The anticipated changes to the payment card industry data security standard
(PCI DSS) was published today.
Overall there is better clarification of the 12 steps of the standard as well as to remain current with attack vectors and to address the need for physical security of payment terminals and address requests for more stringent scoping and testing.
Altogether there are 11 main changes to requirements 5 (use and regularly update anti-virus software on all systems commonly affected by malware), 8 (assign a unique ID to each person with computer access), 9 (restrict physical access to cardholder data), 11 (regularly test security systems and processes) and 12 (maintain a policy that addresses information security).
The change to five will require “evaluate evolving malware threats for any systems not considered to be commonly affected” while three changes to step eight around using unique authentication credentials by service providers and linking tokens to an individual account.
The two changes to requirement 9 are on controlling physical access to sensitive areas for onsite personnel, including a process to authorise access and revoke access immediately upon termination, and protecting devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Two changes to requirement 11 are implementing penetration testing and being able to respond to any alerts detected by the change detection mechanism, while two changes to requirement 12 regard maintaining information about which PCI DSS requirements are managed by each service provider.
Bernard Zelmans, general manager EMEA at FireMon, welcomed the changes as a move from a security check box posture to a more holistic risk management approach. “This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions of PCI,” he said.
“Moving to a risk management centric goal is one that many within the industry have clamoured for, and if the new risk based approach will result in organisations adopting better security standards, then PCI DSS 3.0 will have succeeded where its predecessors have come up short.”
Ross Brewer, vice president and managing director for international markets, LogRhythm, said: “A big concern is that organisations tend to view compliance as a one-off obligation, taking a check-box approach which leaves security a mere afterthought once certification has been achieved. This is simply unforgivable in this day and age, and indicates a clear lack of common sense – particularly when security breaches are reported so frequently and customer confidence continues to nosedive.
“Instead, security must be an ongoing, active process – which is where I welcome the introduction of security training and collaborative efforts as part of the new compliance requirements.”
Michael Aminzade, director of delivery for EMEA & APAC at Trustwave, welcomed the changes but said that the risk management area of PCI 3.0 still needs more work.
“The main area of concern is that even though the new standards references risk management strategies that must be met, the standard doesn’t enforce companies to adopt any of those strategies,” he
“In particular the standard doesn’t address the fact that risk assessments need to be done by an industry-certified professional and are only performed on an annual basis. Also, PCI DSS 3.0 does not include any changes surrounding mobile security. Merchants are struggling with how to protect mobile payment solutions and integrating mobile devices into their organizations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security.
Lastly, the PCI DSS 3.0 standard needs a section that highlights the expanded use of security tools (beyond vulnerability scanning) that all merchants should use.”
Also, Kurt Hagerman, director of information security at FireHost, said that the revisions will mean an increase in time and costs for organisations to remain compliant, especially with the “business as usual activity” as a means of maintaining on-going PCI DSS compliance.
He said: “The revisions made for the latest version of the PCI standards will go a long way to improving the quality of assessments and reducing overall risk. Whereas with previous iterations of the standards companies would be told how to meet each requirement, with PCI DSS 3.0 they are given both a more detailed explanation of the requirement and the ways of meeting it – a much more effective approach indeed.”