PCI DSS Version 3.0: New Standard But Same Problems?


"Cardholder data has been a target for offenders. Deficiency of awareness and education around payment protection and poor execution and maintenance of this PCI Standards contributes to several of the safety breaches occurring now" PCI SSC'PCI DSS 3.0 Change Highlights' - August 2013
Card info theft remains occurring so the third revision of the PCI Data Security Standard is just as much a re-launch as a revamp.
Most organizations - Level 1 Merchants - have yet to fully implement all the requirements of the PCI DSS V2 or past variations of their conventional, so eyes might be rolling in a brand new variant of a standard that hasn't been mastered at its previous variants.
This brand new variant is much more about refinement and caution than any debut of new procedures or technology to help safeguard against card information theft, however while reductions via card fraud remains still on the rise, it's apparent that something needs to change.
How big is your issue?
Concerning the losses being experienced, it is possible to see why card manufacturers, banks and issuers could continue to be desperate for superior attention and care to be applied for their own card numbers. $11Billion was dropped annually and that sum is rising yearly. Bearing in mind the entire worth of card payment transactions currently surpasses $21 Trillion yearly, there's still lots of money being created in the supply of rapid guaranteed payment solutions. But any initiative which reduces which $11 Billion reduction is worthy of time and attention.
"Card issuer losses occur mostly in the point of purchase from fraudulent cards. Issuers keep the fraud reduction should they provide retailers authorization to take the payment. Merchant and acquirer losses occur mostly on card-not-present (CNP) transactions on the Internet, in a call centre, or via mail order"
PCI compliance is not only a card-brand issue that contributes to your business having to devote money and time on, but is a means to safeguard your business directly from severe risk. This is not merely a monetary risk either: additional aspects like brand protection and client trust will also be lost when a violation occurs.

PCI DSS Version 3.0 - Stick or Twist?

The newest version of the PCI DSS is not available until early next month this is an early show of what's an extensive re-working of this standard. The majority of the requirements are performed with a few improvements and tweaks that are covered later but there's also a level of refinement from the spotlight during the standard.
The general intention is that the standard intends to promote considering safety of cardholder data instead of just driving compliance with the standard.The Security Standards Council are, of course, enthusiastic that safety best practices are embraced and practiced as a matter of routine instead of simply as a'once-a-year, big-push-to-keep-an-auditor-happy' occasion - like anybody would do so? J
New objects will be regarded as"best practices" before June 2015, and they will get official requirements. What's more, any firm compliant with PCI DSS 2.0 will stay until January 2015 before embracing the new variant of the DSS.
What's Seen in PCI DSS V3?
What exactly are the particular modifications or new demands? You will find wording changes around to promote more regular concentrate on the PCI DSS needs, however there are a number of detail modifications and clarifying language which we are able to emphasize here.

Requirement 2: Vulnerability Management and Hardening

Requirement 2 has resisted the requirement to Wipe host, EPOS, and system device configurations, eliminating default configurations as a minimal, however inviting the adoption of a NIST or CIS hardening checklist. Detail changes for Version 3 create pass phrases suitable. Pass phrases create a fantastic choice for long, complicated passwords, being simpler to handle and keep in mind, but with equal security protection. Hardening, vulnerability management and configuration management is just one of those NNT'powerful hands', and much more detail can be found on our site.
Requirement 6: Build Secure Software
6.5.6 - Insecure Handling of PAN and SAD in Memory
Much like using Buffer Overflow Protection and SQL Injection Attack mitigation, this can be a charm for program designers to maintain their guard. This condition is aimed especially at protecting against memory scratching malware, and also to style in security features to ensure CHD and Safe Authentication Data is shielded.
The telephone would be to take a step back and think about using programmatic characteristics that prevent unauthorized programs from accessing memory (some development environments are much better than others with this). What occurs to CHD or SAD in a program crash?(Many attacks take the kind of disturbance to the program so as to make it'cough up' or ditch data). Where you can, can the program completely erase information when no longer needed?
Quite simply, this is partially an program development challenge (consequently becoming a Requirement 6 thing ) but also a malware security issue also. An attacker will require a Trojan or other Malware to scratch memory, so low level FIM may play a role in underwriting coded-protection. In conclusion, prepare for some harder questions from the QSA, so request your EPoS/eCommerce program suppliers or in house development group today that which they make of the requirement. Potentially this may also end up being a challenging need for a QSA to confirm.

