The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions, and service providers.
The new version will go into effect on Jan. 1, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015.
The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That’s partly because there have been many cases of merchants and payment processors that suffered significant cardholder data breaches despite having passed PCI DSS compliance assessments.
The PCI Security Standards Council recognized this problem and included a set of best practices in the new version of the standard that aims to make PCI DSS implementation part of business-as-usual activities and ensure that organizations involved in payment card processing remain compliant between annual assessments.
These practices include:
- the continuous monitoring of firewalls, intrusion detection systems, antivirus products and access controls to ensure they operate as intended;
- ensuring that security control failures are detected and remediated in a timely manner;
- reviewing how planned changes to the environment like the addition of new systems or modification of existing system and network configurations impact the scope of PCI DSS and updating the security controls as needed;
- reviewing how organizational changes like acquisitions or mergers impact the PCI DSS scope; reviewing at least once a year if used hardware and software technologies are still supported by their vendors and;
- implementing separation of duties for personnel in charge of security and those responsible for operations so that no single individual has control over an entire process without independent checks.
“Periodic reviews and communications should be performed to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes,” the standard says. “These periodic reviews should cover all facilities and locations, including retail outlets, data centers, etc., and include reviewing system components (or samples of system components), to verify that PCI DSS requirements continue to be in place—for example, configuration standards have been applied, patches and AV are up to date, audit logs are being reviewed, and so on.”
While welcome, these recommendations don’t extend or replace existing PCI DSS requirements, so organizations are not actually required to follow them in order to achieve PCI DSS compliance.
This continuous monitoring and review of PCI DSS security controls as part of business-as-usual activities should be a requirement today, because that’s the only way to achieve good security, said Steve Hall, director of PCI solutions at security firm Tripwire. Hall believes that the presence of these best practices in PCI DSS 3.0 is laying the groundwork for requirements in future versions of the standard.
While PCI DSS 3.0 adds a number of new requirements, some of them that could help prevent common attack methods used today won’t go into effect until July 2015 and will be treated as “best practices” in the meantime.
For example, requirement 6.5.10 says that companies should examine their software development procedures to make sure that broken authentication and session management processes are addressed in their internal and external Web applications by flagging session cookies as “secure,” by not exposing session IDs in URLs, and by incorporating time-outs and rotation of session IDs after successful authentication.
These are already common security practices for websites and have been for a while, so it’s not clear why payment card organizations need a grace period of more than one year-and-a-half to implement them.
Another new requirement (8.5.1) says that service providers who have remote access to customer systems in order to provide technical support for point-of-sale systems or servers must use unique authentication credentials for each customer. This requirement will also go into effect in July 2015, despite the fact that there have already been many cases where PoS systems were compromised by attackers because their administrators used easy-to-guess passwords for remote access.
Outsourcing IT is a security risk
In an infographic accompanying the PCI DSS 3.0 release, the PCI Security Standards Council warned that many businesses outsource their IT operations and this can be a security risk. “Sixty-three percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance,” the council said.
The new version of the standard adds guidance on outsourcing PCI DSS responsibilities and includes a requirement—12.9—that says a service provider must “acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.” This requirement also comes with a grace period until July 2015.
The same situation applies for requirement 9.9.x, which says that companies must protect devices that interact physically with payment cards, like point-of-sale systems, from tampering and substitution: Companies should “periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).”
There have been many cases in the past few years of attackers tampering with or completely replacing POS devices in stores and supermarkets to steal credit card data.
Another requirement that won’t go into effect until July 2015 has to do with penetration testing strategies, which are generally important for any organizations that want to identify potential weaknesses in their infrastructure.
This requirement, called 11.3, says that companies should implement a methodology for penetration testing that is based on industry-accepted approaches, covering the entire perimeter and critical systems of the cardholder data environment, including testing from both inside and outside the network covering both network-layer and application-layer vulnerabilities, and taking into consideration the threats and vulnerabilities that appeared in the past 12 months.
Hall said he understands that some merchants need time to put these processes in place. However, companies should be vigilant and start implementing these requirements now, despite the grace period, he said. “They should not give attackers time to become even more sophisticated.”
PCI DSS barely scratches the surface and is meant to provide a bare minimum of security controls, Hall said. PCI compliance should be used as leverage to obtain a larger security budget, but shouldn’t become a company’s sole security strategy, he said.
“There will obviously be some companies that will only do what’s required under PCI DSS, and I say, shame on them,” he said.
“Whatever your opinion, the new PCI DSS 3.0 appears to be moving from a security check box posture to a more holistic risk management approach,” said Bernard Zelmans, general manager for EMEA at security management firm FireMon, via email. “This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions of PCI.”
Michael Aminzade, director of delivery for EMEA & APAC at security firm Trustwave, believes that overall the council made some excellent improvements to PCI DSS, but that the standard is still lacking in some areas.
“PCI DSS 3.0 does not include any changes surrounding mobile security,” he said via email. “Merchants are struggling with how to protect mobile payment solutions and integrating mobile devices into their organizations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security.”