Payment Card Industry Data Security Standard (PCI DSS) guidelines are often seen as just another mandatory checklist to be ticked off; PCI DSS 3.0 sets out to change that. The PCI Security Standards Council (PCI SSC) has taken a significant step towards making security and compliance an integral part of an organization's business. PCI SSC released version 3.0 of PCI DSS and of the Payment Application Data Security Standard (PA-DSS), which marked the start of the latest three-year compliance cycle for everyone dealing with card data, vendors as well as payment processors.
About PCI 3.0
PCI DSS was created to provide an extra layer of protection for cardholder data. The motive was to ensure that merchants handling customer card data in any form, whether storing, processing or transmitting it, follow a minimum level of security. The first version of PCI DSS, 1.0, was released on 15 December 2004.
In this blog we discuss the latest version, PCI DSS 3.0, which was released in November 2013, had a transition period of one year, and has been in effect since January 2015, with some exceptions.
With the new version, PCI compliance has become much more rigorous. In all there are almost 100 changes, of which only 20 requirements are brand new. These numerous and significant changes make the transition from PCI DSS 2.0 to 3.0 much more difficult and complicated than the one from 1.2.1 to 2.0.
We bring to you the major changes that will affect merchants and payment processors dealing with card data:
Also, penetration testing (internal and external) must now follow an "industry-accepted penetration testing methodology", for example the specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
Merchants must therefore be extra careful about the security vendor they choose for penetration testing, as this requires specialists who understand the rapid and constant changes in the security industry and are adept at handling them with finesse.
Summary of PCI 3.0
Apart from these, we are sharing the summary* of the significant 'evolving requirements' that have to be implemented to comply with PCI DSS 3.0:
a) 6.5.10: Coding practices to protect against broken authentication and session management.
b) 6.6: It is no longer enough to merely deploy a WAF or perform a source code review, and a WAF running in detect-only mode no longer meets the PCI criteria. All identified issues must be fixed and then retested to confirm that they are fixed.
c) 8.2.3: Combined minimum password complexity and strength requirements into a single requirement and increased flexibility for alternatives that meet the equivalent complexity and strength.
d) 8.5.1: For service providers with remote access to customer premises, to use unique authentication credentials for each customer.
e) 8.6: Where other authentication mechanisms are used (e.g., physical or logical security tokens, smart cards, certificates), the mechanisms must be linked to an individual account, and it must be ensured that only the intended user can gain access with that mechanism.
f) 11.5.1: Implement a process to respond to any alerts generated by the change-detection mechanism.
g) 12.2: Moved from an annual risk assessment process and clarified that the risk assessment should be performed at least annually and after significant changes to the environment.
h) 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
i) 12.9: Service providers must provide the written agreement/acknowledgment to their customers as specified in requirement 12.8 (which clarifies the intent to implement and maintain policies and procedures to manage service providers with which cardholder data is shared or that could affect the security of cardholder data).
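Requirement 6.5.10 in the list above names the coding practices but not what they look like in code. The following is an added example, not code from the original post or from Indusface, showing a minimal server-side session store that avoids the usual session-management defects: predictable IDs, IDs kept across login (fixation), IDs that never expire, and plaintext IDs sitting in the store. The timeout values, the cookie name `sid` and the class and function names are this example's own assumptions, not values taken from the standard.

```python
"""Session-management helpers illustrating PCI DSS 3.0 requirement 6.5.10.

Added example (not from the original post). Timeouts and the cookie name
are assumed policy values chosen for this illustration.
"""
import hashlib
import secrets
import time


class SessionStore:
    """In-memory session store keyed by a hash of the session ID."""

    def __init__(self, idle_timeout_s=900, absolute_timeout_s=8 * 3600,
                 clock=time.time):
        # Assumed policy: 15 min idle timeout, 8 h absolute lifetime.
        # The clock is injectable so expiry logic can be tested offline.
        self.idle_timeout_s = idle_timeout_s
        self.absolute_timeout_s = absolute_timeout_s
        self._clock = clock
        self._sessions = {}  # sha256(session_id) -> record dict

    @staticmethod
    def _key(session_id):
        # Store only a hash: a leaked store cannot be replayed as live cookies.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, user_id):
        """Issue a fresh 256-bit ID from the OS CSPRNG (never random() or time)."""
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(session_id)] = {
            "user_id": user_id,
            "created": now,
            "last_seen": now,
        }
        return session_id

    def validate(self, session_id):
        """Return the bound user_id if the session is live, else None.

        An expired session is removed on sight so it cannot be revived later.
        """
        if not isinstance(session_id, str):
            return None
        rec = self._sessions.get(self._key(session_id))
        if rec is None:
            return None
        now = self._clock()
        idle_expired = now - rec["last_seen"] > self.idle_timeout_s
        age_expired = now - rec["created"] > self.absolute_timeout_s
        if idle_expired or age_expired:
            self.destroy(session_id)
            return None
        rec["last_seen"] = now  # activity extends the idle window only
        return rec["user_id"]

    def rotate(self, session_id, user_id):
        """Call on login and on any privilege change.

        The pre-authentication ID is invalidated, so an ID planted or
        captured before login is worthless afterwards (anti-fixation).
        """
        self.destroy(session_id)
        return self.create(user_id)

    def destroy(self, session_id):
        """Server-side logout: the ID stops working even if the cookie lingers."""
        if isinstance(session_id, str):
            self._sessions.pop(self._key(session_id), None)


def session_cookie(session_id, name="sid"):
    """Set-Cookie value keeping the ID off plaintext HTTP and away from script."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("guest")          # pre-login session
    sid = store.rotate(anon, "alice")     # login: new ID, old one dead
    print(session_cookie(sid))
    print(store.validate(anon), store.validate(sid))  # None alice
```

The hashing of stored IDs and the injectable clock are the two design choices worth copying: the first means a dump of the session table is not a dump of live credentials, the second means idle and absolute expiry can be exercised in a unit test without sleeping.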
As per Avivah Litan, VP and distinguished analyst with Gartner, PCI DSS 3.0 is about 27% larger than its predecessor, meaning enterprises will be forced to implement more security controls.
These security controls have raised the bar for penetration testing and vulnerability assessment, and without doubt the challenge of meeting Requirement 11 in particular is huge. But with a carefully chosen vendor these changes can be adhered to, and they will greatly enhance the security of your data. With 2014 turning out to be the year of breaches, security should be your prime concern for 2015, and PCI DSS 3.0, however complex, will only help you get there.
*Source: Summary of changes from PCI DSS version 2.0 to 3.0
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to initial customers with a proven, validated business model poised for scale. He has proven experience (10+ years) in the security industry and held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.