As technology continues to advance, it's critical for the security community to respond to the evolving risk to consumer data.
On Tuesday, January 14, I had the opportunity to once again sit on the PCI Dream Team’s eighth online session. During this session, we responded to questions from our participants which covered a broad range of concerns.
We recorded the session, and I invite you to join the conversation and learn alongside us. Please click the image below to access the recording.
I wanted to highlight 4 questions from the session that really resonated with me to give you a sense of what you will hear discussed:
- What is PCI DSS v4 and what is going on with it?
Ben Rothke provided some insight into PCI DSS v4 as part of his introduction to the session. Ben reminded us that all the individuals (and organizations) that received the new version are under a non-disclosure agreement (NDA) and are not allowed to discuss v4 until it is released by the Council. As a result, while we would love to talk about it, we cannot at this time.
- Can CVV2/CVC2/CID2 be kept in a system’s memory and if so, are there PCI compliance implications?
Art (Coop) Cooper started the discussion reminding people of the first PCI Community Meeting and explained that pre-authorization data is still required to be protected the same as post-authorization data. The change between those two states is what is allowed to be permanently stored. Art went on to clarify that card validation code can be stored in memory while processing, but that it has to be secured.
David Mundhenk added that people should review the requirements in the PA-DSS standard in regards to how to protect data in memory and then how to securely delete it once the transaction has been processed.
I had written a post on the subject almost two years ago regarding pre-authorization data.
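To make the point about validation codes concrete, here is an added example (my own illustration, not code from the session, the panelists or any PCI standard) of holding a CVV2 in memory only for the authorization and overwriting it afterwards, while the record that survives keeps only post-authorization fields. The processor call and the `authorize`/`wipe` helpers are hypothetical.

```python
# Added example: a card validation code (CVV2/CVC2/CID2) is used for the
# authorization and then wiped in place. A bytearray is used because Python
# str objects are immutable and cannot be overwritten; any copies made by a
# real processor SDK would need the same treatment.
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class AuthResult:
    """What may be retained after authorization: no validation code field."""
    approved: bool
    auth_code: str
    pan_truncated: str  # first six / last four only


def _mock_processor(pan: str, cvv: bytearray) -> tuple[bool, str]:
    """Constructed stand-in for the processor; approves a 3 or 4 digit code."""
    ok = cvv.isdigit() and len(cvv) in (3, 4)
    code = hashlib.sha256(pan.encode() + cvv).hexdigest()[:6].upper()
    return ok, code


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place so the SAD does not linger in memory."""
    for i in range(len(buf)):
        buf[i] = 0


def authorize(pan: str, cvv: bytearray) -> AuthResult:
    """Use the validation code for the authorization, then wipe it.

    The wipe runs in `finally` so the code is cleared even if the processor
    call raises; the returned record carries only permitted data.
    """
    try:
        approved, code = _mock_processor(pan, cvv)
    finally:
        wipe(cvv)
    return AuthResult(approved, code, f"{pan[:6]}******{pan[-4:]}")


if __name__ == "__main__":
    buf = bytearray(b"123")                      # constructed sample CVV2
    result = authorize("4111111111111111", buf)  # constructed test PAN
    print(result, bytes(buf))                    # buffer is now all zeros
```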
- Are natural language processing (NLP) solutions used by voice over IP (VoIP) in scope for PCI compliance even though that technology is not discussed in the information supplement published last year?
I took this one as I worked on the VoIP information supplement last year. NLP solutions are in scope for PCI compliance if they directly or indirectly come into contact with sensitive authentication data (SAD) or cardholder data (CHD). That would particularly be the case for call center environments where card payments are taken.
Just because a specific technology is not explicitly called out in the PCI DSS or any other PCI standard does not mean it is out of scope for PCI compliance. You must follow the sensitive authentication data (SAD) and cardholder data (CHD) flows to determine PCI scope. If any device or technology directly connects to those flows, it is by definition in scope for PCI compliance. No exceptions.
Coop reminded people that even when solutions are “connected to” any system in the cardholder data environment (CDE), all of those connected to systems are also in-scope for the PCI assessment and are required to be PCI compliant.
- When using a P2PE validated solution, is the LAN and devices between the point of interaction (POI) and the payment processor in-scope for PCI compliance?
Coop took this one as he was involved in the development and training for the P2PE program. The LAN and the devices connected to it between the POI and the payment processor are not in scope. That is the whole point of a P2PE solution: to reduce the merchant's scope to the POI.
But Coop reminded everyone that while scope gets radically reduced, the requirements in 9.9 regarding the security and safety of the POI become very important because that device is where attackers will focus and it is imperative that merchants properly manage, inspect and control those devices.
It is always a great time to get together with my colleagues and do these sessions. If you have any questions that were not able to be answered at this session, or about PCI in general, it would be my pleasure to hear from you.
Our next PCI Dream Team session is a live session at the Secure360 conference in May, 2020 at Mystic Lake Casino near the Twin Cities of Minnesota. We look forward to meeting all of you that can attend that live session. Our previous live session at the (ISC)2 Conference last fall was a good time with a lot of great questions from the participants.
-Jeff Hall is a Senior Consultant with Online Business Systems’ Cybersecurity practice.