Compliance Corner: A Look at the Changes in PCI DSS 3.0
With 2015 underway, let’s take a look at some of the new requirements set by the Payment Card Industry (PCI) Security Standards Council in Data Security Standard (DSS) 3.0. While the update from 1.2.1 to 2.0 contained only two new requirements, the change from 2.0 to 3.0 has twenty. This standard officially went into effect January 1, 2014, but for vendors who were compliant with PCI DSS 2.0, their effective date was January 1, 2015, with some of the new requirements not effective until July 1, 2015. Here are three main areas of change to be aware of:
1. Penetration Testing – Req. 11.3 – 4
Requirement 11.3 requires that penetration testing, both internal and external, must now follow an industry-accepted penetration testing methodology, such as NIST SP800-115. This presents a challenge, since many organizations outsource penetration testing to third parties, requiring them to investigate their service providers’ methodologies. Many companies may find that long-standing relationships with their bargain basement service provider may no longer be on par with what the standard now requires. As is the case when dealing with any vendor, organizations must perform their due diligence when choosing who to do business with. Prior to contracting any work, the methodology for the penetration test must be agreed upon, validated, and documented in a statement of work/request for proposal in order to ensure compliance with this standard.
In addition, Requirement 11.4 specifies that if segmentation is used to isolate the cardholder data environment from other networks, penetration testing must be performed to verify that the segmentation methods are indeed operational and effective.
2. Vendor Relationship Management – Req. 12.8.5, 12.9
Requirement 12.8.5 mandates that organizations now document and maintain information about which PCI DSS requirements are managed by third parties, and which are managed in-house. This requirement is a companion to 12.8.4, which is not new, but requires that organizations verify service providers’ compliance status at least annually. While the new requirement is not inherently challenging, it is an extra level of documentation that should not be overlooked. Used in conjunction with 12.8.4, it can serve as an effective way to perform a high-level assessment to identify areas that may have compliance gaps. The main challenge an entity will face will be in having service providers agree to, and commit in writing, precisely where their responsibilities lie. Maintaining explicit and detailed contracts with service providers pertaining to these responsibilities is critical to successful implementation of this requirement.
Additionally, Requirement 12.9 applies to service providers, stating they must agree, in writing, that they are responsible for the cardholder data they possess, store, process, or transmit on behalf of the customer.
3. System Inventory – Req. 2.4
Another challenge organizations are now facing is contained in Requirement 2.4. This requirement states that organizations must maintain an inventory of system components that are in the scope of PCI DSS. System components include network devices, computing devices, and applications. This includes virtual components such as virtual machines, virtual switches/routers, etc. Included within this documentation should be a description mapped to each piece of hardware and software components detailing its function and usage. Depending on the size of the organization, keeping an accurate and up-to-date inventory can be a daunting task. Periodic and proactive review and maintenance of system inventories can alleviate some of the stress associated with this requirement, but it is critical that adequate resources be allocated for this task.
In conclusion, while some of these requirements are only best practices prior to July 1, 2015, it is in an organization’s best interest to take a proactive approach toward implementing the new requirements, since many are not easily completed within a short timeline. Compliance with these requirements is essential to running a secure and prosperous business in the years to come.