PCI 3.0: What You Need to Know
What requirements changed from PCI 2.0, and why?
The PCI DSS was updated for the fourth time (1.0, 1.2, 2.0, 3.0) in November 2013. As always, the changes the PCI Council made address the latest vulnerabilities and include additional clarification and new guidance.
While we won’t cover every single nitty-gritty aspect that changed from 2.0 to 3.0 (like all the clarifications), we are covering the most important changes affecting the majority of merchants.
The newest Payment Card Industry Data Security Standard (PCI DSS) officially goes into effect on January 1, 2015. With the introduction of PCI DSS version 3.0, many merchants want to know how it will affect their business. Here are answers to a few commonly asked questions.
Requirement 0 – PCI Intro
The introduction section probably holds the biggest change for PCI 3.0. Web redirection systems are now defined as system components, which means they’re now part of scope for PCI DSS.
The principal of redirection is when a website points users to a third party that collects and processes all card data. Another form of redirection is client side redirection, in which a customer types card data into a web form generated by the merchant, and is then sent directly to a third party. Either way, card data will not pass through the original website.
In the past, these forms of redirection were validated using SAQ A, but new emphasis in PCI DSS 3.0 changes that.
This new direction will affect many merchants who were previously completing an SAQ A and now must move to an SAQ A-EP, which is significantly longer and includes things such as external vulnerability scans and penetration testing. The reason behind this requirement change? If a hacker is able to manipulate redirection code, he could direct your customers to a fake payments page that looks identical to the one you had originally outsourced.
Attacker directing customers to a fake payments page (i.e., man-in-the-middle attack)
A cardholder data flow diagram should show how cardholder data enters your network, the systems it touches as it flows through your network, and any point it may leave your network (e.g., sent to a payment processor). You’ll want to maintain a diagram for each card flow that exists. Most businesses will have just one flow, but you might also have an additional flow if your website processes payment cards.
Physically creating a document that explains the processes will help you better understand where card data lives on your network.
This requirement involves a document that lists all in scope device types and their function (e.g., POS systems, computers). This inventory list is also a great place to document software/firmware versions. If you’re feeling a little daunted by this task, interviewing department heads is a great place to start.
In addition to GSM (cellular) connections and wireless Internet, it is now required that any communication that includes cardholder data sent over satellite should be encrypted. Depending on your business, this may not have much impact.
There is many large retail chain clients (e.g., gas stations, hospitality, restaurant chains). Many of these chains use satellite communications between chains and even as a backup connection. According to the PCI Council, it’s no longer good enough to rely on the link provider’s system security. It’s your responsibility to keep this data secure.
For systems not commonly affected by viruses and don’t have anti-virus software installed, you are required to implement and document a new process that shows you periodically evaluate these systems against emerging threats.
The point of Requirement 5.1.2 is to acknowledge hackers invent new ways to hack into systems every day. It requires merchants to research and pay attention to security notices from PCI vendors. If a new attack method is deemed a threat to your system, evaluate if the threat requires anti-virus.
This requirement states that anti-virus can’t be altered without managerial approval. Often, anti-virus needs to be turned off to do system maintenance. During maintenance, who knows what could slip past your unguarded system.
Our advice is, if you are updating an application that requires disabling an anti-virus, don’t. Instead, take that system off the network or cut off its Internet connectivity for that period. As a side note, it’s not OK for system admins to just give all users admin access to get around the requirement. That’s missing the point entirely.
Any custom software application for a cardholder environment (whether in-house or commissioned by a third party developer) is under your jurisdiction. It’s ok to outsource your software development, but it’s not OK to outsource your responsibility to ensure secure development practices are followed. If you’re planning to use the application, remember that it’ll be part of your PCI assessment…not your third party’s.
This requirement to protect against broken authentication was added to fix common application vulnerabilities. You should create/add/adjust your application code to mitigate any exposure to vulnerabilities. This can be done through not exposing session IDs in URLs, using secure cookies, and enforcing appropriate session timeouts.
You’re required to have a role-based access control system. That means access to card data and systems should only be granted on a need-to-know basis. PCI 3.0 requires a defined list of the roles that have access to the card data environment.
On this list, you should include each role, definition of each role, access to data resources, privilege level, and what privilege level is necessary for each person to perform normal business responsibilities. Users must fit into one of the roles you outline.
Organizations are now required to not just document, but also train their users on how to implement password policies. This training should include guidance on how to select a strong password, how to secure it, and instructions not to reuse it.
