and password are compromised and that retailer suffers a breach, every other retailer sharing those credentials is exposed as well. In fact, several breaches that have occurred over the last year have been the result of such security gaps, experts say.

More Clarifications

Not all of the new standards make compliance more difficult. With earlier versions of PCI, companies were receiving many different answers from security assessors on interpretation of the standards, explains Taggart. “The good news is that they've clarified a lot of the language,” he says.

PCI DSS 3.0 also addresses knowledge gaps by adding clarifications in many areas of the standards on exactly how to comply. “The individuals that are responsible for implementing and performing the controls still aren't fully educated or aware of what they're supposed to be doing,” says Geiger. The new standards include more guidance for them.

The one caveat is that some QSAs have varying opinions as to how the standards will apply to each cardholder environment, says Geiger. As a result, knowing the full effect of the standards will not be possible without first meeting with your QSA and reviewing all the changes to the new standards, he says.

Borton says that with each new version of the PCI standards, he needs to “sit down with my QSA and go through item-by-item on what their strategy is going to be, so they can feel comfortable on signing off the review of my system.” Retailers must also clearly communicate with their QSAs “to know exactly what their expectations are, and then budget for them.”