Compliance Week: New Standards for Payment Card Security Take Effect
Compliance Week | January 14th, 2014
By Jaclyn Jaeger
A brand new set of IT security standards governing how companies should protect consumers’ credit card data took effect this month, creating new compliance headaches for any company that stores, processes, or transmits cardholder data.
The Payment Card Industry Security Standards Council released version 3.0 of the PCI Data Security Standards (PCI DSS), significantly raising the bar on payment card data security by establishing several new compliance requirements for a wide range of industries, including retailers, payment card processors, financial institutions, and service providers. The standards were last updated in 2010.
The updated standards come as some retailers, including Target, Neiman Marcus, and others have revealed massive thefts of credit card information by hackers. While the new controls could help limit such data breaches, keeping up with the changes is no easy task, say data security companies. With each version comes additional changes, “so by the time a company has it all figured it out, a new version comes out, and they have to implement additional controls,” says Gene Geiger, a director at A-lign Security and Compliance Services, a security assessment firm.
The PCI Security Standards Council, an open global forum responsible for the development of the PCI Security Standards, was founded in 2006 by five global payment brands—American Express, Discover Financial Services, JCB International, MasterCard, and Visa. The Council does not impose penalties for non-compliance; these areas are governed by the payment brands themselves.
The main focus of PCI DSS 3.0 is to shift PCI compliance from being a once-a-year exercise in reviewing business processes to making such monitoring part of the overall fabric of the company, Geiger adds.
The new standards will be phased in over time. Although the new standard took effect at the start of the year, compliance with both version 2.0 and 3.0 will be acceptable until Jan. 1, 2015. After that time, compliance with version 3.0 will become mandatory, with the exception of certain complex changes, which will be deemed “best practice” until July 1, 2015, when they officially take effect.
One of the most significant changes calls for enhanced penetration testing to verify that companies properly segment cardholder data environment—the people, processes, and technology that process, transmit, and store cardholder data—from other network systems. “Segmentation equals isolation,” says Michael Aminzade of information security firm Trustwave.
“For all of us in retail, we’re going to see the biggest impact around segmentation,” says Thomas Borton, director of IT security and compliance for home furnishings retail chain Cost Plus World Market, and a member ISACA’s Knowledge Board.
Companies must further perform penetration tests to demonstrate that the segmentation methods are operational and effective. Unlike PCI DSS 2.0, version 3.0 requires that a “qualified security assessor” perform the testing.
The requirement for a certified security expert will increase the cost of compliance says Borton. “That means a lot more preparation by the security folks,” he says. More testing translates into “a lot more billable hours to our external QSAs,” he adds.
New POS Device Safeguards
The new standards also now require that retailers inventory and protect point-of-sale (PoS) devices—the devices that consumers use to swipe their cards when making purchases. From a compliance point-of-view, knowing the location of each PoS device is a fairly manageable task, says Borton. “We know which stores are given PoS devices,” he says.
Where the real compliance challenge lies is in the additional requirement that retailers perform periodic on-site inspections in every store where PoS devices are located to inspect them for evidence of tampering and further train their employees at those locations on how to detect and prevent tampering.
For large global retailers, “that’s going to be a tremendous task,” says Geiger. “That is the biggest one that merchants need to start now, because it’s going to take time to get those procedures in place.”
Even for small- to mid-size companies, such as Cost Plus World Market, that’s a tremendous task. “I don’t have an information-security person in every store,” says Borton.
Rush Taggart, chief security officer at service provider CardConnect, says many companies don’t have the expertise at the store level to conduct such inspections. “How is a sales clerk going to identify physical modifications?” he says. “These are not technical people being asked to verify these devices.”
For companies with large sales forces that use significant numbers of PoS devices, Taggart adds, this requirement is going to prove to be a “tremendous training challenge” in terms of how to achieve this particular compliance task.
Service Provider Duties
PCI DSS 3.0 also includes newly established responsibilities for service providers. Retailers are not the only ones who have access to customers’ credit card data in the payment-process chain, explains Geiger. In many cases, retailers turn to service providers to host the servers on which the credit card numbers run, or they are responsible for the back-up of that data, he says.
To address this gap in security, retailers must document which of the more than 200 requirements are managed by each service provider and which are managed by the retailer itself. “That’s going to impact our clients quite a bit,” says Geiger, adding that A-lign focuses heavily on the service provider space.
Taggart agrees. “Vendor negotiations are never easy, and this is just going to significantly increase the difficulty of negotiating service provider agreements,” he says.
“As a service provider, these are the changes we need to include in our plan,” adds Taggart. “We’re audited by an external firm, so I’m planning on starting next month for the changes, so that I can be ready when our 2014 assessment happens in September.”
PCI DSS 3.0 also prohibits service providers from using the same user ID and password for multiple retailers where they install card-swipe machines. If one retailer has its user ID and password compromised, and that retailer experiences a breach, that opens up vulnerabilities at all those other retailers. In fact, several breaches that have occurred over the last year have been the result of such security gaps, experts say.
More Clarifications
Not all of the new standards make compliance more difficult. With earlier versions of PCI, companies were receiving many different answers from security assessors on interpretation of the standards, explains Taggart. “The good news is that they’ve clarified a lot of the language,” he says.
PCI DSS 3.0 also addresses knowledge gaps by adding clarifications in many areas of the standards on exactly how to comply. “The individuals that are responsible for implementing and performing the controls still aren’t fully educated or aware of what they’re supposed to be doing,” says Geiger. The new standards include more guidance for them.
The one caveat is that some QSAs have varying opinions as to how the standards will apply to each cardholder environment, says Geiger. As a result, knowing the full effect of the standards will not be possible without first meeting with your QSA and reviewing all the changes to the new standards, he says.
Borton says the only way that with each new version of the PCI standards, he needs to “sit down with my QSA and go through item-by-item on what their strategy is going to be, so they can feel comfortable on signing off the review of my system.” Retailers must also clearly communicate with their QSAs “to know exactly what their expectations are, and then budget for them.”
Read the full article here on Compliance Week.