In the final hours before a host of new Payment Card Industry Data Security Standard requirements take effect,...
PCI experts admit rigorous new planning and documentation activities will undoubtedly catch many merchants by surprise, but they hold out hope that it will spur more year-round compliance activity.
The Payment Card Industry Data Security Standard version 3.0 was officially released in November of last year, but most of the new requirements do not become mandatory until this Thursday, Jan. 1, 2015.
During the 14-month transition, merchants have had the option of assessing against the more detailed 3.0 standard or the legacy PCI DSS 2.0 standard. But once the ball drops on New Year's Eve, that transition period ends, meaning all PCI Qualified Security Assessors (QSAs) will be required to assess merchants against PCI 3.0.
PCI DSS 3.0 emphasizes policies and procedures
Isabel Bardsley-Garcia, QSA and PCI practice lead for the security consulting group within Dallas-based AT&T Consulting Solutions, said organizations are often caught off-guard by the "huge growing pains" that come with transitioning to PCI 3.0.
Noting there are nearly 100 new sub-requirements in PCI 3.0, Bardsley-Garcia said the massive amount of change makes the transition from version 2.0 to 3.0 much more difficult than the transition from version 1.2.1 to 2.0 in 2010.
While changes affecting passwords, penetration testing and third-party service providers were among the most notable changes when PCI 3.0 was released, Bardsley-Garcia said the change that has had the most profound effect on AT&T clients is new mandates requiring documented security policies and procedures.
Both PCI DSS 3.0 and its predecessor require organizations to develop documented operational security policies and procedures that outline how DSS guidelines are implemented and enforced, but version 3.0 takes what was previously covered in a pair of curt sub-requirements (12.1.1 and 12.2 in version 2.0) and dramatically expands it, adding new policy and procedure requirements to each of the other 11 requirement sections.
Those new sections are much more specific, Bardsley-Garcia said, and force merchants to draw up a policy and procedure for virtually every PCI 3.0 requirement, dramatically increasing the amount of preparation and paperwork for an organization before a QSA ever sets foot on site for an assessment.
"And not only do you have to have a documented policy and procedure," Bardsley-Garcia said, "but those who are responsible for those actions also need to actually know that the procedures and policies exist and be knowledgeable of them."
What seems reasonable in theory often surprises merchants digging into PCI 3.0 for the first time, she added, because it requires cooperation among a diverse set of IT and business groups to create, obtain or refine policies and procedures, as well as to identify individual stakeholders and ensure they understand what's required of them.
"There are so many times when a QSA comes in to conduct interviews, and the firewall administrator, for example, has no idea what's being asked of them," Bardsley-Garcia said, "because they haven't been versed in the PCI DSS."
System monitoring, pen testing prove challenging
Other areas of difficulty for organizations adjusting to PCI 3.0 include new rules around system monitoring, penetration testing and managing third-party compliance.
Greg Rosenberg, QSA and security engineer with Chicago-based compliance and security services firm Trustwave Inc., said managing third-party security is an ongoing challenge, though one with heightened importance: PCI 3.0 includes clarifications defining the role of third parties in their customers' PCI compliance efforts, specifically mandating password-security and two-factor authentication requirements.
Citing his company's 2014 State of Risk Report, Rosenberg said Trustwave found that while 58% of businesses use third parties to manage sensitive data, almost half (48%) do not have a third-party management program in place.
"You can outsource management of systems and data, but what a lot of people don't realize is you can't outsource the liability in the event of a breach," Rosenberg said. "That's a common misconception we hear over and over."
Similarly, Bardsley-Garcia said organizations transitioning to PCI 3.0 are grappling with the more rigorous penetration testing and vulnerability scanning requirements.
Requirement 11.3, a best practice until June of 2015, calls for a detailed penetration testing methodology; though Bardsley-Garcia said the change is long overdue, it's a lot of work for most organizations. Similarly, she said clarifications in requirement 11.2.3 calling for vulnerability scanning after any significant change to the in-scope network are not only daunting, but also expensive.
"With pen testing, companies usually use a third party," Bardsley-Garcia said, "so to build in that time and money into a contract or amend an existing contract … it's hard."
Though of a more nuanced nature, a clarification in requirement 12.10.5 states that organizations must include alerts from security monitoring systems in their incident response plans. However, Bardsley-Garcia said many security teams still struggle to stay on top of security monitoring, which presents challenges in both responding to incidents and demonstrating how they meet the requirement.
"Most companies have robust security management systems and spend millions on tools, but don't take the time to refine the tool; when it makes too much noise, they turn it off," Bardsley-Garcia said. "They don't have the people dedicated to the technology to manage it. You can't always quantify an ROI on security, so it's hard for security managers to get one or two more people to devote to those systems and getting rid of false positives."
PCI 3.0 aims for better change-control management
Rosenberg said many of the above-mentioned changes in PCI 3.0 are intended in part to help merchants get a better handle on change-control management.
Many security industry observers believe better IT change-control processes are a key to preventing large-scale payment card data breaches like those at Target Corp., Home Depot Inc. and Staples Inc., all of which were caused at least in part by point-of-sale malware. The concept is that by limiting system-specific changes on point-of-sale systems using POS whitelisting and more broadly documenting and testing the security of any changed system within the cardholder data environment, organizations give attackers far fewer opportunities to plant malware.
"What the [PCI Security Standards] Council has tried to do with the new version of the standard is to make sure merchants ingrain PCI compliance with a lot of the changes that are often made in an environment," Rosenberg said. "The idea is to have IT staff ask the question, 'How will this change impact security, compliance and risk?'"
Unfortunately, Rosenberg said, so far many organizations transitioning to PCI 3.0 are struggling to put this conceptual change into practice because it requires a laborious validation on an ongoing basis.
"It's not so much that these new requirements aren't a fantastic change," Rosenberg said. "The problem is, you may be the person who is validating process changes today, but what's going to happen six months from now if you are no longer in the role or you don't have the resources to engage the other stakeholders in your organization? Then that process falls down."
He said that's why the best strategy for ensuring compliance with PCI DSS 3.0 is to adopt the SSC's "business as usual" mantra by integrating PCI compliance activities into year-round IT security management processes.
Bardsley-Garcia also advised an approach that emphasizes continuous compliance. Though she admitted the new challenges in PCI 3.0 will likely mean fewer fully compliant merchants in the short term, she lauded the SSC for producing more tools and mechanisms to encourage year-round PCI compliance.
"Anecdotally, we're seeing an increase over the past year in terms of the number of organizations that do want to take that better, year-round approach," Rosenberg said, in many cases because corporate boards of directors were scared by this year's high-profile data breaches. "The more that we understand everyone has ownership of this issue, the more progress we'll make as an industry in making PCI compliance a continuous process."