Overview of the main changes between v1.2.1 and v2.0 of the PCI DSS

Prior to its release, the latest version of the PCI DSS sparked debate as to whether it would contain significant changes to the standard.

PCI DSS v2.0 was officially released in October 2010, and it showed that the changes had been made mainly for clarity, to maintain the quality of assessments. There are numerous changes, many of which make the required test procedures more specific. The other main changes to the standard are highlighted below:
  • Scoping;
  • Inclusion of Virtualisation;
  • Storage;
  • Time Synchronisation;
  • Scanning;
  • Wireless and IDS/IPS;
  • Evolving Requirements: Applications.

Each of these areas is broken down below to cover the salient high-level changes to the PCI DSS.

Scoping
As with any PCI DSS assessment, it is important that proper scoping is conducted. Changes have been made to ensure that the scope is clearly defined, with emphasis on the following points:

  1. A requirement to identify all locations and flows of cardholder data;
  2. An explicit requirement for merchants and service providers to identify and document all of those locations and flows annually, before their assessment begins;
  3. Documentation must be retained showing how the PCI DSS scope was determined, together with the scoping results, so that the assessor can review it and accept it as evidence where appropriate;
  4. Consider all locations of stored electronic and physical media containing cardholder data. This should include (but not be limited to) databases, mail order forms, faxes, call recordings, emails, temporary files and log files;
  5. “System components” also include any virtualisation components.

Main impact:
  • Organisations may need to be more proactive and spend more time understanding where cardholder data is processed, stored or transmitted;
  • Expect the QSA to spend more time verifying the scope, specifically the data flows and storage locations;
  • Expect to be asked to present evidence that the controls used to segment the cardholder data environment are adequate, and to prove that testing has been conducted outside that scope to confirm that no cardholder data has leaked beyond it.

Virtualisation
Virtualisation is now officially recognised and therefore all virtualised system components should be reviewed to determine whether they are in scope for PCI DSS. If they are in scope, then the PCI DSS controls will apply depending on the context of the components. For example:

  1. Virtualised servers would require all PCI DSS requirements applicable for servers;
  2. Virtualised firewalls and routers would require all PCI DSS requirements applicable for firewalls and routers;
  3. Virtualised system components would require all PCI DSS requirements applicable for that particular type of system component.

Main impact:
  • Including virtualised system components within the scope should not come as a surprise. If virtualisation technologies have not been included in the scope before, your QSA may spend time reviewing the setup and the corresponding documentation for each such component;
  • Sysnet has always applied the requirements in this manner, so there should be minimal uplift for customers engaged with our QSAs.

Storage
Emphasis has been placed on preventing access to both truncated and hashed versions of the PAN, as well as to the PAN itself. The two are dangerous in combination: truncation reveals up to the first six and last four digits, so only the middle digits are unknown, and an unkeyed hash of the full PAN lets an attacker test every remaining candidate. With simple tools it takes a trivial amount of time and effort to reconstruct the PAN from these two elements.

Review the following:

  1. Implementation of controls to ensure that the hashed and truncated values cannot be correlated to reconstruct the original PAN;
  2. Whether you need to keep both truncated and hashed versions; if you don’t need it, don’t store it.

Main impact:

  • Adding controls may incur additional expense;
  • It may prove difficult to add controls, depending on your implementation;
  • Storage of both versions may currently be by design, and making this change may prove difficult. Further work would be needed to understand the risk and impact of any change.
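The following is an added example, not code from the original page, showing why the two elements combine so easily: with the first six and last four digits known, a 16-digit PAN leaves only six unknown digits, and an unkeyed hash of the full PAN can be checked against every Luhn-valid candidate in seconds. The second hash function shows one control that breaks the correlation, a keyed hash (HMAC) whose key is held away from wherever the truncated values live; that control is this example's suggestion, not something the page prescribes. The card number is the well-known 4111... test value, not a real account, and the function names are this example's own.

```python
"""Added example (not part of the original page): correlating a truncated PAN
with an unkeyed hash of the same PAN, and a keyed hash that breaks the link.

TEST_PAN is the widely used Visa test number, not a real account.
Function names and the secret-key handling are this example's own assumptions.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

TEST_PAN = "4111111111111111"  # constructed/test value, Luhn-valid


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check; real PANs must pass it, which shrinks the search."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits remain."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """SHA-256 of the whole PAN with no secret: anyone can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN: without `key` no candidate can be checked."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, target: str,
                hash_fn: Callable[[str], str] = unkeyed_hash) -> Optional[str]:
    """Enumerate the masked digits (10**6 for a 16-digit PAN), skip Luhn-invalid
    candidates, and stop at the one whose hash equals `target`."""
    first6, last4 = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for digits in itertools.product("0123456789", repeat=masked):
        candidate = first6 + "".join(digits) + last4
        if luhn_valid(candidate) and hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    stored_truncated = truncate(TEST_PAN)
    stored_hash = unkeyed_hash(TEST_PAN)
    print("attacker sees:", stored_truncated, stored_hash[:16] + "...")
    print("recovered    :", recover_pan(stored_truncated, stored_hash))

    # With a keyed hash the attacker can only hash candidates without the key,
    # so the whole search space is exhausted without a match.
    secret = b"example-key-held-in-an-HSM-or-KMS"   # assumed key storage
    stored_keyed = keyed_hash(TEST_PAN, secret)
    print("keyed hash   :", recover_pan(stored_truncated, stored_keyed))
```

The search stops after roughly a hundred thousand candidates for the test value; the Luhn filter removes nine in ten candidates before any hashing is done. Adding a salt that is stored next to the hash does not help, because the attacker can include it in every guess; only a secret the attacker does not have (the HMAC key) removes the ability to test candidates at all.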

Time Synchronisation
Accurate and consistent system clocks are essential for correlating log entries across systems during forensic work. To support this, there must be clear, documented processes for distributing time through the cardholder data environment.

Previously the time synchronisation requirement (10.4) was written around NTP. In v2.0 the references to any particular technology have been removed.

Whatever time synchronisation technology you decide to use, make sure it takes time from industry-accepted sources and that the distribution of time is documented appropriately.

Main impact:

  • Flexibility to use other time synchronisation technologies that may be more suitable for your environment.

Scanning
This is a very important area to consider. PCI DSS requirement 11.2 is now split into sub-requirements that explicitly cover internal (11.2.1) and external (11.2.2) vulnerability scanning, each with its own test procedures. Why? In many cases organisations rely on external vendors to conduct the external scans, and the split suggests that organisations have been getting into trouble when required to demonstrate internal scanning.

Don’t neglect internal scanning. Remember to:
  • Conduct internal testing at least on a quarterly basis;
  • Conduct internal rescans until there is a passing scan, that is, until all “High” risk vulnerabilities (as ranked under requirement 6.2) have been resolved;
  • Document scanning procedures and provide document evidence of the outcome of both internal and external scans.

Main impact:
  • For those who have not been conducting internal scans, start the process as soon as possible. Failure to demonstrate the required internal scanning evidence could jeopardise your next PCI DSS compliance review.

Wireless and IDS/IPS
Organisations should not forget that rogue wireless devices are easy to deploy and therefore pose a significant threat. A few changes have been made:

  • PCI DSS requirement 2.1.1 is split into further test procedures, but something is missing: there is no longer any reference to WPA/WPA2, or indeed to any named wireless technology;
  • PCI DSS requirement 11.1 now lists “physical/logical inspections of system components and infrastructure” among the methods for detecting unauthorised wireless access points;
  • PCI DSS v2.0 requirement 11.4 requires IDS/IPS to monitor all traffic at the perimeter of the cardholder data environment and at critical points within it.

Main impact:
  • Organisations will need to give serious thought to moving to WPA2, or to bolstering their current wireless implementations with enterprise-level authentication (802.1X/EAP) rather than relying on pre-shared keys (PSK). A better position may be to ask “Is sending cardholder data over wireless the best way?” Again, if you don’t need it, don’t use it;
  • Allowing physical/logical inspections of system components gives greater flexibility in meeting the test procedures, especially for small organisations with few resources that may not have the skills to use specialist wireless scanning or IDS/IPS software;
  • Focusing IDS/IPS (including wireless IDS/IPS) on the perimeter and on critical points within the CDE, rather than everywhere, may mean less system management overhead and potentially fewer false positives.

Evolving Requirements
Two additions in PCI DSS v2.0 will keep those involved with software development and patching busy:

  • PCI DSS requirement 6.2 now requires not only a process to identify newly discovered security vulnerabilities but also one that assigns each a risk ranking (for example “High”, “Medium”, “Low”); the note to the requirement suggests that a CVSS base score of 4.0 or above, or a vendor patch rated “critical”, should rank as High;
  • PCI DSS requirement 6.5 has been refined to make clear that the secure coding requirements apply to all applications, not just web applications. Furthermore, 6.5.6 requires that all “High” risk vulnerabilities identified through the new 6.2 risk ranking process are addressed in development. Both changes are best practice until 30 June 2012, after which they become requirements.

Main impact:
  • Organisations must start developing risk ranking processes at the earliest opportunity;
  • The risk ranking could also work in your favour. The ranking supplied by a vendor may not be appropriate within your environment, and a documented environment-specific ranking may allow time for testing and scheduled rollout rather than reactive installation;
  • Organisations will need to spend time demonstrating a proper secure software development lifecycle for all in-scope internally-developed applications.
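The following is an added example, not code from the original page, that ties together the two evidence points above: the quarterly internal (11.2.1) and external (11.2.2) scanning in the Scanning section, where an internal scan only passes once every “High” finding is resolved, and the 6.2 risk ranking here that decides what counts as “High”. It runs over a constructed scan history and reports the quarters a QSA would flag. The “High” rule follows the example criteria in the v2.0 note to 6.2; the Medium/Low boundary, the record layout and all names are this example's own assumptions, and external scans are treated as pass/fail on the ASV's verdict because the ASV, not the merchant, decides that.

```python
"""Added example (not part of the original page): the evidence checks a QSA
asks for under v2.0 requirements 11.2.1/11.2.2 and 6.2, run over a constructed
scan history. Type and function names are this example's own.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Tuple


def risk_rank(cvss_base: float, vendor_severity: str = "") -> str:
    """Requirement 6.2 ranking. 'High' follows the example criteria in the
    v2.0 note (CVSS base 4.0 or above, or a vendor-rated 'critical' patch);
    the Medium/Low boundary is an assumed policy for this example."""
    if cvss_base >= 4.0 or vendor_severity.lower() == "critical":
        return "High"
    return "Medium" if cvss_base >= 2.0 else "Low"


class Scan(NamedTuple):
    when: date
    kind: str                                   # "internal" or "external"
    findings: Tuple[Tuple[float, str], ...]     # (cvss_base, vendor_severity)
    asv_passed: bool = True                     # ASV verdict, external scans only


def scan_passed(scan: Scan) -> bool:
    """External scans pass on the ASV's verdict; internal scans pass (11.2.1)
    only when no finding ranks 'High' under requirement 6.2."""
    if scan.kind == "external":
        return scan.asv_passed
    return not any(risk_rank(c, v) == "High" for c, v in scan.findings)


def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarters_between(start: date, end: date) -> List[str]:
    """Every calendar quarter from start to end inclusive, e.g. ['2011-Q1', ...]."""
    out = []
    y, q = start.year, (start.month - 1) // 3 + 1
    while (y, q) <= (end.year, (end.month - 1) // 3 + 1):
        out.append(f"{y}-Q{q}")
        y, q = (y, q + 1) if q < 4 else (y + 1, 1)
    return out


def scan_gaps(log: List[Scan], start: date, end: date) -> List[Tuple[str, str, str]]:
    """For every quarter in [start, end] and each scan type, report 'missing'
    when no scan ran, or 'no passing scan' when the last scan of the quarter
    still failed (i.e. rescans did not continue until a pass)."""
    by_q: Dict[str, Dict[str, List[Scan]]] = defaultdict(lambda: defaultdict(list))
    for s in log:
        by_q[quarter(s.when)][s.kind].append(s)
    gaps = []
    for q in quarters_between(start, end):
        for kind in ("internal", "external"):
            runs = sorted(by_q[q][kind], key=lambda s: s.when)
            if not runs:
                gaps.append((q, kind, "missing"))
            elif not scan_passed(runs[-1]):
                gaps.append((q, kind, "no passing scan"))
    return gaps


# Constructed sample history (not real data).
SAMPLE_LOG = [
    Scan(date(2011, 1, 12), "external", ()),
    Scan(date(2011, 2, 3),  "internal", ((7.5, "important"), (3.1, ""))),  # High -> fail
    Scan(date(2011, 2, 17), "internal", ((3.1, ""),)),                      # rescan passes
    Scan(date(2011, 4, 5),  "external", ()),
    Scan(date(2011, 5, 9),  "internal", ((2.0, "critical"),)),              # vendor-critical -> High, never rescanned
    Scan(date(2011, 7, 20), "external", (), asv_passed=False),
    Scan(date(2011, 8, 2),  "external", ()),                                # ASV rescan passes
    # no internal scan at all in Q3
]


def sample_gaps() -> List[Tuple[str, str, str]]:
    return scan_gaps(SAMPLE_LOG, date(2011, 1, 1), date(2011, 9, 30))


if __name__ == "__main__":
    for q, kind, problem in sample_gaps():
        print(f"{q} {kind:8s} {problem}")
```

Run stand-alone it flags 2011-Q2 (an internal scan failed on a vendor-critical patch with a low CVSS score and was never rescanned) and 2011-Q3 (no internal scan at all); the Q1 and Q3 external failures are fine because a passing rescan followed within the quarter. The vendor-critical case is the reason 6.2 asks for a ranking process rather than a single CVSS threshold.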

How will v2.0 impact on organisations seeking to attain/retain PCI DSS compliance?
To the relief of most organisations, v2.0 will have minimal impact. The changes have been made for clarity of the test procedures and in recognition of advancing technology and threats. The main points are:

  • Organisations should properly scope where their cardholder data is. It is difficult to secure the data if it is not known where it is;
  • Expect your QSA to spend more time verifying the scope, reviewing the current technologies (which may now be considered not fit for purpose) and gathering evidence.

Will there be future updates to the PCI DSS?
The PCI DSS now follows a three-year life cycle, and the next version should be released around October 2013. The following diagram is taken from the official Lifecycle for Changes to PCI DSS and PA-DSS and shows the phases of the three-year cycle.

Based on PCI DSS v2.0, it is envisaged that the next version will:
  • Further improve scoping guidance;
  • Clarify assessment procedures;
  • Take account of advances in technology as well as threats;
  • Address other areas that cannot yet be foreseen.

Final reminder to organisations
It is imperative that organisations focus on their business processes and not just the technology. All organisations must understand that they are obliged to protect customers’ cardholder data; PCI DSS applies all year round, not just at assessment time.

As technology, standards and regulations advance, organisations must not stand still. All organisations should consider undergoing QSA-led “health-checks” throughout the year to review the impact of change and help them remain PCI DSS compliant.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard governing the processing, storage and transmission of cardholder data. It applies to any organisation that processes, stores or transmits cardholder data; such organisations are classified as merchants or service providers. An important point to note is that the standard is not just an IT compliance standard: it affects all areas of an organisation.

PCI DSS Background
The PCI DSS was first published in December 2004 by the five major card brands (Visa, MasterCard, American Express, Discover and JCB). Ongoing maintenance and updates to the standard are performed by the PCI Security Standards Council (PCI SSC), an independent body formed in 2006 and jointly funded by the participating card brands and participating organisations. The standard is now on its fourth major release, v2.0.

It is important to note that compliance is not a legal requirement; it is driven by the contractual agreements between merchants and their acquiring banks, and those agreements cannot be ignored.

PCI DSS Requirements
The PCI DSS is organised into six control objectives, each containing numbered requirements with their own sub-requirements and test procedures, as follows:

  • Build and Maintain a Secure Network

    1. Install and maintain a firewall configuration to protect cardholder data

    2. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Protect Cardholder Data

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data across open, public networks

  • Maintain a Vulnerability Management Program

    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications

  • Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need-to-know

    8. Assign a unique ID to each person with computer access

    9. Restrict physical access to cardholder data

  • Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

  • Maintain an Information Security Policy

    12. Maintain a policy that addresses information security

Why should an organisation comply with the PCI DSS?
There are a number of benefits to attaining PCI DSS compliance:

  • Provides your customers with assurance that card transactions will be handled securely by your organisation

  • Level 1 service providers who achieve PCI DSS compliance can ask to be added to the Visa and MasterCard lists of approved service providers

  • Avoidance of financial penalties, which fall into two areas:
    1. Non-compliance costs

    2. Data breach costs, which can include:

      o Fines levied by your acquirer for the cardholder data breach

      o Elevation to a level 1 merchant, increasing your ongoing compliance costs

      o The need to have an onsite QSA assessment which will add significant overhead to the demonstration of compliance

      o Consultancy costs for forensic assessments & remediation advice

      o Potential liability for consequential losses due to the card data breach

      o The fines which may be levied for non-compliance are potentially unlimited

Common Misconceptions
The following are common misconceptions in relation to PCI DSS compliance:

  • You can’t fully outsource all your PCI DSS accountability although you can outsource most of the responsibility for the provision of services; remember some areas of the standard will ALWAYS remain in scope.

  • Using a PA-DSS validated application, or a PCI PTS approved PED, does not automatically make your company PCI DSS compliant

  • A PCI DSS assessment/ SAQ completion is just a snap-shot. Compliance with PCI DSS must be maintained at all times, and evidence of this needs to be available

  • PCI DSS is NOT an IT compliance standard, it affects all facets of an organisation


Sysnet Global Solutions attains approved PCI Forensic Investigator (PFI) status

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced that it has attained the status of approved PCI Forensic Investigator (PFI), confirmed by the PCI Security Standards Council (PCI SSC). Sysnet is now listed on the PCI SSC website as an approved PCI Forensic Investigator:
www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

The PCI Security Standards Council’s PFI program establishes and maintains the rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards. The PFI program aims to help simplify and expedite procedures for approving and engaging forensic investigators. The PFI list will replace the previous ‘QFI’ list as of March 1, 2011. After March 1, the card brands will only accept forensic reports from companies that are on the PFI list.

With the growing threat of credit card fraud across the globe and the more aggressive tactics of organised criminal groups, Sysnet is well equipped, should an Account Data Compromise (ADC) occur and an investigation be required, to minimise the potential loss and ensure that the affected organisation is back to trading in a safe, compliant manner as soon as possible.

“This achievement is the result of the cumulative effort of a number of people at Sysnet and we are delighted that we are now on the PFI list,” said Nick Prescot, Senior Consultant of the Data Forensics team at Sysnet Global Solutions. “Whilst we wish that no organisation suffers a data compromise, we can now demonstrate that the Sysnet approach to quality, dedication and thoroughness will ensure that, should the worst happen, the end result will be an organisation that is not only above and beyond the requirements of today’s compliance but also well prepared for the future.”

To help organisations prepare and rehearse for potential account data compromises, Sysnet Global Solutions offers incident management workshops, intelligence briefings on the latest trends, briefings on best practice in securing personal data, guidance on the legal aspects of an investigation, and insurance services, so that organisations are best prepared in the event of a data compromise.

“This is a very important achievement for Sysnet,” said Gabriel Moynagh, General Manager at Sysnet Global Solutions. “Our PFI status complements the extensive range of products and services we currently provide and further increases our ability to assist our clients in protecting vital business information assets.”


For further information on our PFI Consultancy Services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.