Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) is due to be published on Nov. 7.
That may send shivers down your spine, but the reality is, as technology advances and threats evolve, payment security requirements need tweaking.
First things first: Don't panic. Merchants won't have to start validating compliance with the updated standard until Jan. 1, 2015. However, if you're going to be ready by then, it's a wise idea to start getting a handle on the changes now.
While I love how PCI DSS has forced organizations to more aggressively consider data security as part of their day-to-day operations, I also recognize how the standard can sometimes be confusing and overwhelming - especially when there are changes.
Our job at Trustwave is to make the transition to version 3.0 easier on you. That is why, based on conversations with and "Change Highlights" documentation provided by the PCI Security Standards Council, I complied eight of the most important changes (both general and more specific) that I expect we'll see in the forthcoming version.
Nothing, of course, is official until the updated standard is published, but I believe becoming familiar with these eight things will make your migration to PCI DSS 3.0 less stressful and more manageable.
1) PCI compliance is an everyday thing.
Organizations often struggle to maintain compliance obligations due to senior management wanting to keep these costs as low as possible. This results in a check-the-box mentality that focuses on achieving compliance only at a given point in time. The updated requirements are expected to introduce "business as usual" guidance, meaning senior management will be responsible for ensuring someone is maintaining PCI controls and obligations at all times.
2) Temporary employees need training as well.
Expect PCI DSS version 3.0 to extend security awareness training requirements to temporary workers, in addition to permanent staff. This will have a large impact on industries such as retail or where any temporary workforce interacts with systems that are connected to the cardholder data environment (CDE). Merchants tend to increase their temporary workforce at peak periods like Christmas and Easter. Plan accordingly.
3) The term "isolation" offers hope for reducing scope.
Due to industry challenges around the definition of a cardholder data environment (CDE), the standard's scoping guidance likely will be improved and tightened. By the requirements emphasizing the word "isolation," qualified security assessors (QSAs) will be able to provide the required level of guidance when defining a CDE. In addition, I believe there will be a requirement to provide assurance of isolation of the CDE in version 3.0 audits. This will require a penetration test of the complete CDE boundary and will include security systems and devices that live outside of the CDE network boundary.
4) Get to know your service provider.
One of the current challenges with merchants outsourcing their payment systems is the lack of contractual terms that clearly cover responsibility and liability of data during the engagement. The new version of the PCI DSS will likely include language that all new contracts must clearly state that the service provider understands their responsibility for card data when it is in their possession. They will also have to affirm that they are responsible for maintaining compliance to PCI DSS standards for the term of the contract.
The protection of data is the goal of PCI DSS, but encryption can only take you so far. Your data is only protected if you are protecting the encryption keys in the required manner. There are many different industry standards, including NIST, PCI-PTS, SANS, which you can use to ensure you are safeguarding and managing encryption keys in the required manner. Expect the updated standard to tighten the rules around key management.
6) If you outsource e-commerce payment processing, you still need to do PCI.
Currently an e-commerce website that redirects a customer's computer to a third-party service provider for payment processing is not within scope of a PCI assessment. This is because the website itself does not store, process or transmit card data. But criminals still can compromise these sites and instruct the victim's computer to send payment data to them, as well as the third-party provider. As a result, 3.0 is expected to bring these sites into scope as well, meaning these e-commerce merchants will be required to implement security controls on all of their web servers.
7) Service providers must use unique access credentials for each customer.
Service providers that have access into their customer's cardholder data environment (CDE) traditionally have not applied and used unique credentials to support and access these environments. As a result, if a cybercriminal hacks a service provider, they can search the compromised website for known customers or scan blocks of the internet to look for similar remote access markers. Crooks want the biggest payoff for the least amount of effort. Expect version 3.0 to ensure service providers are using unique credentials for each customer they serve.
8) Penetration testing becomes even more important.
Pen testing provides assurance that networks are secure, in addition to the applications and the data contained within them. The next version of PCI DSS should greatly improve the quality of the pen testing that is required to be performed. As it stands now, the internal pen testing that is required does not need to follow an industry methodology, such as NIST, OWASP, etc., and the person carrying out the test is not required to be industry certified and have the correct level of independence. That will change. In addition, the cardholder data environment (CDE) will be required to be pen tested.
Michael Aminzade is director of compliance delivery - EMEA/APAC - at Trustwave.
