There's a new version of the Payment Card Industry standard for network security -- PCI 3.0 – out today from the group overseeing its publication, the PCI Security Standards Council.
If your organization accepts or processes payment cards, here's what's new that you need to know:
Demonstrate evidence that the environment scoped as PCI is truly inaccessible to the rest of the network.
— Bob Russo, GM of PCI Security Standards Council
- Implement a method for penetration testing of the network segments used for storing or processing payment cards. This network area is called “PCI scope” in the jargon of PCI standards and compliance testing. According to council general manager Bob Russo, the idea is you have to “demonstrate evidence that the environment scoped as PCI is truly inaccessible to the rest of the network.” He says this is a new requirement because there hasn’t been enough testing of the internal network.
But the council doesn’t plan to have a list of approved penetration-testing products or services for this because it’s assumed that the organization can do this on its own. “This is something new and will require additional work from service providers and merchants,” says Rodolphe Simonetti, managing director of Verizon’s Card Industry Services, about the new PCI requirement. He says the aim of the PCI penetration testing is to “validate scope,” and basically that could be done through White Hat hacking methods to see if it’s possible to break in to a defined PCI network segment. Simonetti also notes that using point-to-point encryption is one way to define network “scope” and Verizon believes P2P encryption will play a larger role in the future, especially in mobile-payments processing.
Troy Leach, CTO at the council
- Physical security considerations related to payment-card data get more attention in PCI 3.0. Troy Leach, CTO at the council, says one new requirement involves “common-sense testing and looking for physical tampering of systems in the retail environment and face-to-face transactions.” This especially pertains to physical point-of-sale systems, where recommendations are expected to be carried out to prevent card data being skimmed off by crooks. This might include things as simple as regularly looking at the point-of-sale device to see if it or connected wires have been tampered with. This goes for smaller as well as larger merchants, Troy points out. He adds that Qualified Security Assessors (QSA) that conduct formal assessments for purposes of PCI compliance can be expected to be asking in the future about what programs are in place to educate personnel about card skimming and fraud.
- Application security is also an area where the council is putting more emphasis in the PCI guidelines. Russo says he’s been dismayed that so many software developers not only haven’t heard of PCI standards but don’t even know about application vulnerabilities spelled out by the Open Web Application Security Project or SANS Institute. But these application flaws are being exploited by attackers to steal payment-card data, he notes. In PCI 3.0, organizations will need to demonstrate that they tested applications for payment cards to withstand well-known security flaws and used industry secure-coding practices. This means verifying the integrity of the source code during the development process, too. Under the PCI rules, vendors with remote access to customer premises for support and maintenance, for example, must use unique authentication credentials for each customer.
- Remote access and authentication overall also sees a few changes and clarifications in comparison to the older PCI 2.0 version of the standard. Service providers have to use unique authentication credentials for each customer if they don’t already. And physical and logical security tokens, smart cards and certificates must also be linked to an individual account and ensure only the intended user can gain access. This could bring about changes for how some networks use administrative access based on SSH encryption, for example.
- Anti-virus protection has long been a requirement under the PCI rules, but in PCI 3.0, the council adds some nuances about fighting malware. Questions have come up when QSAs go into data centers where there’s a mainframe that doesn’t have anti-virus software, for instance, and the question is whether or not the system could be impacted by malware, CTO Leach says. Practical questions about risk management in these cases not only means turning to approaches that are not traditional anti-virus, but using “compensating controls” and simply continuing to “evaluate evolving malware threats for any systems not considered to be commonly affected.”
Russo says that PCI 3.0 takes effect Jan. 1, 2014, but merchants and service providers “still have a year in which to sunset the old version” of the standard. The council, started in 2006 by the card associations including Visa and MasterCard, has more than 650 participating organizations, including merchants, banks, processors and vendors. The council says it got two years of input for PCI 3.0 from about 1,700 attendees at its community meetings around the world.
Some security experts say it’s what they don’t see in the new PCI v. 3.0 standard that jumps out at them, though.
Greg Rosenberg, security engineer at Trustwave, expressed disappointment that PCI 3.0 contains no specific guidance on mobile-payment applications, an area of huge interest to banks and merchants.
“The architecture for mobile devices is different,” says Rosenberg, noting that smartphones and tablets that can be used for card payment processing introduce a new range of products -- and new threats aimed at exploiting them. “How do I extend vulnerability scans against mobile?”
Rosenberg says there is much discussion in the industry now on how to appropriately secure mobile under PCI guidelines, but he’s disappointed the council didn’t take up that topic specifically in PCI 3.0. At most, the industry today looks to “best practices” guidelines the council published over a year ago separately for mobile outside of the PCI standard itself.
Industry needs the council to dig more deeply into the mobility question related to PCI, says Rosenberg, adding the ongoing battles between the card-payment associations and others over mobile payment strategies may be slowing down the ability of the council to be more definitive about mobile security. He thinks there’s a “gap” today and without PCI guidance, the danger is many developers may not take steps for security in mobile payment-card processing.
Asked about mobile, the PCI Council’s Russo and Leach acknowledge PCI 3.0 doesn’t single out mobile for special comment, but say nothing in PCI 3.0 should be thought of as not applying to mobile either.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org