The Green Sheet

Thursday, August 19, 2010

PCI SSC summarizes upcoming changes to standards

In advance of the October 2010 release of the updated security standards that govern how merchants and payments businesses safeguard sensitive cardholder data, the PCI Security Standards Council (PCI SSC) disclosed a summary of changes it intends to make to the standards.

The council said that, while version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS do not introduce new requirements, they do incorporate updates, clarifications and additional guidance. According to Bob Russo, General Manager of the PCI SSC, chief among the changes are:

  • Reinforcing the need for merchants to conduct thorough "scoping" evaluations of their networks prior to security audits
  • Adding a mandate for centralized logging to the PA DSS
  • Allowing organizations greater flexibility when conducting risk assessments in order to prioritize security vulnerabilities
  • Clarifying the language of the standards

Scoping

When organizations prepare for PCI assessments, they determine what parts of their networks are "in scope" for the assessment process. But determining that scope is apparently not so cut and dried.

According to Bob Russo, the PCI SSC received a "ton of feedback" from participating organizations, as well as its own advisory board, that level 1, global merchants are "finding cardholder data in places in their networks where they had no idea it could ever be."

The updated PCI DSS gives guidance on what data loss prevention tools might be useful in tracking down where forgotten or misplaced cardholder data is sitting in networks, Russo said. It is important to locate all places where that data is stored before organizations engage qualified security assessors (QSAs) to perform assessments, he added.

James Paul, Senior Vice President, Delivery, at Trustwave, said it is problematic when QSAs find sensitive data that is "out of scope" of the assessment when they are in the middle of conducting an assessment. "If you get the scope wrong, the assessment itself is somewhat invalid," he said.

Security experts have a term for this problem – "scope creep," Paul said. If a merchant forgot about a data center that contained cardholder data, "all of a sudden the QSA says we can't ignore that," he said. "It's part of the environment. We have to go visit that site and potentially have to apply the sector requirements to systems in that site."
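As an added illustration of the pre-assessment discovery Russo describes (this is example code, not from the article or the council), the following Python sweep scans constructed sample files for digit runs, keeps only those that pass the Luhn check, and reports each location with the number masked to its first six and last four digits. The file paths and card numbers are constructed test values, not real accounts.

```python
import re

# Constructed sample: three "files" from different network locations, as a
# scoping sweep might read them. The numbers are made-up test values chosen
# to pass or fail the Luhn check; none is a real account.
SAMPLE_FILES = {
    "pos-store-12/receipts.log": "sale ok card=4111111111111111 amt=19.99\n",
    "crm-backup/export.csv":     "id,name,note\n7,Smith,\"called re 5500 0000 0000 0004\"\n",
    "web-app/app.log":           "request id=1234567890123456 latency=12ms\n",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to drop digit runs that cannot be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Report at most the first six and last four digits; the rest is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str):
    """Return masked PANs found in one file's contents."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_files(files):
    """Return {path: [masked PANs]} for every location holding cardholder data."""
    findings = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            findings[path] = pans
    return findings
```

Every path returned is a system that belongs in scope before the QSA arrives; the web application log's 16-digit request id is correctly ignored because it fails the Luhn check.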

Centralized logging

Centralized logging is already included in the PCI DSS. Russo said the addition of centralized logging to the PA DSS is important because it is more likely companies will monitor the "events" that occur on their systems if the details of such events are recorded at one location. "If your staff has got to go look in more than one place, chances are they're not going to go look for it," he said.

Paul likened centralized logging to giving information technology professionals a dashboard view of what is occurring on networks. For example, if a USB device is plugged into a POS terminal in order to download malware into that terminal, that event is registered in the log, he said. "Or maybe it's not even a malicious act, but I want to know if anything happened on that system," he added.

And if a compromise should occur, centralized logging gives investigation teams a "breadcrumb trail for them to follow to help them determine the nature of the breach and the extent of the breach," Paul said.
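To show the "one place to look" and "breadcrumb trail" points in working code (an added example, not code from the article or any PA DSS product), the Python below merges constructed log lines from three POS terminals into a single timeline, flags removable-media attach events, and returns everything the affected terminal logged in the minutes that followed. Terminal names, timestamps and event formats are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample: log lines as three POS terminals might ship them to a
# central collector. Each line is "terminal|ISO timestamp|event". The device
# identifiers and event names are invented for this example.
CONSTRUCTED_LOGS = [
    "pos-07|2010-08-19T10:02:11|login user=cashier2",
    "pos-03|2010-08-19T10:03:40|sale amount=42.10",
    "pos-07|2010-08-19T10:05:02|usb_device_attached vid=0x1234 pid=0xabcd",
    "pos-12|2010-08-19T10:05:30|sale amount=8.99",
    "pos-07|2010-08-19T10:06:15|process_start name=updater.exe",
    "pos-07|2010-08-19T10:08:00|sale amount=12.00",
    "pos-03|2010-08-19T10:09:05|logout user=cashier1",
]

def parse(line: str):
    """Split one collector line into its terminal, timestamp and event text."""
    terminal, ts, event = line.split("|", 2)
    return {"terminal": terminal, "time": datetime.fromisoformat(ts), "event": event}

def central_timeline(lines):
    """Merge every terminal's records into one time-ordered view."""
    return sorted((parse(l) for l in lines), key=lambda r: r["time"])

def usb_alerts(timeline):
    """Flag removable-media attach events across all terminals at once."""
    return [r for r in timeline if r["event"].startswith("usb_device_attached")]

def breadcrumb_trail(timeline, alert, after=timedelta(minutes=5)):
    """Everything the same terminal logged from the alert onward, for the investigator."""
    return [
        r["event"] for r in timeline
        if r["terminal"] == alert["terminal"]
        and alert["time"] <= r["time"] <= alert["time"] + after
    ]
```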

Greater risk profile flexibility

Russo said the council received strong feedback that organizations wanted more flexibility in how they assessed their systems from a risk perspective. A business might recognize that a security vulnerability exists, but the risk of that vulnerability resulting in a data breach is so low that it wants to set that vulnerability aside for now and focus on making more important aspects of its systems PCI compliant, he said.

Paul sees this change to the standard as recognition that merchants have different risk tolerance levels. But he is concerned about who defines a particular business' risk tolerance – the QSA or the business itself. "Right now it looks as though [merchants will] be able to define that risk," he said. "I'm concerned a little bit about a situation where I, as the QSA, may feel a risk as a higher priority than, say, a client does and how that gets resolved."

Language clarification

Russo said the PCI SSC also attempted to make some of the language in the standards more specific, for example, the exact meaning of masking and rendering the primary account number unreadable, or how to ensure organizations use strong passwords. The council targeted language in the standards based on feedback it received from PCI participating organizations, Russo said.

"Certainly there are times when the language in the standard can be read one way by one person and another way by another person," Paul said. "By and large I think most of those have been addressed through questions to the council or through the SAQ [self-assessment questionnaire] which is available on the council's website."

A global standard

In the formalized feedback period the PCI SSC sets aside to give participating organizations a chance to communicate their thoughts and concerns about the standard, the council received 400 detailed responses, Russo said. The council based the changes it made to the standards on that feedback, as well as the day-to-day communications with businesses.

During that feedback phase, 54 percent of the feedback came from outside the United States, a statistic that Russo said proves the standard is a global one. "Now we're getting global uptake," he said. "This is a global problem; we need to make sure that we're getting participation from every corner of the globe. And we are."

Version 2.0 of the PCI DSS and the PA DSS will be disclosed in September with a more in-depth summary of changes. Participating organizations will then have time to digest the updated standards before the standards are formally released on Oct. 28.
