On October 31, 2016, PCI DSS v3.1 will be retired and the requirements of PCI DSS v3.2, released in April, will take effect as the new payment data security “best practices” applicable to merchants, financial institutions, and vendors that accept major credit cards, including American Express, MasterCard, and Visa. The amendments are designed to improve payment card security and prevent payment data breaches.
To help ease the transition, the PCI Security Standards Council will allow the industry participants a grace period until January 31, 2018 to implement these amendments. Beginning on February 1, 2018, the amendments will graduate from “best practices” into full-fledged requirements. The changes encompass clarification of the existing security requirements, additional guidance on several topics, and evolving requirements for addressing emerging data security threats.
The PCI Data Security Standard consists of twelve requirements aimed at the following six goals:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The majority of the amendments are in the nature of “additional guidance” or “clarification” and help resolve some of the uncertainty about how to put certain existing requirements into practice. Industry participants should pay particular attention to the “evolving requirements,” which signal substantive changes. The highlights of the “evolving requirements” include:
- Requirement 3 (Protect stored cardholder data).
  - Requirement 3.3: Mask the Permanent Account Number (PAN) when displayed so that the first six and last four digits are the maximum number of digits shown. Only personnel with a legitimate business need should be allowed to see the full PAN.
  - Requirement 3.5.1: New requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes (1) details of all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiry date; (2) a description of the key usage for each key; and (3) an inventory of any HSMs (host security modules) and other SCDs (secure cryptographic devices) used for key management.
- Requirement 6.4.6 (Develop and maintain secure systems and applications). Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
- Requirement 8 (Identify and authenticate access to system components).
  - Requirement 8.3: Use multi-factor authentication for all personnel with non-console administrative access and all personnel with remote access to the CDE (cardholder data environment).
  - Requirement 8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
  - Requirement 8.3.2: Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.
- Requirement 10 (Track and monitor all access to network resources and cardholder data).
  - Requirement 10.8: New requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failures of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls.
  - Requirement 10.8.1: New requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include restoring security functions; identifying and documenting the duration of the security failure, its causes, and any security issues that arose during the failure; performing a risk assessment to determine whether further remedial actions are required; implementing controls to prevent recurrence; and resuming monitoring of security controls.
- Requirement 11 (Regularly test security systems and processes).
  - Requirement 11.3.4.1: New requirement for service providers only: If segmentation is used, perform penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
- Requirement 12 (Maintain a policy that addresses information security for all personnel).
  - Requirement 12.4: New requirement for service providers only: Executive management must ensure that the security policy and procedures clearly establish responsibilities for the protection of cardholder data and a PCI DSS compliance program for all personnel.
  - Requirement 12.11: New requirement for service providers only: Perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures. Reviews must cover the following processes: daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, and change management processes.
  - Requirement 12.11.1: New requirement for service providers only: Maintain documentation of the quarterly review process, including the results of the reviews and the review and sign-off of those results by the personnel assigned responsibility for the PCI DSS compliance program.
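Requirement 3.3 is easy to state and easy to get wrong in practice: a display layer that shows the first eight digits, or that leaves one middle digit visible between two masked groups, exceeds the first-six/last-four ceiling. The following is an added example, written for this note and not taken from the PCI Security Standards Council or any vendor, of a display-masking routine that enforces the ceiling, plus a companion check that tests whether an already-rendered value complies. The 13–19 digit length range and the use of spaces and hyphens as separators are assumptions about typical PAN formatting; the sample numbers are constructed test values, not real cards.

```python
import re

# Ceiling set by PCI DSS Requirement 3.3 for a displayed PAN: at most the first
# six and the last four digits may be visible. Showing fewer is always allowed.
MAX_LEADING = 6
MAX_TRAILING = 4
MASK_CHAR = "*"
SEPARATORS = " -"  # assumption: spaces and hyphens are the only grouping characters


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Return a display form of ``pan`` revealing at most ``leading`` first and
    ``trailing`` last digits; every other digit becomes MASK_CHAR.

    Separators stay in place so the masked value keeps the original grouping.
    Raises ValueError if the input is not a 13-19 digit PAN (assumed range) or
    if the caller asks to reveal more than Requirement 3.3 permits.
    """
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("requested disclosure exceeds the first-six/last-four ceiling")
    digits = "".join(ch for ch in pan if ch not in SEPARATORS)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("input is not a 13-19 digit PAN")
    # Digit positions (counting digits only, not separators) allowed to remain visible.
    keep = set(range(leading)) | set(range(len(digits) - trailing, len(digits)))
    out, pos = [], 0
    for ch in pan:
        if ch in SEPARATORS:
            out.append(ch)
        else:
            out.append(ch if pos in keep else MASK_CHAR)
            pos += 1
    return "".join(out)


def complies_with_3_3(display: str) -> bool:
    """Check an already-rendered value: at most six leading and four trailing
    digits visible, nothing but mask characters in between, and at least one
    masked digit (an unmasked PAN never complies)."""
    body = "".join(ch for ch in display if ch not in SEPARATORS)
    if not body or not all(ch.isdigit() or ch == MASK_CHAR for ch in body):
        return False
    lead = len(body) - len(body.lstrip("0123456789"))
    if lead == len(body):  # no mask character anywhere: the full PAN is shown
        return False
    trail = len(body) - len(body.rstrip("0123456789"))
    middle = body[lead:len(body) - trail]
    return lead <= MAX_LEADING and trail <= MAX_TRAILING and set(middle) == {MASK_CHAR}


if __name__ == "__main__":
    # Constructed sample PANs; the first is a well-known test number.
    for sample in ("4111 1111 1111 1111", "4222222222222", "5555-5555-5555-4444"):
        masked = mask_pan(sample)
        print(f"{sample} -> {masked}  compliant={complies_with_3_3(masked)}")
    # A receipt-style rendering that shows only the last four is also compliant.
    print(mask_pan("4111111111111111", leading=0))
    # A rendering that leaks the first eight digits fails the check.
    print(complies_with_3_3("4111 1111 **** 1111"))
```

Where a screen or report has no business need for the issuer prefix, call `mask_pan` with `leading=0`; the default only marks the upper bound the requirement allows, not what every display should show.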
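Requirements 10.8 and 10.8.1 ask service providers to notice when a critical control has stopped working and to record how long it was down. A control can fail loudly (it reports itself down) or silently (it simply stops reporting), and a detection process has to catch both. The following is an added example, not from the PCI Security Standards Council or any vendor, of that logic run over constructed status lines. The control names, the heartbeat intervals, and the `<ISO-8601 UTC> <control> <UP|DOWN>` line format are all assumptions chosen for the illustration; a real deployment would feed in whatever its monitoring actually emits.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: each critical control named in Requirement 10.8 is expected to
# report a heartbeat at least this often. Silence beyond the interval counts as
# a failure even if the last report said UP.
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "audit-logging": timedelta(minutes=5),
    "segmentation": timedelta(minutes=15),
}

# Constructed sample status feed: "<ISO-8601 UTC> <control> <UP|DOWN>".
SAMPLE_LOG = """\
2016-10-31T09:00:00Z firewall UP
2016-10-31T09:00:00Z ids UP
2016-10-31T09:00:00Z fim UP
2016-10-31T09:00:00Z antivirus UP
2016-10-31T09:00:00Z audit-logging UP
2016-10-31T09:00:00Z segmentation UP
2016-10-31T09:05:00Z firewall UP
2016-10-31T09:05:00Z ids DOWN
2016-10-31T09:05:00Z audit-logging UP
2016-10-31T09:10:00Z firewall UP
2016-10-31T09:10:00Z ids DOWN
"""


@dataclass
class Failure:
    control: str
    reason: str                   # "reported DOWN", "no heartbeat" or "never reported"
    since: Optional[datetime]     # start of the outage, for the 10.8.1 duration record
    duration: Optional[timedelta]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, control, status = line.split()
            events.append((parse_ts(ts), control, status))
    return events


def detect_failures(events, now: datetime, expected=EXPECTED_INTERVAL) -> List[Failure]:
    last_seen: Dict[str, datetime] = {}   # most recent report of any status
    down_since: Dict[str, datetime] = {}  # start of the current run of DOWN reports
    for ts, control, status in sorted(events):
        last_seen[control] = ts
        if status == "DOWN":
            down_since.setdefault(control, ts)  # keep the first DOWN of the run
        else:
            down_since.pop(control, None)       # an UP report closes the run
    failures = []
    for control, interval in expected.items():
        if control not in last_seen:
            failures.append(Failure(control, "never reported", None, None))
        elif control in down_since:
            since = down_since[control]
            failures.append(Failure(control, "reported DOWN", since, now - since))
        elif now - last_seen[control] > interval:
            since = last_seen[control] + interval  # outage starts when the heartbeat was due
            failures.append(Failure(control, "no heartbeat", since, now - since))
    return failures


def report(now_iso: str, log_text: str = SAMPLE_LOG) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each failed control to (reason, outage duration in seconds)."""
    now = parse_ts(now_iso)
    return {
        f.control: (f.reason, int(f.duration.total_seconds()) if f.duration is not None else None)
        for f in detect_failures(parse_log(log_text), now)
    }


if __name__ == "__main__":
    for control, (reason, seconds) in report("2016-10-31T09:12:00Z").items():
        print(f"{control}: {reason}, down for {seconds}s")
```

Running the sample at 09:12 UTC flags the IDS, which has reported DOWN since 09:05, and the audit-logging mechanism, which last reported at 09:05 and has now missed its five-minute heartbeat; the firewall, FIM, anti-virus and segmentation controls are within their intervals. The recorded `since` and `duration` fields are what 10.8.1's requirement to document the duration of the failure asks for.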
Enforcement of compliance with the PCI DSS and determination of any noncompliance penalties are carried out by the individual payment brands. The payment brands may fine an acquiring bank between $5,000 and $100,000 per month for noncompliance, and the fine would likely be passed down to the merchant. Furthermore, the acquiring bank may choose to terminate the relationship with the merchant whose noncompliance resulted in the monetary penalty, or to increase its transaction fees. While the penalties are not widely publicized, they can be disastrous for small and medium businesses. For larger businesses, detected noncompliance may also lead to negative publicity and the loss of reputation and customers.
Many businesses have been hard at work since the release of PCI DSS v3.2 in April to ensure that they address the amended requirements. This effort will continue through the grace period until February 1, 2018, when all payment data processes will be expected to be in full compliance with the new requirements. PCI DSS v3.2 and its supporting documents, reporting templates and forms, as well as Frequently Asked Questions, are available from the PCI Security Standards Council. Additionally, the payment brands comprising the PCI Security Standards Council, including Visa and MasterCard, provide a variety of PCI DSS compliance resources and help on their websites.
Companies embarking on data security self-assessments or security incident investigations should consider involving a legal team with expertise in data privacy and cybersecurity. Doing so may provide unique benefits that would not be available when the work is carried out by a cybersecurity vendor alone. These benefits include a more streamlined process with attorneys acting as liaisons between the company and the vendor and focusing the investigation on what matters to ensure compliance, as well as possible attorney-client privilege and work product doctrine protections for the findings, conclusions, and recommendations reached as a result of the self-assessment or investigation.