Payment Card Industry (PCI) Data Security Standard (DSS) 3.0
October 7, 2014
The Payment Card Industry Data Security Standard (PCI DSS) was designed to reinforce cardholder data securityworldwide. Providing a baseline of technology and process control requirements designed to protectcardholder data, the PCI DSS applies to all entities involved in payment card processing (processors, acquirers,issuers, service providers, merchants etc). The PCI DSS is a set of requirements designed to ensure that creditcard information is maintained in a secure environment.
In 2012, the payment card industry experienced gross fraud losses of $11.27 billion, which was up 14.6% over theprevious year. Recent headlines surrounding payment card data losses and targeted security attacks have demanded further evolution of PCI standards and compliance. In the feature that follows, Robert Steadman, VP of Security and Compliance Consulting Services at Herjavec Group highlights the key changes in PCI DSS 3.0 linking compliance and environment agility to ensure your business' security.
PCI DSS 3.0
The next chapter in Payment Card Industry (PCI) compliance is upon us. In January of 2014 the PCI Data Security Standard 3.0 was released and organizations have until 2015 to align themselves with PCI 3.0 requirements. Only version 3.0 will be used for validations in 2015 and onwards therefore Herjavec Group strongly recommends embracing PCI DSS now, in order to address changes required to your business technology environment.
With 3.0, the essence of PCI DSS remains the same, but the standard aims to do three things:
- Address emerging and evolving threats to cardholder data security by clarifying existing requirements;
- Provide additional guidance on how to comply with the standard; and
- Introduce new requirements to bring the standard in line with those emerging threats and changes taking place in the retail cardholder environment.
The updated standards call for integrating card security into business-as-usual activities. A new section in PCI DSS 3.0 titled “Best Practices for Implementing PCI DSS into Business-as-Usual Processes” states:
“PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity’s overall security strategy.”
The business-as-usual integration section highlights the importance of proactive monitoring, timely response, managing changes, and periodic reviews to ensure PCI DSS’s requirements are made part of everyday business operations. There is also increased emphasis for validating that controls are implemented properly, with rigorous testing procedures.
Payment Card Industry (PCI) Data Security Standard (DSS) 3.0
Notable changes include but are not limited to:
- Increased requirements for managing third party suppliers
- Increased point-of-sale terminal security
- More flexibility and education around passwords
- More robust requirements for penetration testing and validating segmentation
- Enhanced testing procedures to clarify the level of validation
- Expanded software development lifecycle security requirements
The new standard has brought policy and procedural changes, including several new sub-requirements that did not exist previously. The following are the new requirements in PCI DSS 3.0 that the PCI SSC has made note of:
Requirements 8.5.1, 9.9, 11.3, 11.3.4, and 12.9 above, as well as web application-specific Requirement 6.5.10 (Broken authentication and session management) will be considered “best practices” to follow by the PCI SSC until July 1, 2015 when they will then be enforced.
Many of the changes in PCI DSS 3.0 impact web application security in some way, with security issues that are closely aligned with the OWASP Top 10 web application security risks. The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments. As the bar for segmentation is raised, point-to-point encryption and tokenization will become more valuable in scope reduction strategies.
Req. 5.1.2 Evaluate evolving malware threats for any systems not considered to be commonly affected
Req. 8.2.3 Combine minimum password complexity and strength requirements into one, and increase flexibility for alternatives
Req. 8.5.1 For service providers with remote access to customer premises, use unique authentication credentials for each customer
Req. 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
Req. 9.3 Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
Req. 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
Req. 11.3 and 11.3.4 Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
Req. 11.5.1 Implement a process to respond to any alerts generated by the change detection mechanism
Req. 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
Req. 12.9 For service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 12.8.2
If you have a strong information security program in place, you’re likely already addressing the new requirements. Herjavec Group is certified to assist with a variety of PCI related initiatives. Herjavec Group is a PCI Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV), with practical experience in the provision of PCI DSS assessment services, as well as implementing and managing PCI remediation initiatives.
The following are the PCI Security Service offerings from Herjavec Group:
- QSA Report on Compliance (ROC) On-Site Audit
- Self-Assessment Questionnaire (SAQ) Preparation and Review
- PCI Cardholder Data Environment (CDE) Scoping
- PCI DSS Controls Gap Analysis
- Authorized Scanning Vendor (ASV) Quarterly External Network Scanning
- Remediation Assistance
We also assist organizations with the following internal requirements to meet and adhere to the PCI DSS:
- Internal Vulnerability Assessment (Quarterly) – identification of vulnerabilities and vulnerability management program
- Annual Penetration Test
- Annual Web Application Review (in the absence of a Web Application Firewall)
- Annual Internal Risk Assessment
Network segmentation solution to minimize PCI scope of assessment
To learn more about our PCI practice or if you have questions relating to your payment environment's security posture, please contact firstname.lastname@example.org.
Robert Steadman is the Vice-President of Security and Compliance Consulting Services with Herjavec Group. He brings over 27 years of experience in IT Risk Management and information security, specializing in enterprise information risk management engagement delivery and payment card industry compliance. Robert’s expertise includes governance risk and compliance (GRC), information security policy and strategic technical assessments. Prior to joining Herjavec Group, Robert earned extensive practical experience leading the security and compliance practices for leading Canadian financial institutions and grocery retail chains.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003, and it quickly became one of North America’s fastest-growing technology companies. Herjavec Group delivers managed security services globally supported by a state-of-the-art, PCI compliant Security Operations Centre (SOC), operated 24/7/365 by certified security professionals. This expertise is coupled with a leadership position across a wide range of functions including consulting, compliance, risk management & incident response. Herjavec Group has offices globally including three headquarters in Toronto (Canada), New York City (USA) and Reading (United Kingdom). For more information, visit www.herjavecgroup.com.
Download the white paper here.