New Payment Security Rules To Hit Channel Heading Into 2014

Service providers who work with merchants to maintain and secure their payment systems will have to provide stronger authentication measures and fully meet the requirements maintained by the payment industry, according to version 3.0 of the Payment Card Industry Data Security Standards.

The standard, unveiled by the PCI Security Standards Council Thursday, prescribes a minimal level of security that merchants must meet to protect cardholder data and is enforced by the individual card brands. In addition to stronger authentication measures, it calls for thorough penetration testing to ensure payment systems are properly segmented and isolated from other systems on the corporate network.

Version 3.0 of PCI DSS takes effect Jan. 1, but merchants have until June 1, 2015, to meet all of the requirements in the revised standard. The goal of the document is to get merchants to think about protecting their payment environments throughout the year, rather than when an annual assessment is due, said Bob Russo, general manager of the PCI SSC. It includes recommended best practices and has clarifications to make validation against all the requirements clearer for assessors, Russo said.

[Related: PCI Security Standards Council Takes On Credit Card Security Threat ]

"Everything we see from the breach reports we're getting leads us to believe that what we're doing with PCI is the right approach," Russo said. "Our message is to make sure that security becomes business as usual for merchants, and if we can get them to focus on that, we're going to see a huge improvement ahead of where we're at right now."

PCI DSS helps educate small and midsize business in the security controls that are needed to protect sensitive data, said Jon Sargent, director of technology architecture at Virginia Beach, Va.-based solution provider Endurance IT Services. Businesses turn to the channel for ways to solve data security, and many of their budgets are allocated based on meeting compliance mandates, Sargent said. Smaller firms need more of a helping hand, he said.

"A lot of small businesses are or should be complying with the standard but they may not be aware of the need for compliance," Sargent told CRN. "Many small businesses are not in compliance and do not understand where their responsibility lies."

PCI DSS is the credit card industry's response to a litany of data security breaches, driven by financially motivated cybercriminals out to steal account credentials, personally identifiable information and credit card data.

Version 3.0 of PCI DSS also changes the layout of the document in an effort to make it easier to track security controls throughout all 12 core requirements. The 12 requirements outline physical access measures, firewall configuration, authentication and access control, encryption, antivirus, application security, system monitoring, logging, and policy setting and enforcement.

NEXT: New Service Provider Requirements, Pen Testing Measures

The standard now requires an annual risk assessment upon significant changes to a cardholder's data environment, said Pat Harbauer, a senior security consultant and PCI expert for Neohapsis, a Chicago-based mobile and cloud security services provider. Organizations also must provide a penetration testing methodology, outlining how an assessment was undertaken. Organizations shouldn't be relying on an automated vulnerability scan to fulfill a pen testing requirement, Harbauer said.

"There still seems to be a lot of confusion around the difference between a vulnerability scan and a pen test," Harbauer told CRN. "There's a manual component to a pen test, and it should be a part of every organization's change management plan."

The standard now clearly delineates that service providers need separate authentication credentials for remote access to clients. The wording was added to the document following several breaches that stemmed from an attack against a third-party service provider that used the same password for remote access to its clients. The attacker gained access to the password, giving them carte blanche to hundreds of customers and, ultimately, an easy way to steal hundreds of thousands of credit cards. The issue highlights the problem of poor password management and is a violation of a basic security safeguards that all businesses should follow, said Troy Leach, chief technology officer of the PCI SSC.

"Security is a shared responsibility not only within your own company but with the partners that you are working with," Leach told CRN. "Our intent with this latest version is to make sure that these merchants are well aware of the fact that just because they outsource this stuff, their responsibility doesn't end."

In addition, the updated document indicates that point-of-sale systems are now within the scope of assessment. A qualified security assessor must ensure the devices are tamper proof and that the data they pull in is properly encrypted. Employees must receive security awareness training, and the systems must be periodically inspected for tampering. The standard also addresses the handling of primary account number and sensitive authentication data in system memory. Processes need to be in place to effectively clear system memory.

In the past, point-of-sale terminal security was implied, said Rodolphe Simonetti, managing director of payment card industry services at Verizon. Simonetti said the PCI council has given merchants a lengthy period of time within which to voice their opinion about the changes. The timeline before merchants must fully meet the requirements also takes into account how long it takes to implement system changes, he said.

"They understand it is not possible to change an IT environment in a couple of weeks or months, so the roll out of this is aligned with reality," Simonetti told CRN.

PUBLISHED NOV. 7, 2013