
Forthcoming PCI changes will bring challenges for payment card network community

PCI DSS v3, expected in November, is likely to include changes affecting remote access to networks that handle or store payment cards, says SSH Communications Security CEO Tatu Ylonen

By , Network World
October 01, 2013 02:08 PM ET
Tatu Ylonen

Network World - Organizations that use SSH keys for secure access to servers should be aware that they may soon need to change how they manage any of their networks involved in payment-card processing, according to Tatu Ylonen, CEO of SSH Communications Security.

That’s because the next version of the Payment Card Industry (PCI) standard, PCI DSS v3, due to be published in early November, is expected to include new guidance on authentication and remote access to any network segment that processes or stores payment cards, and that guidance could affect the use of Secure Shell (SSH) cryptographic technology, Ylonen says.

“Key access clearly can be used in a PCI environment,” Ylonen notes. “But key access across from a boundary forces problems.” Any organization storing or processing payment cards must follow the PCI standard’s network security requirements.

SSH keys are often used for automated machine-to-machine security, and SSH keys grant access with a password, Ylonen notes. Boundaries for PCI networks define the segments in which card storage or processing takes place — often called the PCI network “scope” — and those segments must conform to the requirements of the PCI Data Security Standard (DSS) published by the PCI Security Standards Council.

Ylonen says he is encouraging systems administrators — the individuals usually responsible for setting up SSH key management on enterprise networks — to start discussing the upcoming PCI DSS v3 standard with the people in their organization most responsible for ensuring PCI compliance, such as chief security officers, CIOs or internal auditors. From what he has seen of the draft PCI DSS v3 standard, Ylonen says, “the rules themselves are good but guidance is vague.”

Ylonen says any enterprise using SSH must know exactly how SSH has been deployed. In large organizations, use of SSH keys has sometimes not been managed adequately and has sprawled, he acknowledges. Some large financial institutions, for example, have more than 1.5 million authorized SSH keys, but sometimes “80% to 90% are just forgotten,” he points out.
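As an added illustration of the key-sprawl problem described above (this is not code from the article or from SSH Communications Security), the following Python inventories the entries of an OpenSSH authorized_keys file and flags the ones a PCI-scope review would question: keys not pinned to a source host with from=, keys not limited to a forced command, keys with no owner comment, and the same key listed twice. The sample file and the key bodies in it are constructed for the example and contain no real key material.

```python
import base64
import hashlib
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp*, sk-*@openssh.com
def _take(s, stop):
    """Return (field, rest): the field ends at the first char outside double quotes for which stop(c) is true."""
    quoted, i = False, 0
    while i < len(s) and (quoted or not stop(s[i])):
        quoted ^= s[i] == '"'
        i += 2 if quoted and s[i] == "\\" else 1  # a backslash inside quotes escapes the next character
    return s[:i], s[i + 1:].lstrip()

def parse_authorized_keys(text):
    """One dict per key line: line number, key type, option keywords, SHA256 fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, (ktype, rest) = "", _take(line, str.isspace)
        if not ktype.startswith(KEY_TYPE_PREFIXES):  # first field was the options list; key type follows
            options, (ktype, rest) = ktype, _take(rest, str.isspace)
        body, comment = _take(rest, str.isspace)
        if not ktype.startswith(KEY_TYPE_PREFIXES) or not body:
            continue  # not a key line we can interpret
        names = []
        while options:  # split option keywords only at commas outside quoted values
            opt, options = _take(options, lambda c: c == ",")
            names.append(opt.split("=", 1)[0].lower())
        digest = hashlib.sha256(base64.b64decode(body)).digest()  # the digest OpenSSH fingerprints use
        entries.append({"line": lineno, "type": ktype, "options": names, "comment": comment,
                        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")})
    return entries
def audit(entries):
    """Findings a PCI-scope review would raise: no source pinning, no forced command, no owner, duplicates."""
    findings, seen = [], {}
    for e in entries:
        checks = (("from" in e["options"], "no from= option: accepted from any source host"),
                  ("command" in e["options"], "no command= option: grants a full shell, not one job"),
                  (bool(e["comment"]), "no comment: owner and purpose unknown"),
                  (e["fingerprint"] not in seen, f"duplicate of line {seen.get(e['fingerprint'])}"))
        findings += [(e["line"], msg) for ok, msg in checks if not ok]
        seen.setdefault(e["fingerprint"], e["line"])
    return findings

_blob = lambda label: base64.b64encode(f"stand-in key: {label}".encode()).decode()  # constructed, not real key material
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample: a pinned batch key, then a user key listed twice
    f'from="10.0.5.12",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {_blob("backup")} backup@batch01',
    f"ssh-rsa {_blob('jsmith')} jsmith@laptop-2009",
    f"no-port-forwarding ssh-rsa {_blob('jsmith')}",
])
```

Running `audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS))` reports nothing for the pinned backup key and six findings for the two copies of the user key; the same functions can be pointed at the concatenated authorized_keys files of every host inside the PCI scope to build the inventory Ylonen is asking for.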

Ylonen has embarked in recent weeks on a vigorous campaign to convince the PCI Security Standards Council to tweak the upcoming PCI DSS v3 standard so that it clarifies machine-to-machine use of SSH and the PCI “scope” boundary question as it relates to SSH.

Ylonen has come out strong on this in the last few weeks in a last-minute push, says Troy Leach, CTO at the council. 

Bob Russo, the council’s general manager, notes that Ylonen publicly discussed his concerns at the council’s recent PCI conference and has also met privately with council members. The draft PCI DSS v3 standard is still subject to change before its expected issuance on Nov. 7, and the council is still “tweaking” it, Russo says. More input is expected over the coming weeks from businesses and vendors in Europe and Asia as well.
