A Thing
The Green SheetGreen Sheet

Tuesday, May 3, 2016

PCI road map to bypass SSL

The PCI Security Standards Council (PCI SSC) released an updated security standard on April 28, 2016, designed to protect merchants and consumers from increasing attacks against payments infrastructures. Merchants will have six months to comply with new guidelines, which may require up to two years to fully implement, security analysts have said.

The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which becomes effective Oct. 31, 2016, was based on council member feedback and data breach trend analysis. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.

Platform changes, enhancements

PCI DSS 3.2 mandates multifactor authentication for anyone with access to payment card data. This requirement previously applied only to remote access from unknown or untrusted networks.

Primary changes include "new requirements for administrators and services providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."

Additional changes in PCI DSS 3.2 include:

  • Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS, a PCI SSC resource guide.

  • Expansion of requirement 8.3 to include use of multifactor authentication for administrators accessing the cardholder data environment

  • Additional security validation steps for service providers and others, including "designated entities supplemental validation criteria," which previously were contained in a separate document of that name.

Multifactor road map

Security analysts have raised concerns about complexities related to migrating from customary, embedded platforms to more secure authentication methods. Michael Petitti, Senior Vice President of Global Alliances at Trustwave, suggested full implementation could take up to two years. This is largely due to the need to migrate from SSL and early Transport Layer Security (TLS), which were widely used and undisputed until inherent vulnerabilities were exposed, he said.

"The PCI SSC is mindful of the substantial scale of changes that are taking place, especially with regard to new technologies such as the use of chip cards in the U.S. and other technologies that are part of the transaction supply chain, such as mobile," Petitti said. "By communicating the new standard well in advance of migration deadlines, the PCI SSC is providing a window to enable all the transaction stakeholders, acquirers, ISOs, PSPs and merchants, to best determine how to prioritize their future security investments."

Requiring two-factor authentication for administrators within the cardholder data environment is a significant change to the standard and "a nod to internal threats," Petitti added. "As merchants migrate to PCI DSS version 3.2, they should consult with their acquirer/ISO and their PCI DSS security provider to ensure that the migration does not create any security risks, which is unlikely if handled properly," he said.

People, process, policy

Steven Grossman, Vice President of Program Management at Bay Dynamics, a cybersecurity firm, sees potential gridlock ahead on the PCI compliance road map. "For large organizations that have legacy systems combined with legacy companies, adhering is a huge effort, because there are so many moving parts," he said. "What frequently happens is the effort to become compliant becomes the driving force, taking precedence over protecting data."

If companies spent more time and energy protecting data, compliance would take care of itself, Grossman stated. "Compliance is simply a set of guidelines and not a guarantee against data breaches; Target, despite being compliant was quite exposed," he said. "We see a lot in our travels around PCI reporting and PCI audits but that's backward, equivalent to a CFO deciding to pay suppliers once a quarter."

Grossman and other analysts view the new standard as a logical outgrowth of existing best practices. They emphasize that many companies already have multifactor authentication, encryption, penetration testing and reporting in place. PCI DSS version 3.2 takes things a bit further, and large conglomerates, in particular, may require more than six months to update their infrastructures.

"Large companies typically perform tens of thousands of scans across their entire organizations," Grossman said. "Automated tracking of vulnerabilities in a live mode every day should be integral to any company's security policy, particularly when studies show a high percentage of vulnerabilities have been known [to their victims] for more than a year," he said. "Continued compliance is a more effective approach to security than a quarterly or annual fire drill."

For a copy of PCI DSS version 3.2, including a summary of the changes it includes, please visit www.pcisecuritystandards.org/document_library. end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing