The PCI Security Standards Council released a new set of requirements in November 2013. According to the Council, the changes were designed to “help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.” We at Hostway and SilverSky thought it would be helpful to deep-dive into specifics of the new requirements and discuss what they mean to our customers in the retail industry. Here are the new PCI 3.0 requirements – along with guidance about what each requirement means to you:
New PCI Requirement
5.1.2 – Evaluate evolving malware threats for any systems not considered to be commonly affected
SilverSky Guidance
Certain systems (mainframes, mid-range computers, etc.) were not traditionally affected by malware. However, these systems could potentially be at risk due to evolving malware threats, and you need to perform periodic evaluations in case these systems require protection in the future.
This is unlikely to apply to the average small to mid-size retailer. However, when discussing PCI solutions with Hostway and SilverSky, our experts can help you determine if you have any systems that may be at risk and provide guidance on how to address these risks.
New PCI Requirement
8.2.3 – Combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
SilverSky Guidance
For this requirement, the customer bears the responsibility for setting and enforcing sufficient password policies for their employees. Make sure to require a minimum length of seven characters and include both numeric and alphabetic characters in order to meet minimum requirements.
SilverSky’s E-Security Training course helps promote employee security awareness, including the importance of sufficient passwords. Our web-based course can help you reduce security risk and meet compliance requirements at a much lower price than alternative options.
New PCI Requirement
8.5.1 – For service providers with remote access to customer premises, use unique authentication credentials for each customer
SilverSky Guidance
This requirement was added to the PCI code in response to a data breach incident in which a vendor used one password for all customers. With just this one password, a hacker was able to compromise multiple accounts.
This requirement applies to any service provider with remote access to your on-premise systems (for example, POS companies that have access for support purposes). These third-party service providers are responsible for meeting this requirement, but you should make sure that they are complying with the rule – after all, it’s still your data and reputation at risk.
New PCI Requirement
8.6 – Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure only the intended user can gain access
SilverSky Guidance
Linking authentication mechanisms to individual accounts prevents them from being used by multiple people. This reduces the risk that an unauthorized individual can gain access to critical data via the authentication mechanisms.
Hostway’s partner, SilverSky, provides authentication mechanisms to our PCI Complete customers via Managed VPN and multi-factor authentication. However, it is up to you to ensure that these are assigned to one person only and not shared.
New PCI Requirement
9.3 – Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
SilverSky Guidance
Restrictions on physical access to data are required to limit the chances of unauthorized personnel obtaining sensitive data. This includes monitoring the access levels of authorized personnel as well.
All Hostway’s data centers have physical security safeguards, including controls on facility entry, login access restrictions, CCTV monitoring capabilities, and limits on who can access internal systems and administrative functions.
New PCI Requirement
9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
SilverSky Guidance
Criminals often attempt to steal cardholder data by stealing or manipulating card-reading devices and terminals (aka “skimming”). Because these are physical devices on customer premises, it is the customer’s responsibility to secure them. In order to prevent skimming and ensure compliance, customers should consult this document on skimming prevention provided by the PCI Council.
New PCI Requirement
11.3 and 11.3.4 – Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
SilverSky Guidance
According to the PCI Council, these rules were implemented in response to “requests for more details for penetration tests, and for more stringent scoping verification.”
SilverSky provides internal and external vulnerability scans and file integrity monitoring as part of our PCI Complete solution to cover requirement 11.3. In addition, we can provide penetration testing through our Professional Services team to verify that your segmentation methods are operational and effective.
New PCI Requirement
11.5.1 – Implement a process to respond to any alerts generated by the change-detection mechanism
SilverSky Guidance
File Integrity Monitoring (FIM) solution (included with PCI Complete) detects unauthorized changes to your critical resources and immediately notifies you of suspicious activity. You are responsible for implementing a process to respond to our alerts, but we will prove guidance on how to remedy any security issues that we detect.
New PCI Requirement
12.8.5 – Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
SilverSky Guidance
To meet this requirement, you will need to create documentation to show which PCI requirements are covered by your company, which are covered by SilverSky, and which are covered by other service providers. SilverSky provides you with documentation detailing which PCI requirements we cover to make this process easier.
New PCI Requirement
12.9 – Service providers that store, process, or transmit sensitive data on behalf of the customer must acknowledge their accountability for securing the data in writing to the customer
SilverSky Guidance
SilverSky provides written acknowledgment of our responsibilities to all of our customers. Customers will also need to make sure that they receive similar written acknowledgement from all service providers that handle sensitive data on your behalf.
Did you know:
- Hostway, in conjunction with SilverSky, offers an award-winning Managed Security package (“PCI Complete”) that is tailored specifically to the security and compliance needs of retail organizations?
- Penetration tests (a PCI requirement) are also offered through SilverSky’s Professional Services group?
To learn more about how Hostway and SilverSky can help your organization improve IT security, reduce costs and complexity, and meet PCI compliance, please visit https://www.hostway.com/managed-security/compliance/pci-dss-compliance.html.