The new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) that went into effect on January 1 contains significant changes. Some of the requirements will remain suggested best practices until July 1, 2015. After that, they too become mandatory.
PCI 3.0 will have the greatest impact on e-commerce merchants who partner with third parties for payment card data collection, along with third party service providers who remotely manage merchant systems and networks. Up to version 2.0 of the PCI DSS, fully outsourcing an e-commerce payment system via a redirect payment company put the web environment out of scope. The web environment didn’t touch payment card data, and therefore did not have to meet PCI requirements.
But now, under the PCI DSS 3.0, certain redirect scenarios – in particular those that utilize client-side scripts and direct posts- will require merchants to implement over one hundred security controls. These controls include vulnerability scanning and penetration testing.
The most significant changes are found in the following sections of the PCI DSS 3.0:
PCI 8.5.1: “Service providers with remote access to customer premises must use a unique authentication credential (such as a passphrase) for each customer.” Retailers should do their due diligence and ensure that their service providers are in compliance.
PCI 9.9: Devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” This stipulation addresses skimmer devices, as well as theft of card-reading devices and terminals in order that criminals can reverse-engineer them. Retailers should verify that all POS hardware is secured.
PCI 11.3 Implement a methodology for penetration testing that includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results
PCI 12.9: “Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.” Retailers should ensure that their contracts reflect this requirement, or are updated accordingly.
BAI Security’s IT Security Assessments help retailers gauge their PCI compliance readiness, identify gaps, and can assist in developing a remediation plan. BAI Security Assessments utilize consistently proven (repeatable) methodology and established industry best-practices to gauge an organization’s compliance with applicable regulatory requirements. Find out more here, and let us know how we can help you to achieve PCI DSS 3.0 compliance efficiently and effectively.
Remember too that PCI DSS is a baseline for security. To comprehensively protect sensitive data and systems from cyberattacks, many retailers need to move beyond PCI DSS. BAI Security can work with you to develop a risk-based security plan that makes sense for your business.