The main security topics to lead us into 2015.
Hopefully you’ve heard that the Payment Card Industry Data Security Standard (PCI DSS) has changed…again. In November of 2013, the PCI Council released PCI DSS version 3.0 and set the compliance deadline for January 2015.
With the deadline of January 1, 2015 passed, many businesses still aren’t even close to compliance with the new standard.
SEE ALSO: PCI DSS 3.0: 10 Commonly Asked Questions
Changing technologies often improve business efficiency, but aren’t bulletproof to the weaknesses consistently found and exploited by hackers.
New security regulations like PCI 3.0 are released to protect new technologies against recent hacking trends.TweetIn my opinion, Requirement 4.1 is the biggest PCI 3.0 change for franchisees. Many franchises and chains use satellite communications to connect locations. According to the newest version, it’s no longer acceptable to rely on the link provider’s system security. It’s your responsibility to encrypt satellite communications containing cardholder data so it remains secure.
If your franchisor hasn’t already asked you to begin implementing PCI 3.0 changes, they (or your bank) probably will soon. Here are three themes I’ve seen while reviewing additions to the newest PCI standard.
1. Make sure sensitive data is kept from prying eyesSecurity clearances aren’t just for high-tech companies and weapons manufacturers. For example, restricting access to the administrative portions of point-of-sale (POS) systems or hotel management applications can lower the chance of malware entering a system.
SEE ALSO: The Ultimate Guide to PCI DSS 3.0
PCI 3.0 digs deep into employee restrictions to safeguard access to customer data with a handful of new requirements.
- Requirement 5.3 reminds us that anti-virus shouldn’t be able to be altered without managerial approval. If just anyone can turn off anti-virus, they could leave a business vulnerable to malware that could slip past the unguarded system.
- Requirement 7.1.1 requires a role-based access control system. This means employee access to card data and systems should only be granted on a need-to-know basis.
- Requirement 9.3 is all about controlling physical access to sensitive areas. If an employee’s job doesn’t require them to have access, make sure they don’t have access.
2. Review, revise, repeatFrom my security experience, many breaches are caused in part by a lack of process review. Errors can easily occur because of ignorance, poor planning, lack of attention, or timing and can lead to security decay.
The PCI Council definitely thought double-checking software, processes, and devices was an important part of a secure business environment.
- Requirement 9.9.2 ensures merchants regularly examine POS devices to make sure they haven’t been tampered with. This is especially important in the case of POS systems that are left out in the open and unattended for a long period of time (such as gas station terminals).
- Requirement 10.6.2 states the importance of reviewing logs of all system components. Periodically reviewing logs helps determine if suspicious activity is occurring.
3. Give me documentation or give me death!Documentation is a four-letter word to most businesses. Ugh! Who wants to devote precious resources to documentation? Well, the upsides are significant. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized.
That’s probably why PCI version 3.0 has so many new requirements about documentation.
- Requirement 1.1.3 asks merchants to create a cardholder data flow diagram to show how cardholder data enters and flows through the network.
- Requirement 2.4 requires a document that lists all in-scope devices and their function. (That means every POS system, computer, mobile device, etc.)
- Requirement 9.9.1 is very similar to 2.4, and requires merchants to maintain an up-to-date list of all devices including physical location, serial numbers, and make/model.
- Requirement 11.1.1 asks merchants to maintain a complete list of authorized wireless access points and justify why they are needed in the business environment.
- Requirement 12.8.5 requests two lists: the PCI requirements your third party service provider meets, and a list of PCI requirements your business is required to meet. This requirement was given to attempt to avoid miscommunication between third parties and merchants on who was responsible for what PCI requirements. In a franchisee’s case, it would probably be beneficial to have a similar list explaining the security responsibilities of both you and your franchisor.
Want a more intense overview of the PCI DSS 3.0 changes? Check out this blog.
Whew. Even though I didn’t go over every single change from PCI 2.0 to PCI 3.0, that was a lot to take in. Hopefully you can take what you’ve learned and begin to apply it in your security processes today. Start examining your physical devices for tampering, begin your list of wireless access points, and instigate company-wide role-based employee access. I promise you’ll be more secure.
Giles Witherspoon-Boyd (PCIP) is Enterprise Account Manager at SecurityMetrics and assists businesses in defining their PCI DSS scope. Follow him on Twitter and check out his other blog posts.