PCI DSS 3.0 Coming Soon – The Sooner you Fall Behind, the More Time you Have to Catch up

Posted by Steve Levinson on Aug 16, 2013 12:18:32 PM

Anyone who has had the pleasure (or displeasure, depending on your perspective) of dealing with PCI (Payment Card Industry) compliance is most likely aware that the next version of the PCI Data Security Standard (DSS) will be released in November. The PCI Council has begun the “socialization” process by issuing a press release that describes the upcoming changes at a high level.

We will continue to keep you abreast of these changes as the details pertaining to the new version of the standard trickle out over the next couple of months, with the draft version being released at the upcoming PCI Community Meetings and the final version being released in November. It is important to understand that the new version of the PCI DSS will not be effective until January 1, 2014, and that you will have the luxury of choice in 2014 (next year) to be assessed against either version (2.0 or 3.0) of the standard. This is not an excuse to put off preparation for the 3.0 version as it will be required for everyone starting in 2015. Many of the changes were long overdue, and I’ve been blogging about them for quite some time.

What to expect?

Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance: This should be a no-brainer but, over the years, I have seen dozens of companies do the “mad dash to the finish line to stand up what ultimately is a western façade.” While PCI assessments are a snapshot in time, your compliance should be a bit more omnipresent. Make sure that whatever processes you implement to meet and maintain compliance are ones that you can live with every day and not just something you’re doing to appease your QSA.

Security policy and operational procedures built into each requirement: I don’t know about you, but I am so happy to see this change. By the time you get to section 12 in the RoC, you’re thinking, “but… I’ve already written about this…” and frankly, at the end of the day, security and governance (and PCI compliance) are led by strong policies and procedures that trickle down to almost all requirements within the PCI DSS.

Security policy and operational procedures built into each requirement – more: This ALSO means that you will need to better understand the responsibilities of your service providers with whom you share cardholder data. This has always been a slippery slope in the PCI world, to understand exactly where your lines of demarcation ought to be, and it is going to be even more critical in the future, especially with the exponential increase of nimble solution providers in the cloud and virtual space. Be prepared to ratchet up your Third Party Provider management/monitoring program.

Guidance for all requirements with content from Navigating PCI DSS Guide / Enhanced testing procedures to clarify the level of validation expected for each requirement: It was very helpful when the PCI Council released the RoC Reporting Instructions in 2011 as it gave QSAs, and assessed entities alike, the marching orders and level of detail expected in the RoC. The problem was that the RoC reporting instructions did not necessarily completely align with the Testing Requirements. I am hoping that there will be a good marriage between these two elements to improve consistency and to help clarify expectations.

Increased flexibility and education around password strength and complexity: Nice to see the flexibility added here. I’d rather put my money on the entropy of a long alphabetic password (such as “imgladidonthavetorememberthis”) than a 7-digit complex password, since technically speaking, a password cracking tool with enough computing power could defeat a shorter password in much less time. I’ve blogged about this in the past as well. Keep in mind that machines/applications that don’t have to type a password ought to use long pass phrases and that accounts with higher value ought to use stronger passwords than accounts with no or minimal privileges.

New requirements for point-of-sale terminal security: Most likely these changes are a result of the several merchant breaches (small/mid-sized grocery stores) from earlier this year. Undoubtedly it will include some details about physical security, such as making sure you have a process in place for chain of custody of your POS equipment and for inspecting it for signs of tampering. This is not earth-shattering news. It can also include more detailed requirements to ensure that merchants are installing their POS systems in both a PCI compliant and a PA-DSS compliant manner (if PA-DSS is not applicable, then it should be in the spirit of PA-DSS).

More robust requirements for penetration testing and validating segmentation: I look forward to additional guidance here as I’ve seen many different pen testers with different approaches. Do you run an authenticated pen test? For internal pen testing, where do you “drop in” to perform the pen test? If there is HIPS in place, should you also perform a “shields down” pen test? PCICo has mentioned that network-based pen testing will include requirements to validate that segmentation (if implemented) is effective. This is something that we’ve been preaching for quite some time.

Considerations for cardholder data in memory: This aligns with the POS security fine-tuning – many merchants have taken great strides to remove stored cardholder data from their retail locations and they’ve been lulled into a false sense of security, thinking that they are secure because the only place where cardholder data potentially exists is in the memory of the POS systems. The clear and imminent threat to this is that the bad guys have created some pretty robust tools that can quickly and stealthily capture CHD in memory on POS systems and ultimately send that data to nefarious sites. The Schnucks breach earlier this year went to prove that even CHD in memory is not safe.

What to do next?

Discuss with your peers, your QSA, your consultants, your friends (OK, maybe not your friends, they probably will get swirlies in their eyes if you bring this stuff up). Figure out which areas you may need to bolster up. Which of these upcoming changes causes you the most concern? Undoubtedly there will be many discussions about these changes in the next few months and there will be additional press releases, webinars, and of course, the upcoming PCI Community Meeting (where I hope to see you!).
