PCI DSS 3.0 comes into effect
Maintaining credit and debit card information on behalf of financial services organisations demands the highest levels of security and customer confidence, and adhering to standards like PCI DSS plays a crucial role in this. Yet, though the standard is unique in that it regulates data protection across a multitude of industries, PCI DSS remains one of the most challenging regulations with which companies must comply. Its Janus-faced qualities – some say it’s too prescriptive, while others complain that the standards are confusingly vague – make achieving and managing compliance difficult and time-consuming, writes Paul Ayers.
Since its inception in 2001, the standard has posed a number of challenges to risk managers, Information Security personnel, and IT operations professionals alike. Not only must companies achieve and maintain compliance with the numerous stipulations of PCI DSS, but they must also do so across geographically distributed networks and across both structured and unstructured data sets. Unsurprisingly, protecting such varied assets – which may include databases, file server files, documents, images, voice recordings, access logs and so on – in a dynamic threat environment and in a manner that is compliant can prove challenging. Of course, the increase in use of cloud computing and big data technologies – which players in the financial sector have adopted with enthusiasm – has created additional, but not insurmountable, challenges to achieving compliance with the mandate. It is worth noting that, in the face of such rapidly changing technology, the use of point solutions to patch holes in data security compliance requirements has become both expensive and difficult to support from a management standpoint.
Now, with 2015 upon us, and the deadline for PCI DSS 3.0 compliance passed, retailers, payment processors and financial institutions are feeling the strain with regards to understanding what steps to take. PCI DSS 3.0 actually took effect in January 2014, but organisations were able to postpone implementing the standard until 1 January 2015. In this time, implicated businesses should have established and implemented the security controls and procedures required to meet the new standard. Reflective of today’s heightened threat environment, where businesses and lawmakers alike must respond to more and more internal and external hazards, it should come as little surprise to many that this version of the standard has some 408 requirements – that’s 27 percent more rules than version 2. Interestingly, revisions to this version have reinforced the criticality of robust encryption and key management.
Section 3.5.2, for example, calls on businesses to store secret and private keys used to encrypt/decrypt cardholder data separately and/or within a secure cryptographic device. Furthermore, the PCI Council also elaborated on the principles of split knowledge and dual control, helping underscore the criticality of implementing controls so that no single administrator has privileged access to both keys and encrypted data. Here requirement 7 is important to note as sections 7.1 and 7.2 state that only users and resources that must access cardholder data in order to complete their job should have access to systems containing cardholder data. Also, audit trails must be present for access to networks and cardholder data by system components, administrators and users under the caveats of requirement 10, which remain unchanged from version 2 of the mandate.
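As an added illustration (not code from the article), the following models the three controls described above: a 2-of-2 split-knowledge scheme so that no single custodian holds the key-encrypting key, dual control on its reconstruction, a requirement 7 style check that no user holds both key access and cardholder-data access, and an audit trail of every attempt in the spirit of requirement 10. The XOR split, the permission names and the service class are assumptions of this example.

```python
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical permission names for the two halves that must never sit with one person.
KEY_ACCESS, DATA_ACCESS = "key-component-access", "cardholder-data-access"

def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 split knowledge: XOR the key with a random pad of equal length.
    Either component alone is uniformly random and reveals nothing about the key."""
    pad = secrets.token_bytes(len(key))
    return pad, bytes(k ^ p for k, p in zip(key, pad))

def combine_components(a: bytes, b: bytes) -> bytes:
    """Recover the key from both components; rejects mismatched lengths."""
    if len(a) != len(b):
        raise ValueError("component lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

def separation_of_duties_violations(grants: Dict[str, Set[str]]) -> List[str]:
    """Requirement 7 style check: users who can reach both keys and encrypted data."""
    return sorted(u for u, perms in grants.items() if {KEY_ACCESS, DATA_ACCESS} <= perms)

class DualControlKeyService:
    """Reconstitutes the key-encrypting key only when two distinct authorised
    custodians each present their component; every attempt is written to an audit trail."""
    def __init__(self, grants: Dict[str, Set[str]]):
        self.grants = grants
        self.audit: List[dict] = []

    def _log(self, actor: str, outcome: str, reason: str = "") -> None:
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": "reconstruct-kek",
                           "outcome": outcome, "reason": reason})

    def reconstruct_kek(self, presentations: List[Tuple[str, bytes]]) -> Optional[bytes]:
        actors = [a for a, _ in presentations]
        joint = "+".join(actors)
        if len(presentations) != 2 or len(set(actors)) != 2:
            self._log(joint, "denied", "two distinct custodians required")
            return None
        for actor, _ in presentations:
            if KEY_ACCESS not in self.grants.get(actor, set()):
                self._log(joint, "denied", f"{actor} is not an authorised key custodian")
                return None
        kek = combine_components(presentations[0][1], presentations[1][1])
        self._log(joint, "allowed")
        return kek
```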
There are also a couple of key focus points that will directly affect the specific activity of Cloud Service Providers (CSPs). One of these is the requirement for written agreement (or acknowledgement) by the CSP to their customers of their explicit responsibilities for supporting the standard. In PCI DSS 2.0 there were already requirements for service providers, but this change will require that they develop specific, contract-level documentation of their commitments. Other points of interest include more explicit definitions around the shared responsibility of service providers who provide PCI DSS compliant environments and services to customers, specific enhancements around penetration testing, education and awareness, as well as specific clarifications around the use of encryption and cryptographic keys.
Looking ahead to the coming year, there can be little doubt that the financial sector will remain a key target for cyber-criminals – pummeled by both nation state hackers trying to harm enemies’ core financial structure and criminals out to steal money. And, with regulators around the world increasingly involved in enhancing existing data security compliance requirements and defining new data security regulations, the time has come to put protections in place around that data itself.
In the past, organisations only encrypted for protection what they were forced to protect by compliance requirements, or when they were in an industry where secrets were important. However, the new stipulations outlined above show why PCI DSS is no longer a simple ‘check box’ compliance activity – it has evolved considerably past the point where once a year a business made sure it was adhering to the standard’s stipulations. In this brave new world, where the tempo of data breach incidents perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption, granular access controls and data access monitoring in place. This combination reduces the available attack surface by limiting who, what, when, where and how data can be accessed, and then keeps an eye on those with a need-to-know by monitoring their data access patterns for behaviour that may indicate an attack in progress.