It’s also crucial that you communicate password policy to your users. This will help them understand how to change their passwords and also not to use the same password between work and home.
This new requirement is targeted specifically towards service providers who have remote access into a customer environment. This is common practice with vendors who do remote support or software training.
Any service provider with access to multiple customer systems is now required to maintain unique credentials for each customer environment. The PCI Council knows this requirement in particular will take some time to change, so they’ve given until July 2015 before this is officially required.
The use of alternative authentication mechanisms (e.g., logical tokens, smart cards, certificates) must be tied to an individual user account and not shared among user accounts. To ensure this is met, every merchant must implement a control to enforce those authentication methods can only be used by the intended user (e.g., requiring a PIN, password, or biometric scan in addition to the token to validate the person is authorized).
This requirement is all about controlling employee access to sensitive areas, which must be related to an individual’s job function. To meet this requirement, I suggest documenting exactly who has access to these environments and their business need. Access must be kept up to date, especially when individuals are terminated or their job role changes.
This is a huge addition to the PCI standards. Organizations that use point of sale systems,PIN pads, mobile devices etc., are required to do three new things:
- Maintain an up-to-date list of all devices (9.9.1) including physical location, serial numbers, make/model.
- Periodically inspect devices (9.9.2). That means looking at device surfaces to make sure they haven’t been tampered with, making sure the serial numbers match, checking that seals haven’t been broken, etc. This could be a very large task depending on the size of your organization. Whether you inspect devices every day or month is based on how at risk you are of tampering (e.g., publically accessible 24/7 gas station terminals vs. a behind-the-counter card swipe device). Make sure you document what you find.
- Provide staff awareness training (9.9.3) for staff that interact with card present devices on a day to day basis (e.g., cashiers), and record the who, what, and when for future reference. Ideally, the training will help staff detect any suspicious activity around a payment device. Training should include how to report suspicious behavior and what to do when third parties claim they need to work on the system. For example, rather than assuming IT came in last night to install a new device on the side of her terminal, an employee should question if its supposed to be there and notify appropriate persons.
Depending on its size and complexity, this requirement could have a large impact on your environment. In addition to the logging requirements in 10.6.1, you’re now required to review logs of all other system components periodically, based on your policies and risk management strategy.
Lots of different systems in your environment may impact your payment security. As part of your annual risk assessment, you need to identify systems that pose risk and define a process to periodically look at their logs to determine suspicious activity.
Maintaining a complete list of authorized wireless access points will require extra documentation, especially in large environments. This list should include a documented business justification for each wireless access point.
It’s difficult to determine which wireless devices to remove if you don’t have an accurate list of them to begin with. That’s why the PCI Council requires you create a total list. If you’re a small ecommerce provider and all your systems fit into a single rack in your data center, this requirement should be pretty easy. If you’re a widespread organization, it will take a bit more time.
The rewrite of section 11.3 is intended to provide additional guidance to both merchants and penetration testing organizations on penetration testing’s intended coverage.
The rewrite of section 11.3 is intended to provide additional guidance to both merchants and penetration testing organizations on penetration testing’s intended coverage.
Penetration testing organizations are now required to have documented and standardized testing methodologies that meet industry accepted standards, such as NIST 800.115. In addition, guidance is provided on how best to scope the penetration test and identify critical systems.
A penetration test Special Interest Group has been organized by the PCI Council to help merchants and penetration test organizations best interpret this new set of requirements. Results from this SIG group are expected near the end of 2014.
The PCI Council knows this requirement in particular will take some time to change, so they’ve given until July 2015 before the changes in the penetration testing requirement become official. However, this doesn’t mean you can wait to receive a penetration test until July 2015. The guidance provided in PCI DSS 2.0 for penetration testing is still valid until then.
Not only should merchants maintain a list of a third party service providers, but now they must maintain a list of all PCI requirements their service provider meets, and a list of PCI requirements they’re required to meet.
In conjunction with Requirement 12.8.5, service providers are now required to provide written documentation to all customers stating which PCI requirements they cover on their behalf. These two requirements attempt to avoid past miscommunication problems between service providers and merchants.
Overall, PCI DSS 3.0 focuses on detecting, rather than reacting to, security vulnerabilities. With improved aspects like documentation and system monitoring, 3.0 will increase proficiency among merchants, service providers, and PCI vendors alike.
