The Green Sheet Online Edition
September 13, 2010 • Issue 10:09:01
PCI SSC summarizes changes to upcoming standards
In advance of the October 2010 release of the updated security standards that govern how merchants and payments businesses safeguard sensitive cardholder data, the PCI Security Standards Council (PCI SSC) disclosed a summary of changes it intends to make to the standards.
The council said that, while version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS do not introduce new requirements, they reflect changes concerning updates, clarifications and guidance. According to Bob Russo, General Manager of the PCI SSC, chief among the changes are:
- Reinforcing the need for merchants to conduct thorough "scoping" evaluations of their networks prior to security audits
- Adding a mandate for centralized logging to the PA DSS
- Allowing organizations greater flexibility when conducting risk assessments in order to prioritize security vulnerabilities
- Clarifying the language of the standards
When organizations prepare for PCI assessments, they determine what parts of their networks are "in scope" for the assessment process. But determining that scope is apparently not so cut and dried.
According to Russo, the council received a "ton of feedback" from participating organizations, as well as its own advisory board, that level 1, global merchants are "finding cardholder data in places in their networks where they had no idea it could ever be."
The updated PCI DSS gives guidance on what data loss prevention tools might be useful in locating forgotten or misplaced cardholder data in networks, Russo said. It is important to pinpoint all places where that data is stored before engaging qualified security assessors (QSAs) to perform assessments, he added.
James Paul, Senior Vice President, Delivery, at Trustwave, said it is problematic when QSAs, in the course of conducting an assessment, find sensitive data that is "out of scope" of that assessment. "If you get the scope wrong, the assessment itself is somewhat invalid," he said.
Security experts have a term for this problem - "scope creep," Paul said. If a merchant forgot about a data center that contained cardholder data, "all of a sudden the QSA says we can't ignore that," he said.
"It's part of the environment. We have to go visit that site and potentially have to apply the sector requirements to systems in that site."
Centralized logging is already included in the PCI DSS. Russo said the addition of centralized logging to the PA DSS is important because it is more likely companies will monitor the "events" that occur on their systems if event details are recorded at one location. "If your staff has got to go look in more than one place, chances are they're not going to go look for it," he said.
Paul likened centralized logging to giving information technology professionals a dashboard view of what is occurring on networks.
For example, if a USB device is plugged into a POS terminal to download malware into that terminal, that event is registered in the log, he said. And if a compromise should occur, centralized logging gives investigation teams a "breadcrumb trail for them to follow to help them determine the nature of the breach and the extent of the breach," he added.
Greater risk profile flexibility
Russo said the council received strong feedback that organizations wanted more flexibility in how they assess their systems from a risk perspective. A business might recognize a security vulnerability exists, but the risk of it resulting in a data breach is so low that they want to be able to put that vulnerability aside for now and focus on making more important aspects of systems PCI compliant, he said.
Paul sees this change to the standard as recognition that merchants have different risk tolerance levels. But he is concerned about who defines a business' risk tolerance. "Right now it looks as though [merchants will] be able to define that risk," he said. "I'm concerned a little bit about a situation where I, as the QSA, may feel a risk as a higher priority than, say, a client does and how that gets resolved."
Russo said the PCI SSC also attempted to clarify certain language in the standards, for example, the exact meaning of masking and rendering the primary account number unreadable or how to ensure organizations use strong passwords. The council targeted language in the standards based on feedback from PCI participating organizations, Russo said.
"Certainly there are times when the language in the standard can be read one way by one person and another way by another person," Paul said. "By and large I think most of those have been addressed through questions to the council or through the SAQ [self assessment questionnaire] which is available on the council's website."
A global standard
In the feedback period the PCI SSC sets aside to give participating organizations a chance to communicate their thoughts and concerns about the standard, the council received 400 detailed responses, Russo said.
During that feedback phase, 54 percent of comments came from outside the United States. "Now we're getting global uptake," Russo said. "This is a global problem; we need to make sure that we're getting participation from every corner of the globe. And we are."
Version 2.0 of the PCI DSS and the PA DSS will be disclosed in September with a more in-depth summary of changes, giving participating organizations time to digest the updated standards before their release on Oct. 28.