Staying on Top of PCI Compliance

April 24, 2017
Compliance, Financial Services, Healthcare, IT Security, Retail

If your organization stores, processes, or transmits payment cardholder data and/or sensitive authentication data, you know attaining and maintaining compliance with the PCI Data Security Standard (PCI DSS) can be difficult. Keeping pace with the frequent updates from the PCI Security Standards Council makes it even tougher. Not staying on top of the changes, however, isn’t an option.

Companies of all sizes and across all industries continue to make the news because of data security breaches. The ever-changing, increasingly sophisticated nature of cyber threats is largely to blame. A lack of payment security awareness and poor implementation and maintenance of the security protocols play roles as well. Frequent updates to the PCI DSS are designed to help organizations and their service providers better understand, implement, and maintain the most up-to-date security best practices.   

Just over a year ago, the Council published its latest version of the data security standard — PCI DSS version 3.2. If you haven’t already checked out what’s included and the relevant dates, here are highlights.

  1. Extended Migration Date for SSL/Early TLS 
    Serious vulnerabilities in Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) drove the PCI Council to remove both from the PCI DSS's examples of strong cryptography. Under PCI DSS 3.1, organizations had until June 30, 2016 to migrate to a secure version of TLS (TLS 1.1 or higher, with TLS 1.2 recommended), causing a great deal of concern for those who depend on other entities that still use SSL. The Council has since extended that deadline to June 30, 2018, and PCI DSS 3.2 folds the extension into a migration appendix (Appendix A2) with action items and frequently asked questions. Two practical points from that appendix: any entity still using SSL/early TLS before the deadline must have a formal risk mitigation and migration plan in place, and POS point-of-interaction (POI) terminals that can be verified as not susceptible to the known exploits may continue to use SSL/early TLS after it.
  2. Display of Primary Account Numbers
    PCI DSS 3.2 tightens the requirement for primary account number (PAN) masking (Requirement 3.3): the first six and last four digits are the maximum that may be displayed, and only roles on a documented list with a legitimate business need may see more than that. This doesn't override any of the stricter requirements already in place for displaying cardholder data, such as legal or payment card brand requirements for point-of-sale (POS) receipts. Note that masking governs display only; PAN that is stored anywhere, including in logs, must still be rendered unreadable under Requirement 3.4 (truncation, tokenization, strong cryptography, or one-way hashing).
  3. Multi-factor Authentication
    Previously, multi-factor authentication (then called two-factor authentication) was only required for remote access originating from outside the network. PCI DSS 3.2 adds Requirement 8.3.1: as of February 1, 2018, all non-console administrative access into the cardholder data environment, including access from inside the corporate network, must use multi-factor authentication. The factors must come from two different categories: something you know (a password or passphrase), something you have (a smart card or hardware token), or something you are (a fingerprint). Two passwords, or a password plus a security question, are two instances of the same factor and do not qualify.
  4. Service Provider Controls
    Many organizations have been compromised through the weak controls of their third-party service providers. PCI DSS 3.2 attempts to remedy that with new requirements that apply to service providers only. They were best practices when the standard was published and become mandatory on February 1, 2018:
    • A process for timely detection and reporting of failures of critical security control systems (Requirement 10.8), such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), file integrity monitoring (FIM), anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls. Service providers must also respond in a timely manner to the failure of any critical security control (Requirement 10.8.1). Processes for responding to failures in security controls must include:
      • Restoring security functions.
      • Identifying and documenting the duration (date and time start to end) of the security failure.
      • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause.
      • Identifying and addressing any security issues that arose during the failure.
      • Performing a risk assessment to determine whether further actions are required because of the security failure.
      • Implementing controls to prevent the cause of the failure from recurring.
      • Resuming monitoring of security controls.
    • Penetration testing on segmentation controls, if segmentation is used, at least every six months and after any changes to segmentation controls/methods.
    • Establishment by service providers’ executive management of responsibility for the protection of cardholder data and for a PCI DSS compliance program (Requirement 12.4.1), including overall accountability for maintaining compliance and a charter for the program that is communicated to executive management.
    • Reviews performed at least quarterly (Requirement 12.11) to confirm that personnel are following security policies and operational procedures. The reviews must cover daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, and change management processes, and the results of each review must be documented and signed off by the personnel responsible for the compliance program (Requirement 12.11.1).
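
The PAN masking rule in item 2 is easy to state and easy to get subtly wrong, so here is an added example (not code from the original post or from the PCI Council) that applies it: a display function that treats first six/last four as the ceiling and defaults to last four only, a role lookup standing in for the "legitimate business need" decision, and, going a step beyond the text, a redactor for PANs that leak into free text such as log lines. The role names, the default policy, the regular expressions and the well-known test card numbers are assumptions made for the example.

```python
"""PAN display masking (PCI DSS 3.2 Requirement 3.3) and log redaction.

Added example; not code from the original post or from PCI SSC. The
first-six/last-four ceiling comes from the standard; the role names, the
last-four-only default and the test PANs are assumptions for illustration.
"""
import re

# Card brands issue PANs of 13 to 19 digits.
PAN_RE = re.compile(r"\d{13,19}")
# Req. 3.3 ceiling: at most the first six and the last four digits on display.
MAX_FIRST, MAX_LAST = 6, 4
# Assumed role policy: who has a legitimate business need to see more.
DISPLAY_POLICY = {
    "customer_service": (0, 4),   # last four only
    "fraud_analyst":    (6, 4),   # issuer BIN plus last four, the ceiling
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: filters typos and random digit runs, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def display_allowed(show_first: int, show_last: int) -> bool:
    """True if a first/last split is within the Req. 3.3 ceiling."""
    return 0 <= show_first <= MAX_FIRST and 0 <= show_last <= MAX_LAST


def mask_pan(pan: str, show_first: int = 0, show_last: int = 4, fill: str = "*") -> str:
    """Return the PAN masked for display, keeping its length so layouts hold."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("not a PAN: expected 13 to 19 digits")
    if not display_allowed(show_first, show_last):
        raise ValueError("Req. 3.3 permits at most the first six and last four")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + fill * hidden + digits[len(digits) - show_last:]


def display_pan(pan: str, role: str) -> str:
    """Mask by role; an unknown role gets the most restrictive view."""
    show_first, show_last = DISPLAY_POLICY.get(role, (0, MAX_LAST))
    return mask_pan(pan, show_first, show_last)


# Candidate 13-19 digit runs, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_text(text: str) -> str:
    """Mask PANs that leak into free text such as log lines or tickets.

    Only Luhn-valid runs are masked, so order numbers of similar length
    usually survive; a Luhn-valid non-PAN is a tolerable false positive.
    """
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(_mask, text)


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"          # well-known Visa test number, not a live card
    print(display_pan(pan, "customer_service"))   # ************1111
    print(display_pan(pan, "fraud_analyst"))      # 411111******1111
    print(redact_text(f"order 12345678 paid with {pan} ok"))
```

Two design choices worth copying: the most permissive view is opt-in per role and capped at the standard's ceiling in code, so a UI change cannot quietly widen it, and the redactor is applied to text that should never contain a PAN at all, because masking on screen does nothing for a PAN that was already written to a log in the clear.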

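The first service provider bullet above asks for timely detection of a failed security control and a record of when the failure started and ended. As an added example, not code from the original post or from the PCI Council, the monitor below shows one way to produce that record from a heartbeat feed: each critical control is expected to report on a schedule, an explicit failure report or a gap longer than a tolerance opens a failure record dated from the last known-good heartbeat, and the control's next healthy report closes it. The feed lines, the control names, the five-minute interval and the two-missed-heartbeat tolerance are all constructed for the example.

```python
"""Detecting and documenting failures of critical security controls.

Added example, not from the original post or PCI SSC: a heartbeat monitor for
the detect/report/document-duration items of PCI DSS 3.2 Req. 10.8/10.8.1.
An explicit 'fail' or heartbeats missing beyond a tolerance opens a failure
record; the next 'ok' closes it. Feed, interval and tolerance are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Failure:
    control: str
    cause: str                      # "reported fail" or "no heartbeat"
    start: datetime                 # first failed report, or last good heartbeat
    end: Optional[datetime] = None  # None while the failure is still open

    def duration(self, now: datetime) -> timedelta:
        return (self.end or now) - self.start


class ControlMonitor:
    def __init__(self, controls: List[str], started_at: datetime,
                 interval: timedelta = timedelta(minutes=5),
                 missed_tolerance: int = 2) -> None:
        self.silence_limit = interval * missed_tolerance
        self.last_seen: Dict[str, datetime] = {c: started_at for c in controls}
        self.open: Dict[str, Failure] = {}   # control -> failure in progress
        self.failures: List[Failure] = []    # full history, for the 10.8.1 write-up

    def _open(self, control: str, cause: str, start: datetime) -> None:
        failure = Failure(control, cause, start)
        self.open[control] = failure
        self.failures.append(failure)

    def check_silence(self, now: datetime) -> None:
        """A control silent for longer than the limit is treated as failed,
        dated from its last heartbeat: we cannot show it worked after that."""
        for control, seen in self.last_seen.items():
            if control not in self.open and now - seen > self.silence_limit:
                self._open(control, "no heartbeat", seen)

    def observe(self, ts: datetime, control: str, status: str) -> None:
        """Consume one heartbeat, then re-evaluate every control at that time."""
        if control not in self.last_seen:
            raise KeyError(f"unknown control {control!r}")
        self.last_seen[control] = ts
        if status == "fail":
            if control not in self.open:
                self._open(control, "reported fail", ts)
        elif status == "ok":
            failure = self.open.pop(control, None)
            if failure is not None:
                failure.end = ts            # restoration time closes the record
        else:
            raise ValueError(f"unknown status {status!r}")
        self.check_silence(ts)

    def report(self, now: datetime) -> List[str]:
        """One line per failure with start, end and duration; open ones flagged."""
        return [f"{f.control}: {f.cause}; start {f.start.isoformat()}; "
                f"end {f.end.isoformat() if f.end else 'OPEN'}; "
                f"duration {f.duration(now)}" for f in self.failures]


def parse_line(line: str):
    ts, control, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), control, status


def run(feed: str, controls: List[str], started_at: datetime,
        now: datetime) -> ControlMonitor:
    monitor = ControlMonitor(controls, started_at)
    for line in feed.splitlines():
        monitor.observe(*parse_line(line))
    monitor.check_silence(now)   # final sweep catches controls still silent now
    return monitor


CONTROLS = ["firewall", "fim", "logging"]
STARTED_AT = datetime(2018, 2, 1, 8, 0, tzinfo=timezone.utc)
NOW = datetime(2018, 2, 1, 8, 30, tzinfo=timezone.utc)
# Constructed feed, "<iso8601> <control> <status>", time-ordered: FIM reports a
# failure at 08:05 and recovers at 08:15; logging goes silent after 08:05.
SAMPLE_FEED = """\
2018-02-01T08:00:00Z firewall ok
2018-02-01T08:00:00Z fim ok
2018-02-01T08:00:00Z logging ok
2018-02-01T08:05:00Z firewall ok
2018-02-01T08:05:00Z fim fail
2018-02-01T08:05:00Z logging ok
2018-02-01T08:15:00Z firewall ok
2018-02-01T08:15:00Z fim ok
2018-02-01T08:20:00Z firewall ok
2018-02-01T08:20:00Z fim ok
2018-02-01T08:30:00Z firewall ok
2018-02-01T08:30:00Z fim ok
"""

if __name__ == "__main__":
    for line in run(SAMPLE_FEED, CONTROLS, STARTED_AT, NOW).report(NOW):
        print(line)
```

On the sample feed this yields two records: FIM, reported failure, 08:05 to 08:15 (10 minutes), and logging, no heartbeat, open since 08:05 (25 minutes at 08:30). The silent-control case is the one worth noting: a logging pipeline that simply stops is a control failure just as much as a firewall that reports an error, and the failure is dated from the last heartbeat rather than the moment of detection, which is the conservative duration to put in the write-up. The record that comes out of `report` covers the "duration" item of the response process; the root cause, risk assessment and preventive controls the other items call for still have to be filled in by people.
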
More Changes in Progress

Since launching PCI DSS 3.2, the Council has kept busy. It published a new version of its device security standard for Hardware Security Modules (HSMs), and a set of payment protection resources for small businesses. In December 2016, it released Guidance for PCI DSS Scoping and Network Segmentation to help organizations work out which of their systems are in scope, that is, where and how payment data is at risk. Earlier in 2017, the Council updated its card production standard and extended it to include protections for mobile payments provisioning. Expect the changes, updates, and new resources to keep coming.

Partner for PCI Compliance

To stay on top of it all, you can always check the newsroom section of the official PCI SSC website. Better yet, partner with a third-party IT solutions provider that already has an in-depth understanding of the PCI DSS, stays current with its latest iterations, and knows how to implement the PCI-specific security controls in the IT services that are integral to your business. US Signal is one of those companies.

US Signal has made extensive investments in creating the PCI-compliant infrastructure that underlies its cloud and colocation solutions, as well as in developing the requisite compliance expertise. The company’s security specialists can also help you meet many of the requirements of other regulatory and industry standards such as HIPAA/HITECH.

To learn more, call 866.2.SIGNAL or email [email protected]