PCI QSA analysis: PCI DSS 3.0 to bring new PCI challenges, benefits
The Payment Card Industry Data Security Standard (PCI DSS) version 3.0 was officially released on Nov. 7, 2013.
As a Qualified Security Assessor (QSA) who has performed many PCI audits for merchants and service providers during the past six years, I have been reviewing PCI DSS 3.0, and my analysis is positive. However, the PCI Security Standards Council (PCI SSC) has missed some key opportunities to clarify the standard and to address compliance for emerging technologies.
Generally, PCI 3.0 is an improvement over PCI 2.0, containing important clarifications and some new required controls but not fundamentally changing basic PCI requirements or how QSAs will assess them.
PCI 3.0 is built on the same 12 core requirements as PCI 2.0. Organizations that must comply with PCI DSS should plan to keep documenting, implementing and maintaining the baseline controls they have been held to for years: strong authentication, detailed logging, user access control and the like.
Organizations should expect a PCI 3.0 assessment to be similar to a PCI 2.0 assessment but more transparent and consistent. This is because, in general, PCI 3.0 provides better guidance to QSAs about what to assess and what evidence is needed to confirm that a control is in place.
Significant new requirements
While the structure of the standard and the assessment process won't be much different, there are several significant new PCI 3.0 requirements that organizations should be prepared to comply with.
First, PCI 3.0 adds several controls (Requirement 9.9) to protect point-of-sale (POS) devices that capture card data through direct physical interaction from tampering and substitution. To meet them, many organizations will need to develop and implement new POS security processes: maintaining an up-to-date device inventory (make, model, location, serial number), periodically inspecting devices for tampering or substitution, and training the employees who handle them. Note that 9.9 is a best practice until June 30, 2015, after which it becomes a requirement. QSAs will expect all such processes to be thoroughly documented and regularly performed, and will look for inspection records, not just a policy.
An important new PCI 3.0 requirement (12.2) is that risk assessments must be performed at least annually and after any significant change to the cardholder data environment (CDE). Currently, many organizations perform only an annual risk assessment of their CDE, and the standard does not define "significant change," so there will likely be debates between organizations and QSAs about what qualifies. Organizations should write their own definition into their change-management policy (for example, a new payment application, a new connection into the CDE or a new service provider) and agree it with their QSA before the on-site assessment.
Another substantial PCI 3.0 requirement (5.1.2) states that organizations must periodically evaluate evolving malware threats for any systems considered not to be commonly affected by malicious software. In other words, organizations must explain and justify why they do not run antimalware software on non-Windows platforms such as Linux, Unix or mainframes, and revisit that justification as threats change. This is valuable because it forces organizations to think carefully about evolving non-Windows threats rather than assuming those platforms are immune. In turn, QSAs will be compelled to scrutinize antimalware controls on all platforms more carefully.
Additionally, PCI 3.0 mandates (8.5.1, a best practice until June 30, 2015) that service providers with remote access to customer CDEs must use a unique authentication credential for each customer environment -- a requirement that will undoubtedly enhance security, because a single compromised password can no longer open every client's environment. It is not unusual for QSAs to find service providers using one shared credential to manage multiple client environments. To prepare, service providers should start implementing per-customer credential management processes, and merchants should obtain confirmation from their service providers that this control is being met. QSAs will need to carefully review the related policies and procedures, and sample actual accounts, to verify that service providers are complying with the control.
A related change (12.8.5) requires organizations to formally document which PCI DSS requirements are managed by each of their service providers and which are managed in-house. Furthermore, service providers must now acknowledge in writing to their customers (12.9, a best practice until June 30, 2015) that they are responsible for the security of the cardholder data they possess or could affect; this complements the existing 12.8.2 requirement that organizations maintain a written agreement with each service provider containing that acknowledgement.
I think the above two controls are excellent additions. QSAs often find that organizations do not completely understand which PCI functions their service providers are responsible for, or make incorrect assumptions about those functions. These two new controls will result in good, healthy discussions between organizations and service providers about who is responsible for what. It will also help QSAs clearly understand who is responsible for particular controls within a CDE.
Finally, per PCI 3.0 (11.3.4), penetration testing must validate that all segmentation technologies and methods an organization uses to isolate its CDE from other networks are operational and effective. In practice this means testing from the out-of-scope networks toward the CDE and confirming that nothing in scope can be reached, not merely reviewing firewall rules. This excellent control will help ensure that a CDE is correctly defined and will be welcomed by QSAs.
Minor new requirements
In addition to the new major requirements, PCI 3.0 includes other controls that will also affect organizations' PCI DSS compliance, just not as drastically.
For instance, PCI 3.0 requires an organization to define its CDE more formally than PCI 2.0 did: it must keep a current diagram showing all cardholder data flows across systems and networks (1.1.3), maintain an inventory of the system components in scope for PCI DSS (2.4), and maintain an inventory of authorized wireless access points with a documented business justification (11.1.1). Careful and thorough CDE definition is critical for a QSA, making this a great mandate. Fortunately, many organizations already have these artifacts as part of their current PCI compliance programs.
Another new PCI 3.0 requirement (7.1.1), which is likely to affect larger organizations more than smaller ones, is that the access needs and privilege levels for every role allowed access to CDE systems must be formally defined and documented. This will likely mean additional planning and pre-assessment preparation work for larger organizations with many roles.
Areas that need clarification, inclusion
In general, PCI 3.0 provides distinct guidance, but it does contain some important language that needs clarification.
First, PCI 3.0 (11.5.1) requires organizations to implement a process to respond to any alerts generated by their change-detection (file integrity monitoring) solution. Such software can generate many alerts each day -- some significant, some not -- so there is likely to be debate between QSAs and organizations about how organizations must respond to alerts and how to document each response. At a minimum, expect to show that every alert was reconciled against an approved change and that anything unexplained was investigated within a defined time.
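One way to make that response process demonstrable, as an added example rather than anything from the article or a particular FIM product: reconcile each alert against the approved change records, mark the rest for investigation with a due date, and keep the resulting dispositions as evidence. The alert export format, the host and path names, the change tickets and the list of critical paths below are all constructed for illustration.

```python
"""Triage file change-detection alerts against approved change records.

Added example for this article; not the author's process or any vendor's
tool. The alert lines, tickets, hosts and paths are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Constructed export from a hypothetical FIM tool, one alert per line.
SAMPLE_ALERTS = """\
2013-11-08T02:14:03Z host=pos-srv-01 path=/usr/lib/payapp/libauth.so event=MODIFIED sha256=9f2c
2013-11-08T02:15:40Z host=pos-srv-01 path=/usr/lib/payapp/libauth.so.bak event=CREATED sha256=71aa
2013-11-08T03:02:11Z host=pos-srv-02 path=/etc/ssh/sshd_config event=MODIFIED sha256=c0de
2013-11-08T11:30:00Z host=db-cde-01 path=/opt/cardvault/config.xml event=MODIFIED sha256=4b1d
2013-11-08T11:31:12Z host=db-cde-01 path=/tmp/.X11-unix/session event=CREATED sha256=feed
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) path=(?P<path>\S+) event=(?P<event>\S+) sha256=(?P<sha>\S+)$"
)

# Paths where an unexplained change matters most (assumed list, tune per environment).
CRITICAL_GLOBS = ("/etc/ssh/*", "/etc/pam.d/*", "/opt/cardvault/*", "/usr/lib/payapp/*")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    path: str
    event: str
    sha256: str


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str
    host: str
    path_glob: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Disposition:
    alert: Alert
    status: str            # "expected" or "investigate"
    reason: str            # written justification kept as assessment evidence
    due: Optional[datetime]  # response deadline for alerts needing investigation


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alerts(text: str) -> List[Alert]:
    """Parse the export; an unparseable line raises rather than being silently dropped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable FIM alert: {line!r}")
        alerts.append(Alert(_utc(m["ts"]), m["host"], m["path"], m["event"], m["sha"]))
    return alerts


def matching_change(alert: Alert, approved: List[ApprovedChange]) -> Optional[ApprovedChange]:
    """An alert is explained only if host, path AND time all fall inside one approved change."""
    for chg in approved:
        if chg.host == alert.host and fnmatch(alert.path, chg.path_glob) and chg.start <= alert.ts <= chg.end:
            return chg
    return None


def triage(alerts: List[Alert], approved: List[ApprovedChange],
           sla: timedelta = timedelta(hours=24)) -> List[Disposition]:
    """Produce one disposition per alert; nothing is left without a recorded decision."""
    out = []
    for a in alerts:
        chg = matching_change(a, approved)
        if chg:
            out.append(Disposition(a, "expected", f"matches approved change {chg.ticket}", None))
            continue
        reason = "no approved change covers this host/path/time"
        if any(fnmatch(a.path, g) for g in CRITICAL_GLOBS):
            reason += "; critical path"
        out.append(Disposition(a, "investigate", reason, a.ts + sla))
    return out


def summarize(dispositions: List[Disposition]) -> Dict[str, int]:
    counts = {"expected": 0, "investigate": 0}
    for d in dispositions:
        counts[d.status] += 1
    return counts


# Constructed change tickets (hypothetical ticket IDs and windows).
APPROVED = [
    ApprovedChange("CHG-1042", "pos-srv-01", "/usr/lib/payapp/libauth.so",
                   _utc("2013-11-08T02:00:00Z"), _utc("2013-11-08T03:00:00Z")),
    ApprovedChange("CHG-1050", "db-cde-01", "/opt/cardvault/*",
                   _utc("2013-11-08T11:00:00Z"), _utc("2013-11-08T12:00:00Z")),
]

if __name__ == "__main__":
    for d in triage(parse_alerts(SAMPLE_ALERTS), APPROVED):
        due = d.due.isoformat() if d.due else "-"
        print(f"{d.status:11} {d.alert.host} {d.alert.path} [{d.reason}] due={due}")
```

Note that the stray `libauth.so.bak` created during the approved window is still flagged: the ticket authorized one file, not the directory, and a leftover copy of an authentication library on a POS server is exactly the kind of side effect an investigator should look at rather than wave through.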
Also, PCI 3.0 splits log review into two tiers. Logs of critical CDE systems and of all systems that could affect the security of cardholder data (for example, firewalls, intrusion-detection systems and authentication servers) must still be reviewed daily (10.6.1), while the logs of "all other system components" must be reviewed periodically, at a frequency set by the organization's policies and annual risk assessment (10.6.2). It is not clear what falls into the "all other system components" category, and there is likely to be debate between QSAs and organizations about how often those logs should be reviewed. Organizations should document the frequency and the risk-based rationale for it before the assessment.
Additionally, like many other QSAs, I was hoping to see language in PCI 3.0 on emerging technologies such as cloud and mobile payments. Without it, QSAs will continue to make judgments about those technologies based on the PCI SSC information supplements, its frequently asked questions (FAQs) and, hopefully, additional guidance to come. Unfortunately, PCI 3.0 also has no new language on virtualization, which would have been greatly beneficial.
PCI DSS 3.0 is an important improvement on the existing standard, but it does not significantly change what organizations must do to comply with PCI, nor how QSAs will conduct PCI assessments.
In 2014, organizations will be able to assess against either PCI 2.0 or PCI 3.0; PCI 2.0 is retired on Dec. 31, 2014, so all organizations must use 3.0 from the beginning of 2015. A handful of the new requirements noted above (8.5.1, 9.9, 12.9, and the penetration-testing methodology in 11.3) are considered best practices until June 30, 2015, after which they become mandatory.
About the author:
Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is a senior security auditor at Coalfire Systems. He has 17 years of experience in information security design, implementation and assessment. He has performed PCI audits and provided PCI advisory services to a wide variety of merchants and service providers.
Editor's note: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions or practices of the author's employer.
31 Oct 2013