Sage Advice - Cybersecurity Blog

Five Facts Every Organization Should Know about PCI v3.0

creditcards-1The sheer volume of transactions makes the payment card channel an attractive target for cybercriminals. Between 2008 and 2012, $127 billion dollars’ worth of credit, debit, and prepaid card transactions were effected.

According to the Federal Trade Commission, the percentage of Americans who have been victims of credit card fraud is 10%, and 7% have been debit card fraud victims. While the median amount of fraud is $399, actual consumer liability is limited by federal law.  The balance of the loss is borne by the merchant, credit card processor, and issuing bank.

To counter the potential for staggering losses, payment card brands such as VISA, MasterCard, American Express, and Discover contractually require all organizations that store, process, or transmit cardholder data and/or sensitive authentication data to comply with the Payment Card Industry Data Security Standard commonly referred to as PCI. Simply put, by accepting credit or debit card payments, your organization has agreed to be PCI Compliant. The PCI framework includes stipulations regarding storage, transmission, and processing of payment card data, six core principles, twelve categories of required technical and operational security controls, testing requirements, and a certification process. Entities are required to validate their compliance. The number of transactions, the type of business, and the type of transactions determine specific validation requirements.

In November 2013, the PCI Security Standards Council published PCI DSS Version 3.0 (PCI v3.0). The new version introduces additional requirements, modifies some of the current standards, clarifies service provider responsibilities, and most importantly, adopts a risk based “business as usual” approach to information security. Version 3.0 is designed to accommodate the various environments
where cardholder data is processed, stored, or transmitted—such as e-commerce, mobile
acceptance, or cloud computing. Version 3.0 also recognizes that security is a shared responsibility and addresses the obligations of each business partner in the transaction chain.

Here are Five Facts every business should know about PCI DSS V3.0

Fact 1: The New Compliance Model Is “Business-As-Usual”

Version 3.0 emphasizes that compliance is not a point-in-time determination but rather an ongoing process. Business-as-usual is defined as the inclusion of PCI controls as part of an overall risk-based security strategy that is managed and monitored by the organization. According to the PCI Standards Council, a business-as-usual approach “enables an entity to monitor the effectiveness of security controls on an ongoing basis, and maintain its PCI DSS-compliant environment in between PCI DSS assessments.” This means that organizations must monitor required controls to ensure they are operating effectively, respond quickly to control failures, incorporate PCI compliance impact assessments into the change management process, and conduct periodic reviews to confirm that PCI requirements continue to be in place and that personnel are following secure processes.

This approach mirrors best practices and reflects the reality that the majority of significant card breaches have occurred at organizations that were either self-or independently certified as PCI compliant.

Fact 2: Isolating Cardholder Data Is Recommended

PCI requirements apply to the cardholder data environment. The cardholder data environment is defined as the people, processes, and technology that handle cardholder data or sensitive authentication data. Eliminating the collection and storage of unnecessary data, restricting cardholder data to as few locations as possible, and isolating the cardholder data environment from the rest of the corporate network are strongly recommended. Physically or logically segmenting the cardholder data environment reduces the PCI scope, which in turn reduces cost, complexity, and risk. Without segmentation, the entire network must be PCI compliant. This can be
burdensome, as the PCI-required controls may not be applicable to other parts of the network. A large scope can also be costly for organizations that are required to hire a Qualified Security Assessor (QSA).

Concurrent with this recommendation is the requirement to maintain a current diagram that shows cardholder data flows and an inventory of in-scope system components. Doing so ensures that your organization has properly identified the information and systems that must be protected.

Fact 3: You Can’t Outsource Compliance Obligations

An organization may use a third-party service provider to store, process, or transmit cardholder data on its behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. Utilizing a third-party, however, does not relieve an organization of its PCI-compliance obligation. Unless the third-party service provider can demonstrate or provide evidence of PCI compliance, the service provider environment is considered to be an extension of the organization’s cardholder data environment, and is therefore in scope.

Service providers do, however, have the option of undergoing their own assessment and then providing evidence to their customers. Requirement 12.9 requires that “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

If your organization is using service providers – be sure to choose ones that are PCI compliant and to require written evidence. Put the request for evidence on your annual calendar: requirement 12.9 requires organizations to monitor service provider PCI DSS status.

Fact 4: Focus on Malware Controls

Malware is a general term used to describe any kind of software or code specifically designed to exploit or disrupt a system or device, or the data it contains, without consent. Malware is one of the most vicious tools in the cybercriminal arsenal. PCI Requirement 5 has been updated to recognize this threat. The requirement includes:

  • Selecting an anti-virus/anti-malware solution commensurate with the level of protection required.
  • Selecting an anti-virus/anti-malware solution that has the capacity to perform periodic scans and generate audit logs.
  • Deploying the anti-virus/anti-malware solution on all applicable in-scope systems and devices.
  • Ensuring that anti-virus/anti-malware solutions are kept current.
  • Ensuring that anti-virus/anti-malware solutions cannot be disabled or modified without management authorization.
  • Publishing anti-malware security policies and related operational procedures.
  • Training for all personnel on the implications of malware, disruption of the distribution channel, and incident reporting.

In addition, there is an expectation is that organizations will stay abreast of malware trends and exploits as well as monitor for evidence of malware intrusions.

Fact 5: Daily Log Review Is Required

It is not unusual for a breach to go undetected for days, weeks, or even months. PCI Version 3 requires a daily analysis of security event logs in order to detect suspicious events, anomalous activities, or potential indicators of compromise. 10.6.1 requires a process for reviewing specific logs daily, and 10.6.3 requires investigation exceptions and anomalies identified during the log-review process.

PCI 3.0 requires that the following logs be reviewed on a daily basis:

  • Logs of all system components that store, process, or transmit cardholder data, or that could impact the security of cardholder data.
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) in the cardholder environment.

Logs must be retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Organizations that are currently considered to be PCI compliant have until January 1, 2015, to move to the new standard, and some of the changes will not take effect until July of 2015. There are a number of new requirements that may take time to implement. Don’t wait. Become familiar with the new standards are soon as possible. For organizations new to the payment card channel, the new standards take effect January 1, 2014.

UPDATE: PCI DSS 3.2 was released on April 2016.  Learn what the new regulations call for in our post, Continuous PCI Compliance is Here.


Are Your Service Providers Cyber Secure?

Proper oversight of your third-party service providers is an essential element of your cyber resilience strategy. Tyler Cybersecurity’s Service Provider Cybersecurity Assessment Program supports the management of all your third-party service providers. Our specialized approach helps you create the most efficient review process - saving you time while ensuring compliance.

Learn More

Topics: Compliance, PCI

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More