In September, I had the privilege of attending the PCI Security Standards Council community meeting held in Las Vegas to participate in discussions and review the changes in the draft edition of PCI DSS v3.0 (“Draft 3.0”). PCI community meetings are designed to give assessors and participating organizations the opportunity to discuss the planned changes for PCI DSS v3.0 from v2.0 which was released on October 2010. We also had the opportunity of group Q&A and one-one-one visits with representatives from the PCI Security Standards Council (“The Council”) and the major card brands (Visa, MasterCard, American Express, Discover, and JCB). In this post, I want to share a few key takeaways regarding the draft PCI DSS v3.0 and impressions regarding industry trends and the overall state of information security within the payment card industry.
Industry Trends
Insiders still remain the number one threat to high impacting breaches. However, hacking is on significant rise with breaches up 75% since last year. Hackers are finding safe havens in certain parts of the world and are free to hack with impunity in some cases as long as long as they follow certain rules. Russian hackers, for example, can get a free pass from Russian intelligence services as long as they don’t hack Russian targets and answer to the Russian intelligence services upon request to hack priority targets.
Hacking of payment application memory space is a current threat. Hackers are able to design tools that watch the memory space of targeted payment applications and catch credit card numbers as they are being received in memory but before they can be encrypted. Draft 3.0 has specific secure coding and application development requirements for protecting credit card numbers and sensitive authentication data in memory.
EMV (commonly known as “chip and PIN”) standards are expected be finalized in 2014 by the EMV migration forum for EMV standards in the United States. Chip-and-PIN transactions increase the security of card-present or in-person transactions. Card holders in the United States may see new cards using the new EMV standards as early as 2014. The EMV standards are also expected to include standards for near field communications (NFC) transactions which impact transactions made on mobile phones.
PCI Industry Experts Concerns
Only 1% of reported breaches were detected by log analysis. The take-away here is not that log analysis is failing to do its job. Rather, serious investment is needed in log analysis capabilities and training. Simply having a centralized logging solution or SIEM (security information and event management) system does not mean that breaches will be detected.
Unsupported operating systems are big concern especially given that Microsoft Windows XP will lose its status as a Microsoft supported operating system beginning in 2014. This means that security updates and patches will no longer be released by Microsoft for Windows XP. The Council recommends remediating, replacing, upgrading, or switching to a supported operating system. Having Microsoft Windows XP in the cardholder environment is likely to cause security and compliance issues unless there are significant compensating controls and system isolation in place. Upgrading or switching to another operating system could mean significant effort and cost so organizations should consider these issues in their IT strategy and budget planning meetings.
Tablets and mobile devices are an emerging threat. Organizations should make plans to secure tablets and mobile devices connected to their environments where hardening standards are available, especially where tablets and mobile devices are used as a payment device. Draft 3.0 does not include any new requirements that apply only to tablets and mobile devices.
Important Changes in Draft 3.0
Draft 3.0 has many changes that PCI industry organizations should consider in their IT strategy and planning meetings. The following are a few I believe are important for organizations to consider planning for now.
The Council clarified that any system that can impact the security of the cardholder environment must be considered in scope. Some systems, such as authentication, antivirus, and file integrity monitoring systems may reside in a network zone outside the cardholder environment. These systems must be considered in scope for all relevant requirements because they can impact the security of the cardholder environment. PCI organizations continue to be responsible setting network boundaries and defining the cardholder environment, while assessors continue to be responsible for validating the scope of the environment.
The Council stressed over and over the importance of validating network segmentation. Segmentation is a principle of limiting network boundaries in order to reduce the number of systems included in the scope of the network environment and in PCI audits. For PCI DSS v3.0, where segmentation is used to reduce scope and limit the network boundaries of the cardholder environment, penetration tests will be required to test the effectiveness of network boundaries. This means that internal penetration tests will need to include the internal network not just on the inside of the cardholder environment but also on the outside of the cardholder environment, from the vantage point of internal network zones that face the cardholder environment.
As a recommendation, The Council recommended that organizations consider having more frequent and more in-depth penetration testing. One suggestion for more in-depth penetration testing is including social engineering aspects into the penetration testing methodology. The frequency of having at least one annual penetration test has not been changed in Draft 3.0. But it will be required to develop and follow an industry-accepted penetration testing methodology beginning in July 2015.
Draft 3.0 now includes supplementary guidance under a business-as-usual (BAU) section. These are activities that organizations should consider to include in their overall information security program to enhance their security posture and information security processes as they relate to the cardholder environment.
In Summary
Changes in Draft 3.0 are intended to address the current trends and security issues in the PCI industry. Credit cards continue to be the target of criminals for financial gain, even more than ever before. With Draft 3.0, organizations responsible for the security of credit card data are given more guidance and more direction. But with that additional guidance and direction, organizations are tasked with doing more than ever before. The challenge for organizations today is not simply meeting compliance requirements but addressing the real security issues that impact cardholder data today.
The final version of PCI DSS v3.0 is planned for release on November 7, 2013.
About the Author
Eric Sampson is a Senior Associate and QSA Lead at BrightLine where he is responsible for PCI validation, EI3PA, SSAE 16 and SOC engagements primarily in the western United States. Eric has specialized in performing security and privacy assessments against industry and regulatory standards such as ISO 17799, HIPAA, GLBA, PCI DSS, and US federal and state and international privacy laws. Eric also specialized in penetration tests and vulnerability scans. Eric also has experience performing Sarbanes-Oxley (SOX) related assessments. Eric has performed many professional services engagements for Fortune 100 and Fortune 500 clients in industries ranging from cloud service providers, technology, and communications, to financial services, health care, and information services.