The clock is ticking for enterprises that have not yet upgraded their payment card processing systems to be compliant with PCI DSS 3.0. Though the new version of the standard went into effect Jan. 1, 2014, merchants have the option to certify compliance under the old version throughout 2014. However, this option goes away in 2015 and all merchants must prove PCI DSS 3.0 compliance. Is your company ready for the change?
In this tip, we take a look at three of the major changes in PCI 3.0 and explain the steps needed to bring your organization into compliance on time.
Service provider management
As PCI DSS is a contractual obligation, rather than a law, the standard does not directly apply to entities that have not entered into credit card merchant agreements. However, most organizations rely upon outside services for some portion of their credit card processing. PCI DSS extends to these entities by considering them as service providers and requiring that merchants enter into written agreements with any service providers that store, process or transmit credit card information on their behalf. These written agreements must require that service providers comply with the provisions of PCI DSS.
The concept of service providers dates back to the earliest version of PCI DSS, and merchants have always been required to maintain lists of service providers, enter into written agreements with those providers, and monitor the ongoing compliance status of those providers. PCI DSS 3.0 introduces a new requirement for merchants dealing with service providers. Under requirement 12.8.5, merchants must maintain information about which PCI DSS requirements are the responsibility of the merchant and which are the responsibility of the service provider.
When updating the documentation to comply with this new requirement, lean heavily on the service providers. After all, they are fielding the same question from every client in their portfolios. Many service providers prepare detailed documents outlining the scope of their PCI DSS compliance and the responsibilities that remain in the hands of merchants. In some cases, these documents are prepared by PCI Qualified Security Assessors. Organizations can rely on these documents and maintain them as part of the compliance materials.
Rigor of penetration testing
Requirement 11.3 of PCI DSS has always mandated that an organization perform both internal and external penetration testing of its environments, both annually and after any significant changes. In its 2014 PCI Compliance Report, Verizon singled out penetration testing as the least complied-with control across all of its customers, with less than 40% of merchants fulfilling the penetration testing requirements and properly documenting their controls.
The PCI consortium responded by increasing the rigor of the penetration testing requirements in PCI DSS 3.0. In addition to requiring the annual and post-change tests, the standard now requires companies to specify many details of the tests themselves. The tests -- which must be performed by a qualified independent tester and based on industry standard approaches -- cover the entire cardholder data environment, incorporate testing of segmentation controls and meet many other detailed specifications contained within requirement 11.3.
As an organization upgrades its penetration testing controls, it should first examine the entity performing the test. If an employee is administering the test, the organization will need to satisfy auditors that the employee is qualified to perform the test, and that the tester is organizationally independent from those responsible for implementing and maintaining security controls. Is the tester capable of meeting the many new requirements in section 11.3? If not, it might be better to retain a professional penetration testing firm to satisfy this requirement.
Physical security updates
PCI DSS 3.0 also changes the physical security requirements for cardholder data processing locations. The new requirement, 9.3, strengthens the degree of rigor around allowing onsite personnel access to sensitive areas. Organizations must now explicitly authorize access for individuals and that access must be required for the individual's job function. In addition, the organization must implement procedures to immediately revoke physical access upon termination. Organizations should review their current procedures in these areas and take steps to update them if necessary.
A more difficult physical security challenge comes in the form of requirement 9.9. This new requirement covers the physical security of payment card swipe terminals that are used in card-present transactions at the point of sale. The organization must maintain a complete list of those devices -- including serial numbers -- and conduct periodic inspections of the devices to ensure they have not been tampered with or swapped out. Personnel who work with the terminals must receive training designed to reduce the possibility of unauthorized tampering.
Organizations with a large number of swipe terminals may have more difficulty complying with requirement 9.9, particularly if the devices are geographically diverse. Organizations should take the time to plan inventory, training and inspection approaches to make sure they will be ready to comply with the standard next year.
Organizations concerned that all the work involved in complying with the PCI DSS 3.0 revision is simply too much to achieve before the end of 2014 can breathe a small sigh of relief: a subset of the PCI DSS 3.0 controls has a deferred compliance deadline. These controls, which include the updated penetration testing requirements of section 11.3 and the terminal physical security requirements of section 9.9, are currently considered best practices and only become mandatory on July 1, 2015.
PCI DSS 3.0 presents organizations with new compliance responsibilities, but these are not insurmountable. Taking the time to perform a gap assessment now will ease the transition burden when the compliance deadlines arrive in 2015.