10 Commonly Asked Questions
The new SAQ-A EP form is designed for eCommerce merchants using client side redirection.
1. Why is there a new standard?
As always, new security guidance addresses the latest vulnerabilities affecting today’s merchants and also includes additional clarification. Three main reasons contributed to this updated security standard:
- Additional guidance: New guidance sections provide layman’s explanations of why standards are important and how noncompliance may put your business at increased risk.
- Evolving requirements: As technology, threats, and security risks change, the PCI DSS must adapt to the changing environment. PCI DSS 3.0 has evolved to not only address emerging threats, but also new technology like EMV, P2PE, and mobile payments.
2. Who does this affect?
The transition from PCI 2.0 to PCI 3.0 will affect everyone governed by PCI. If you store, process, or transmit payment card information, this change affects you.
3. When is the PCI DSS 3.0 deadline?
January 1, 2014 was PCI 3.0’s effective date. However, PCI DSS 2.0 compliant merchants have until January 1, 2015 to transition to the new standard. Some changes will continue to be best practices until June 1, 2015 (see question 8).
This means merchants do not need to revalidate until their compliance expires. For example, if your annual validation occurs in November 2014, you technically don’t need to validate compliance to 3.0 until November 2015. However, you are required to be compliant with the new standard starting January 1, 2015.
4. What does PCI DSS 3.0 mean for my business?
If you follow PCI 3.0 requirements, you will eliminate the majority of your business risk to compromise. PCI DSS 3.0 focuses on detecting, rather than reacting to, security vulnerabilities. But the standard only works if merchants comply. The best thing merchants can do now is review their compliance status. If you have a passing grade, great! Now it’s time to review PCI 3.0 requirements to make sure you will be in compliance once January 1, 2015 hits. If you have a failing grade, PCI 3.0 is a great time to reevaluate your security and begin securing your business.
5. What will happen on January 1, 2015?
If you haven’t complied with PCI 3.0 by January 1, 2015, you will technically be in violation of PCI DSS. If you are compromised, you may face heavy fines due to your noncompliance.
6. What is the biggest change for ecommerce merchants?
If you are an ecommerce merchant, the biggest change for you will be the new SAQ A-EP. Originally, ecommerce merchants were validated using SAQ A but many of those merchants must now move to a SAQ A-EP, which includes more requirements. Learn which ecommerce methods qualify for SAQ A-EP.
7. What new documentation does PCI DSS 3.0 require?
Documentation is a key theme of PCI 3.0. For example:
- 1.1.3 requires a cardholder data flow diagram that shows how cardholder data enters your network.
2.4 involves the creation of an inventory list of all your in-scope device types and their function (e.g.,
- POS systems, computers).
- 9.9.1 requires an up-to-date list of all devices, including physical location, serial numbers and make/model.
- 11.1.1 involves maintaining a complete list of authorized wireless access points and the justification for each.
- 12.8.5 requires a list of all third party service providers in use, a list of all PCI requirements the service providers meet, and a list of PCI requirements the merchant is required to meet
8. What are the new ‘best practice’ requirements?
The PCI Council knows some requirements will take more time for merchants to apply. There are six requirements considered ‘best practice’ until they are officially required on June 2015. They are:
- 6.5.6: Insecure handling of PAN and SAD in memory
- 6.5.11: Broken authentication and session management
- 8.5.1: Unique authentication credentials for service providers with access to customer environments
- 9.9: Protecting of point-of-sale devices from tampering
- 11.3: Developing and implementing a methodology for penetration testing
- 12.9: Additional requirement for service providers on data security
9. How can I ensure compliance with PCI DSS 3.0?
The only way to ensure lasting compliance with the PCI DSS 3.0 is to make data security part of your company culture. According to Bob Russo, GM of the PCI Security Standards Council, PCI 3.0 is “about making PCI compliance part of your business, not a once-a-year, study-for-the-test kind of thing.” The new standard helps you implement security controls without disrupting your day-to-day processes—allowing you to focus on your business while maintaining appropriate data protection.
10. What is ASV’s are doing to help me with PCI DSS 3.0?
To simplify the transition, Your ASV will update its SAQs, customer interface, and PCI scoping wizard on January 1, 2015. As part of the PCI 3.0 SAQ, select standards will be written in easy-to-understand language for the ease of the user. Because PCI 3.0 introduces more SAQs, your ASV will offer combination SAQs when more than one SAQ applies.