What requirements changed from PCI 2.0, and why?

Gary Glover, Director of Security Assessments
By: Gary Glover
The PCI DSS was updated for the fourth time (1.0, 1.2, 2.0, 3.0) in November 2013. [PCI DSS Version 3.0 was retired on 30 June 2015. Check out PCI 3.1] As always, the changes the PCI Council made address the latest vulnerabilities and include additional clarification and new guidance.

SEE ALSO: 10 Common Questions About PCI DSS 3.0

While I won’t cover every single nitty-gritty aspect that changed from 2.0 to 3.0 (like all the clarifications), I’m covering the most important changes affecting the majority of merchants.

SEE ALSO: PCI DSS FAQ


Requirement 0 – PCI Intro

The introduction section probably holds the biggest change for PCI 3.0. Web redirection systems are now defined as system components, which means they’re now part of scope for PCI DSS.

The principal of redirection is when a website points users to a third party that collects and processes all card data. Another form of redirection is client side redirection, in which a customer types card data into a web form generated by the merchant, and is then sent directly to a third party. Either way, card data will not pass through the original website.

In the past, these forms of redirection were validated using SAQ A, but new emphasis in PCI DSS 3.0 changes that.

The new SAQ-A EP form is designed for ecommerce merchants using client side redirection.

Review thenew PCI 3.0 SAQ forms

This new direction will affect many merchants who were previously completing an SAQ A and now must move to an SAQ A-EP, which is significantly longer and includes things such as external vulnerability scans and penetration testing.
The reason behind this requirement change? If a hacker is able to manipulate redirection code, he could direct your customers to a fake payments page that looks identical to the one you had originally outsourced.
Attacker directing customers to a fake payments page (i.e., man-in-the-middle attack)


Requirement 1.1.3

A cardholder data flow diagram should show how cardholder data enters your network, the systems it touches as it flows through your network, and any point it may leave your network (e.g., sent to a payment processor). You’ll want to maintain a diagram for each card flow that exists. Most businesses will have just one flow, but you might also have an additional flow if your website processes payment cards.
Simple card present flow diagram

Physically creating a document that explains the processes will help you better understand where card data lives on your network.


Requirement 2.4

This requirement involves a document that lists all in scope device types and their function (e.g., POS systems, computers). This inventory list is also a great place to document software/firmware versions. If you’re feeling a little daunted by this task, interviewing department heads is a great place to start.


Requirement 4.1

In addition to GSM (cellular) connections and wireless Internet, it is now required that any communication that includes cardholder data sent over satellite should be encrypted. Depending on your business, this may not have much impact.

SecurityMetrics has many large retail chain clients (e.g., gas stations, hospitality, restaurant chains). Many of these chains use satellite communications between chains and even as a backup connection. According to the PCI Council, it’s no longer good enough to rely on the link provider’s system security. It’s your responsibility to keep this data secure.


Requirement 5.1.2

For systems not commonly affected by viruses and don’t have anti-virus software installed, you are required to implement and document a new process that shows you periodically evaluate these systems against emerging threats.

The point of Requirement 5.1.2 is to acknowledge hackers invent new ways to hack into systems every day. It requires merchants to research and pay attention to security notices from PCI vendors. If a new attack method is deemed a threat to your system, evaluate if the threat requires anti-virus.


Requirement 5.3

This requirement states that anti-virus can’t be altered without managerial approval. Often, anti-virus needs to be turned off to do system maintenance. During maintenance, who knows what could slip past your unguarded system.

My advice is, if you are updating an application that requires disabling an anti-virus, don’t. Instead, take that system off the network or cut off its Internet connectivity for that period. As a side note, it’s not OK for system admins to just give all users admin access to get around the requirement. That’s missing the point entirely.


Requirement 6.3

Any custom software application for a cardholder environment (whether in-house or commissioned by a third party developer) is under your jurisdiction. It’s ok to outsource your software development, but it’s not OK to outsource your responsibility to ensure secure development practices are followed. If you’re planning to use the application, remember that it’ll be part of your PCI assessment…not your third party’s.


Requirement 6.5.10

This requirement to protect against broken authentication was added to fix common application vulnerabilities. You should create/add/adjust your application code to mitigate any exposure to vulnerabilities. This can be done through not exposing session IDs in URLs, using secure cookies, and enforcing appropriate session timeouts.


Requirement 7.1.1

You’re required to have a role-based access control system. That means access to card data and systems should only be granted on a need-to-know basis. PCI 3.0 requires a defined list of the roles that have access to the card data environment.

On this list, you should include each role, definition of each role, access to data resources, privilege level, and what privilege level is necessary for each person to perform normal business responsibilities. Users must fit into one of the roles you outline.


Requirement 8.4

Organizations are now required to not just document, but also train their users on how to implement password policies. This training should include guidance on how to select a strong password, how to secure it, and instructions not to reuse it.

