The Payment Card Industry Data Security Standard (PCI DSS), the industry security standard for credit and debit cards, has come under criticism for not preventing megabreaches that have plagued retailers over the last few years, such as Target, Home Depot, Kmart, T.J. Maxx, Marshalls, and most recently, Vera Bradley, to name just a few.
Many of these same retailers had passed a PCI DSS audit before the breaches occurred. Much of the criticism of the standard has focused on the concern that companies spend time and resources on passing the PCI DSS audit rather than on improving credit and debit card data security over the long term. After the audit, many companies let down their guard and fail to maintain their improved security posture.
To address gaps in the standard, the PCI Security Standards Council is overhauling the PCI DSS with its latest version.
The changes proposed in PCI DSS version 3.2 (v3.2) will become mandatory as of Feb. 1, 2018. Until then, they are considered “best practices” by the PCI Security Standards Council. The previous version, PCI DSS v3.1, was retired on Oct. 31, 2016, and all assessments after that date will need to use v3.2.
Companies that fail to meet the new requirements could face fines, increased fees, and even a prohibition on processing credit and debit cards.
Of particular interest to companies that handle credit card data, PCI DSS v3.2 requires that administrators use multi-factor authentication, meaning two or more independent authentication factors, to access card data and systems. The three types of factors are something you know, such as a password; something you have, such as a token; and something you are, such as biometrics. PCI DSS already requires multi-factor authentication for remote access to card data; v3.2 extends the requirement to administrative access from within the internal network.
Troy Leach, chief technology officer at the PCI Security Standards Council, recommends that companies “review how they are currently managing authentication into their cardholder data environment, and review the current administrator roles and access to identify where changes to authentication may likely be impacted by the new requirement.”
Leach explained that PCI DSS v3.2 also incorporates “designated entities supplemental validation,” which is a set of criteria for companies to maintain strong credit and debit card payment security. These criteria include “effective compliance program oversight; proper scoping of an environment; and ensuring effective mechanisms are in place to detect and alert on failures in critical security controls.”
In addition, companies will be required to ensure that security controls are in place following any change in their cardholder data environment, and service providers will be required to conduct penetration testing on segmentation controls every six months. “The focus is on establishing ongoing security processes to prevent, detect and respond to attacks that can lead to data loss,” Leach said. He noted that the new standard will provide organizations with a chance to reevaluate their existing security procedures “and whether they should make adjustments prior to applying the new requirements.”
Continuous improvement standard
In a recent report on the PCI DSS v3.2 changes, market research firm Gartner noted that PCI DSS is “evolving from a standard that is updated every three years to one that is subject to continuous improvement, forcing complying organizations to implement PCI compliance controls and change management as part of business as usual, rather than as a special project.”
To handle this shift in the PCI DSS process, Gartner recommended that companies build a strong change management process and deploy network security policy management products to automate the change management processes.
Companies should centrally monitor alerts for critical security control systems so that they can respond to issues in a timely manner using tools such as network security policy management products.
For service providers, PCI DSS v3.2 requires them to comply with new requirements for detection and reporting practices, cryptographic architecture documentation, penetration testing, and executive responsibility for cardholder protection. Security personnel at service providers will need to use strong key management for encrypted cardholder data and best practices to handle critical security control system failures, Gartner stressed.
Overall, Gartner recommended “that instead of a goal-led approach to PCI DSS compliance, a systems-led approach is adopted, moving implementation of security controls away from a project-based approach into a day-to-day application, systems and security operations.”
Network security best practices
In a recent white paper, network security policy management vendor Tufin identified seven network security best practices to help companies meet the PCI DSS v3.2 requirements:
- Create a clear separation with proper network segmentation of PCI data and applications within the network
- Ensure that an enterprise-wide network change workflow process is in place that meets PCI DSS requirements
- Certify that every network change has a complete audit trail
- Validate every network change by analyzing it for risk, obtaining approval from the business owner, and ensuring it is implemented according to a PCI-compatible network change workflow
- Check that firewalls protecting PCI zones follow four guidelines: every rule has a comment, every rule is logged, no rule permits risky services, and unused rules are deleted
- Make certain that every firewall rule and cloud security group is properly documented with the business justification, business owner, and application name
- Arrange for firewall and cloud security group logs to be retained for at least a year
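A small audit of a firewall rule set against the four guidelines for PCI-zone firewalls listed above, as an added example that is not from Tufin's white paper or the article; the rule fields, the RISKY_SERVICES set and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of services a reviewer would flag when allowed across a PCI zone boundary.
RISKY_SERVICES = {"telnet", "ftp", "tftp", "smb", "any"}

@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    service: str
    action: str          # "allow" or "deny"
    comment: str = ""    # business justification; guideline: every rule has a comment
    log: bool = False    # guideline: every rule is logged
    hit_count: int = 0   # matches since last review, from the firewall's counters (constructed)

def audit_rules(rules: List[Rule]) -> Dict[str, List[str]]:
    """Return {rule_id: [issues]} for rules violating any of the four guidelines."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        issues = []
        if not r.comment.strip():
            issues.append("missing comment")
        if not r.log:
            issues.append("logging disabled")
        if r.action == "allow" and r.service.lower() in RISKY_SERVICES:
            issues.append(f"risky service allowed: {r.service}")
        if r.hit_count == 0:
            issues.append("unused rule (zero hits); candidate for deletion")
        if issues:
            findings[r.rule_id] = issues
    return findings

# Constructed sample rule set for a PCI zone boundary.
SAMPLE_RULES = [
    Rule("R1", "corp-admins", "pci-db", "ssh", "allow", "DBA access, owner: DBA team", True, 412),
    Rule("R2", "any", "pci-web", "telnet", "allow", "", False, 35),
    Rule("R3", "pci-web", "pci-db", "mysql", "allow", "app tier to db tier", True, 0),
    Rule("R4", "any", "pci-db", "any", "deny", "default deny, logged", True, 9001),
]

if __name__ == "__main__":
    for rule_id, issues in audit_rules(SAMPLE_RULES).items():
        print(f"{rule_id}: {'; '.join(issues)}")
```

The deny rule R4 is not flagged for its "any" service because only permitted risky services cross the zone boundary; the zero-hit check uses counters exported since the last review, so a freshly added rule should be reviewed against its creation date before deletion.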
“If IT managers and PCI internal auditors do it right, their work on PCI compliance can also be a springboard for their organization into continuous network security and more effective work processes,” the white paper observed.
The PCI Security Standards Council is hoping that beefing up authentication requirements for accessing cardholder data, making compliance an ongoing exercise, and strengthening mandates for service providers will prevent breaches in the future.
Whether these changes are enough to stem the flood of credit and debit card data breaches remains to be seen. More likely, the glut of stolen credit and debit card numbers on the black market will drive down their price and make them a less attractive target for cybercriminals.
Photo credit: Mike Mozart