6.5.11 - Broken Authentication and Session Management

The detail of the new requirement is apparently asking retailers to mitigate the threat involved in client-side takeovers: suppose that trusted customers could become attack vectors. Client-side strikes are among the most frequent ways hackers gain access to info as well as, hackers may go to the weakest link. The need also plans to place concentrate on man-in-the-middle fashion attacks too.
Lately there's also a proposal that retailers using re-directed services (such as Worldpay for example) may also should test their program session management functionality for vulnerabilities.
Mostly that is a program design problem (Requirement 6 prefix is a giveaway J ). It highlights that a common'vulnerability ' operational' equilibrium that's tolerated by programmers because execution could create user experiences that are jeopardized. By way of instance, it isn't likely to improve earnings from a retail website if, when a client leaves their shopping cart pre-checkout momentarily, they return to a"session timeout" message. OWASP knowledgebase is the go-to source for growth mitigation.
Requirement 8: Always Use Specific User IDs

8.5.1 - Specific Authentication Credentials for Service Providers

Conventional security best practices inside and out the PCI DSS are to constantly utilize unique access qualifications for EVERYTHING so that you understand who's the perpetrator if something untoward occurs. It is only normal, fantastic practice.
No matter how the demand for this to be highlighted as a necessity indicates that service providers require a reminder that this does apply to them also. Most service providers will be working securely however they still should take the exact same standard precautions and be certain they're utilizing unique credentials (rather than only'customername+administrator as a username either !)
Requirement 9: Physical Security
9.9 - Security of Point-of-Sale (POS) Devices in Tampering
According to cardholder data theft data, card skimming and much more elaborate variations thereof targeted on the POS gear continue to be prevalent.Here really is the ying to the yang of their formerly covered, highly specialized prerequisites, reminding Merchants that'low tech' crime still functions also.
Requirement 9 has ever been intended to communicate the concept of'do not let anybody touch some of those cardholder information processing equipment'. The Version 3 clarification here expressly highlights security of endpoints, resulting in the conclusion that Requirement 9 has been translated as -rightly - being oriented towards the'central website' data centre, however at the cost of focus on POS systems.
Requirement 11: Test Security

11.3 Create and Implement a Methodology for Penetration Testing

That is just another'new' condition that exists to highlight focus on a few of the normal practices which everybody already complies with, but perhaps does not do it and they may. A classic instance of fulfilling the correspondence, but perhaps not the soul, of the necessity.
It seems that the marketplace for Pen Testing is becoming highly commoditized with many sellers offering cost-engineered, highly-automated services.This inevitably has resulted in evaluations getting more shallow (much more'checkbox way of compliance') so this new demand is a'tug on the leash', forcing the retailer to prevent bad habits and corner-cutting.
That is something quite crucial into the NNT methodology anyhow, we urge that classic Safety Best Practices are worked, which then help minimize the'boom and bust' way of vulnerability management the PCI DSS sometimes engenders.
By way of instance, conducting yearly or quarterly scans, then needing to drop everything for a week so as to spot and re-configure apparatus before repeating the procedure 3 weeks afterwards not just makes life challenging, but might also leave you unsecure for weeks at a time. NNT functions on a constant basis to continuously monitor changes to apparatus and permit you to run more of a'trimming' procedure to vulnerability management. This strategy is much more successful, gentler on the hosts and network, and easier on your tools too!
Requirement 12: Maintain a Safety Policy

12.9 - Added Requirement for Service Providers on Data Security

And lastly, a clarification of Requirement 12 regarding Using Cloud or Managed Security Services. The purpose is to make sure that service suppliers correctly comprehend and operate their own PCI needs entirely. The DSS puts the onus on the retailer to guarantee they have a statement acknowledging this and, subsequently, Merchants ought to be indemnified of cardholder information security by their own service provider.


In short, while there are new demands, some of which might prove to be hard to execute and examine, nothing changes concerning intent.
Data safety needs to be a fulltime attention, requiring high levels of operational subject, together with checks and balances to guarantee safety has been preserved. The PCI DSS tries to communicate this, however, has constantly fallen prey to the requirement to educate, describe and mandate safety best practices. Data Security is not a simple matter to describe or outline, therefore the DSS has finished up using 650 sub-requirements the Merchant or Transaction Processor find complicated and ambiguous.
Technology helps, and also the opportunity exists to employ highly automated solutions into the majority of PCI requirements which are neither expensive, nor challenging, to execute and run.
Plus this brand new version of the DSS, with increased emphasis on making safety a normal habit, is squarely in accord with this. In Reality, you can simplify the Vast Majority of those PCI DSS down to the next measures:
Employ basic midsize and endpoint safety with Firewalls, IPS and Anti-Virus
Audit Servers, Databases and Network Devices from NIST or CIS hardening checklists to {eliminate|get rid of} vulnerabilities (utilize your FIM system with this)
Once devices are hardened, implement constant vulnerability tracking, with real time malware detection (in other words, real-time File Integrity Monitoring)
Instigate configuration switch control to make sure apparatus remain protected at all times (FIM again), patch all systems yearly
Underpin procedures with logging and SIEM as a checks and balances audit trail, together with routine pencil testing and ASV vulnerability scans

Take these measures, and you will not only be ahead of the curve for PCI DSS Version 3.0, however likely Version 4.0 too.