It’s also crucial that you communicate password policy to your users. This will help them understand how to change their passwords and also not to use the same password between work and home.


Requirement 8.5.1

This new requirement is targeted specifically towards service providers who have remote access into a customer environment. This is common practice with vendors who do remote support or software training.

Any service provider with access to multiple customer systems is now required to maintain unique credentials for each customer environment. The PCI Council knows this requirement in particular will take some time to change, so they’ve given until July 2015 before this is officially required.

Requirement 8.6

The use of alternative authentication mechanisms (e.g., logical tokens, smart cards, certificates) must be tied to an individual user account and not shared among user accounts. To ensure this is met, every merchant must implement a control to enforce those authentication methods can only be used by the intended user (e.g., requiring a PIN, password, or biometric scan in addition to the token to validate the person is authorized).


Requirement 9.3

This requirement is all about controlling employee access to sensitive areas, which must be related to an individual’s job function. To meet this requirement, I suggest documenting exactly who has access to these environments and their business need. Access must be kept up to date, especially when individuals are terminated or their job role changes.


Requirement 9.9

This is a huge addition to the PCI standards. Organizations that use point of sale systems, PIN pads, mobile devices etc., are required to do three new things:


  1. Maintain an up-to-date list of all devices (9.9.1) including physical location, serial numbers, make/model.
  2. Periodically inspect devices (9.9.2). That means looking at device surfaces to make sure they haven’t been tampered with, making sure the serial numbers match, checking that seals haven’t been broken, etc. This could be a very large task depending on the size of your organization. Whether you inspect devices every day or month is based on how at risk you are of tampering (e.g., publically accessible 24/7 gas station terminals vs. a behind-the-counter card swipe device). Make sure you document what you find.
  3. Provide staff awareness training (9.9.3) for staff that interact with card present devices on a day to day basis (e.g., cashiers), and record the who, what, and when for future reference. Ideally, the training will help staff detect any suspicious activity around a payment device. Training should include how to report suspicious behavior and what to do when third parties claim they need to work on the system. For example, rather than assuming IT came in last night to install a new device on the side of her terminal, an employee should question if its supposed to be there and notify appropriate persons.


Requirement 10.6.2

Depending on its size and complexity, this requirement could have a large impact on your environment. In addition to the logging requirements in 10.6.1, you’re now required to review logs of all other system components periodically, based on your policies and risk management strategy.

Lots of different systems in your environment may impact your payment security. As part of your annual risk assessment, you need to identify systems that pose risk and define a process to periodically look at their logs to determine suspicious activity.


Requirement 11.1.1

Maintaining a complete list of authorized wireless access points will require extra documentation, especially in large environments. This list should include a documented business justification for each wireless access point.

It’s difficult to determine which wireless devices to remove if you don’t have an accurate list of them to begin with. That’s why the PCI Council requires you create a total list. If you’re a small ecommerce provider and all your systems fit into a single rack in your data center, this requirement should be pretty easy. If you’re a widespread organization, it will take a bit more time.


Requirement 11.3

The rewrite of section 11.3 is intended to provide additional guidance to both merchants and penetration testing organizations on penetration testing’s intended coverage.

Penetration testing organizations are now required to have documented and standardized testing methodologies that meet industry accepted standards, such as NIST 800.115. In addition, guidance is provided on how best to scope the penetration test and identify critical systems.

A penetration test Special Interest Group has been organized by the PCI Council to help merchants and penetration test organizations best interpret this new set of requirements. Results from this SIG group are expected near the end of 2014.

The PCI Council knows this requirement in particular will take some time to change, so they’ve given until July 2015 before the changes in the penetration testing requirement become official. However, this doesn’t mean you can wait to receive a penetration test until July 2015. The guidance provided in PCI DSS 2.0 for penetration testing is still valid until then.


Requirement 12.8.5

Not only should merchants maintain a list of a third party service providers, but now they must maintain a list of all PCI requirements their service provider meets, and a list of PCI requirements they’re required to meet.


Requirement 12.9

In conjunction with Requirement 12.8.5, service providers are now required to provide written documentation to all customers stating which PCI requirements they cover on their behalf. These two requirements attempt to avoid past miscommunication problems between service providers and merchants.


Summary

Overall, PCI DSS 3.0 focuses on detecting, rather than reacting to, security vulnerabilities. With improved aspects like documentation and system monitoring, 3.0 will increase proficiency among merchants, service providers, and PCI vendors alike.

My recommendation? Start your diagrams, lists, and documentation now! Need help with PCI 3.0?We have 24/7/365 SAQ support.

Can't get enough of PCI 3.0? Watch the webinar:

 

PCI questions?

We’re here to help.
801.705.5656

 

 

© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5656 |


Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.