What the New PCI Requirements Mean for Your Company
February 1, 2018.
That was the day the new Payment Card Industry Data Security Standard (PCI DSS) requirements officially went into effect. They were introduced in PCI DSS version 3.2 (released April 2016) as best practices and became mandatory on that date.
This is significant, because the PCI DSS applies to every organisation that stores, processes or transmits cardholder data. Some of the new requirements apply only to service providers; others apply to merchants and service providers alike.
With non-compliance fines (levied by the card brands through your acquiring bank, not by the PCI Security Standards Council itself) reported to range from $6,400 AUD on the low end to $640,475 AUD on the high end, you’ll want to ensure that your organisation is fully on board.
Here are the new requirements and the actions you need to take to be compliant.
Requirement 6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
In practice this means your change management process must include a step, after every significant change, that verifies all applicable PCI DSS requirements have been applied to the new or changed components (for example, that logging, patching, anti-malware and access controls are in place) and that network diagrams, data-flow diagrams and system inventories have been updated. As new security threats inevitably arise, you must also alter your security policies accordingly to mitigate your risks.
Some examples of significant changes include:
- Installing new system components
- Modifying a firewall
- Upgrading products and/or operating systems
- Adding new sub-networks
- Adding new web servers
Requirement 8.3.1: Incorporate multi-factor authentication for all non-console access into the cardholder data environment (CDE) for personnel with administrative access.
Multi-factor authentication grants access only after the user presents two or more independent factors (something you know, such as a password; something you have, such as a hardware token or authenticator app; something you are, such as a fingerprint), so a stolen or shared administrator password alone is no longer enough to reach the CDE.
This matters because insiders are reported to account for around 60 percent of cyber attacks. A breach is more likely to involve a credential belonging to someone you know and trust than the outside criminal you see in films.
What makes MFA effective is not the number of steps but the independence of the factors: compromising one factor must not reveal another, and the system should not indicate which factor failed until all factors have been submitted. This requirement complements PCI DSS requirement 8.3.2, which already mandated MFA for all remote network access originating from outside the entity’s network; 8.3.1 closes the remaining gap by covering administrators who reach the CDE from inside the network.
Note that the PCI DSS allows MFA to be applied either at the network level (on entry to the CDE network) or at the system/application level (on each CDE component); it doesn’t have to be both. Console access, meaning a directly attached keyboard and display, is outside the scope of this requirement.
Requirement 3.5.1 (service providers only): Maintain a documented description of the cryptographic architecture.
The term “cryptographic architecture” refers to how cardholder data is protected with cryptography: the algorithms, protocols and key lengths in use, a description of each key (its purpose, strength and expiry date), and an inventory of the hardware security modules (HSMs) or other secure cryptographic devices used for key management. The document describes the keys; it must never contain the key material itself.
Service providers must produce a document covering all of these details and keep it current as algorithms and keys change.
The main reason for this requirement is that the PCI Security Standards Council found that some organisations were failing to use proper cryptographic solutions and processes, which was leaving sensitive cardholder information vulnerable. An organisation that cannot describe its own cryptography cannot show that it is adequate.
Note that this requirement applies only to service providers that store cardholder data.
Requirement 10.8 (service providers only): Implement a process for the timely detection and reporting of failures of critical security control systems.
This specifically addresses:
- Intrusion detection systems (IDS) and/or intrusion prevention systems (IPS)
- File integrity monitoring (FIM)
- Physical and logical access controls
- Audit logging mechanisms
Service providers must implement processes (typically alerting plus an incident response procedure) so that A) a failure of any of these controls is detected promptly, for example an IDS sensor that stops sending events or a FIM agent that stops reporting, and B) the failure is escalated and resolved. The quicker they react, the better the chances are of containing a threat and protecting cardholder data, because an attacker who disables logging or the IDS first can otherwise operate unnoticed.
Requirement 10.8.1 (service providers only): Respond to failures of any critical security controls in a timely manner.
This requirement mandates that you have processes in place for responding to a failure of a critical security control, and that the response include:
- Promptly restoring security functions
- Identifying and documenting the duration of the failure (when it began and when it ended)
- Finding the root cause of the issue and documenting the remedial action that was taken to address it
- Identifying and addressing any security issues that arose during the failure
- Performing a risk assessment so that you know if further actions are necessary
- Taking steps to ensure that the issue doesn’t happen again
- Resuming security control monitoring
The bottom line here is that your organisation’s incident response policy must be updated to include the procedures that will be taken should a critical security control fail. This way everyone within your organisation will know how to react and what their job is.
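The two requirements above (detecting a control failure, then documenting when it began and ended) can be partly automated from the controls’ own heartbeats. The following is an added example and not code from the original article; it assumes a hypothetical heartbeat log in which each critical control writes one line per minute in the format “<ISO 8601 UTC timestamp> <control name> <status> [detail]”, and treats either a non-OK status or silence longer than a tolerated number of intervals as a failure. The sample log is constructed for the example.

```python
"""Detect failures of a critical security control from its heartbeat log.

Added example, not code from the original article. A control such as a FIM
agent, IDS sensor or audit-log shipper is assumed (hypothetically) to emit a
status line every minute: "<ISO 8601 UTC> <control> <status> [detail]".
A status other than OK, or silence for longer than a tolerated number of
intervals, counts as a control failure. Each failure is returned with its
start, end (None if still ongoing) and reason so that the duration and root
cause can be documented in the incident record.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample log (not real data): ids-sensor goes silent after 09:02,
# fim-agent reports an error at 09:07, audit-log stops reporting after 09:01.
SAMPLE_LOG = """\
2018-02-01T09:00:00Z fim-agent OK
2018-02-01T09:00:00Z ids-sensor OK
2018-02-01T09:00:00Z audit-log OK
2018-02-01T09:01:00Z fim-agent OK
2018-02-01T09:01:00Z ids-sensor OK
2018-02-01T09:01:00Z audit-log OK
2018-02-01T09:02:00Z fim-agent OK
2018-02-01T09:02:00Z ids-sensor OK
2018-02-01T09:03:00Z fim-agent OK
2018-02-01T09:04:00Z fim-agent OK
2018-02-01T09:05:00Z fim-agent OK
2018-02-01T09:06:00Z fim-agent OK
2018-02-01T09:06:00Z ids-sensor OK
2018-02-01T09:07:00Z fim-agent ERROR disk full
2018-02-01T09:08:00Z fim-agent OK
2018-02-01T09:08:00Z ids-sensor OK
"""


@dataclass(frozen=True)
class Failure:
    control: str
    start: datetime            # first moment the control is considered failed
    end: Optional[datetime]    # None: still failing at the end of the log
    reason: str

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse one heartbeat line into (timestamp, control, status, detail)."""
    ts, control, status, *rest = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, control, status, " ".join(rest)


def detect_failures(log_text: str,
                    interval: timedelta = timedelta(seconds=60),
                    missed_allowed: int = 2) -> list[Failure]:
    """Return every control failure in the log, ordered by start time.

    A control is failed when it reports a non-OK status, or when the gap since
    its last OK heartbeat exceeds missed_allowed * interval. A silent gap is
    dated from one interval after the last good heartbeat.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    if not events:
        return []
    max_gap = interval * missed_allowed
    last_ok: dict[str, datetime] = {}
    ongoing: dict[str, Failure] = {}
    closed: list[Failure] = []

    def open_failure(control: str, start: datetime, reason: str) -> None:
        if control not in ongoing:        # keep the earliest start of a failure
            ongoing[control] = Failure(control, start, None, reason)

    for when, control, status, detail in events:
        if control in last_ok and when - last_ok[control] > max_gap:
            open_failure(control, last_ok[control] + interval, "no heartbeat received")
        if status == "OK":
            if control in ongoing:        # control recovered: record the end time
                f = ongoing.pop(control)
                closed.append(Failure(f.control, f.start, when, f.reason))
            last_ok[control] = when
        else:
            open_failure(control, when, f"{status} {detail}".strip())

    # A control that is silent at the end of the log is still failing right now.
    end_of_log = events[-1][0]
    for control, seen in last_ok.items():
        if end_of_log - seen > max_gap:
            open_failure(control, seen + interval, "no heartbeat received")

    return sorted(closed + list(ongoing.values()), key=lambda f: (f.start, f.control))


def report(failures: list[Failure]) -> list[str]:
    """One line per failure with start, end, duration and reason for the record."""
    lines = []
    for f in failures:
        end = f.end.isoformat() if f.end is not None else "ONGOING"
        dur = f"{int(f.duration.total_seconds() // 60)} min" if f.duration is not None else "n/a"
        lines.append(f"{f.control}: {f.start.isoformat()} -> {end} ({dur}) {f.reason}")
    return lines


if __name__ == "__main__":
    for line in report(detect_failures(SAMPLE_LOG)):
        print(line)
```

Run against the sample log, the detector reports three failures: audit-log silent from 09:02 and still ongoing, ids-sensor silent from 09:03 to 09:06, and fim-agent in error from 09:07 to 09:08 with the reason carried through from the log line. The ongoing case is the important one: a control that has simply gone quiet is exactly the failure a monitoring dashboard that only shows alerts will miss, so the detector treats the absence of a heartbeat as a failure in its own right rather than waiting for an explicit error.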
Requirement 11.3.4.1 (service providers only): If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Penetration testing is an essential part of a proactive security programme and covers web applications, mobile applications, your network and more; the point is to find flaws and vulnerabilities and fix them before criminals exploit them. Segmentation testing is a narrower exercise: the tester starts from every out-of-scope network segment and attempts to reach systems in the CDE, to prove that the segmentation controls (firewall rules, VLAN access lists and so on) genuinely isolate it. If any path into the CDE is found, the segments it came from are in scope for the full PCI DSS.
Requirement 11.3 already mandates annual penetration testing and annual segmentation testing for every entity; this requirement tightens the segmentation test for service providers to at least once every six months and after any change to the segmentation controls or methods (not only “significant” changes). In other words, there is a fixed minimum frequency at which segmentation testing must be done.
Requirement 12.4.1 (service providers only): Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: overall accountability for maintaining PCI DSS compliance and defining a charter for a PCI DSS compliance program and communication to executive management.
In layman’s terms, responsibility for compliance rests with executive management. It’s also clear that a service provider is not to treat compliance as a one-off exercise but as a process woven into the fabric of its operations.
A compliance charter serves as written evidence that protecting cardholder data is something the service provider takes seriously and that it will continuously work toward improving security.
Requirement 12.11 (service providers only): Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
The PCI DSS specifies that the reviews must cover five particular policies/procedures:
- Daily log reviews (e.g. network activity)
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Security alert response
- Change management processes
This one is pretty straightforward and is designed to ensure that service providers are doing their part to reduce the risk of a data breach. Performing reviews at least quarterly is important for ensuring continuity and that team members remain diligent in their efforts.
Requirement 12.11.1 (service providers only): Maintain documentation of quarterly review process to include: documenting results of the reviews and review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.
This piggybacks off the previous requirement and simply states that service providers need to document the results of their quarterly reviews and have the personnel assigned responsibility for the PCI DSS compliance program review and sign off on them, so there is an auditable record of who looked and when.
Keeping Your Company Compliant
As you can see, these new PCI requirements are detailed and demanding, so it’s easy to see how some organisations could struggle to meet them and maintain compliance.
It can be quite arduous.
And although companies all around the world have launched full-scale initiatives, many still fail to hit the mark. In fact, the Verizon 2015 PCI Compliance Report found that around 80 percent of companies fail to sustain the security measures they put in place.
Needless to say, this isn’t good and is just asking for trouble. Failing to meet compliance standards can hurt your organisation in two ways.
First, you may incur a penalty, passed on by the card brands through your acquiring bank, which as mentioned earlier can be as high as $640,475 AUD. Second, your odds of suffering a data breach increase significantly. If you’re not taking the preventive steps necessary to thwart an attack, you run a far higher risk of falling prey.
With the average consolidated total cost of a data breach being $2.51 million AUD in 2017 and the average cost of a compromised record being $139 AUD, the financial backlash can be crippling.
One way to meet PCI requirements and maintain compliance is to use PCI DSS compliance consulting services. This is where you get help from a third-party provider who understands the ins and outs of the process and works with you to secure cardholder data against a potential data breach.
They will help you fill in the initial gaps as well as provide you with ongoing services to keep up with future requirements.
If the whole concept of PCI DSS sounds confusing and overwhelming, this is definitely an option to consider.
A New Reality for Businesses
Like it or not, data breaches are something that most organisations now contend with. Those in high-risk industries like healthcare and financial services are especially exposed.
The new PCI requirements are a way to regulate how organisations collect and store cardholder data to better protect consumers and minimise the chances of data breaches taking place. Placing the focus on the service providers helps improve overall detection and enforces response controls with the goal of reducing risk to cardholder data on behalf of their customers.
Although these requirements are by no means convenient, they are something you need to get used to. As the threat of data breaches continues to grow and the sophistication of cyber criminals increases, PCI requirements will evolve as well.
So whether you’re a small business with only a handful of employees or a global corporation with thousands, you need to do everything possible to achieve and maintain compliance. It’s that simple.
What do you feel are the biggest challenges you face in keeping your organisation compliant with PCI requirements? Please let us know: