PCI DSS version 3.0 : January 2015 Deadline Looms

PCI DSS 3.0 deadline

Merchants who submit annual SAQ’s can continue to validate compliance with 2.0 SAQs until January 1, 2015. If merchants annual validation occurs in December,they’re not mandated to validate with version 3.0 until December 2015.

Are you ready?  Every merchant is impacted by the update, which are considerable. The PCI DSS Quick Reference Guide is 40 pages so there will be no attempt to duplicate it here. Here’s some issues merchants mostly likely need to address:

  1. Maintain an inventory of system components that are in scope for PCI DSS and also further, protect devices from tampering. Merchants have to identify all software, hardware, networks, what it’s used for, why it’s needed. This is a difficult task for larger retail operations where equipment is regularly moved and replaced. To comply, there must be a plan to regularly inspect equipment with serial number verification.
  2. Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties. Even if in place, rarely is the case where every employee is fully informed. Adding a component to HR employee reviews is the simplest way to initiate a system.
  3. Render PAN unreadable anywhere it is stored- the card number must be unreadable per 3.4.
  4. The CAV2/CVC2/CVV2/CID can never ever be stored. OK, this one is old, but it’s still abused so it’s being repeated again. It’s NOT OK to store if ‘for a while’.
  5. Control physical access for on-site personnel; access authorized and based on individual job function and revoked immediately upon termination.The vast majority of companies have little control over employee access by job function. Their equipment or software simply has too many limitations. Merchants need to micro manage what employees can do, and document each employees interaction ( who processed what transaction etc.)
Goals of the PCI Data Security Standard
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
PCI: IS AN ongoing 3-step process
  • Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  • Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
  • Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS CLOUD COMPUTING GUIDELINES

PCI Special Interest Group offers guidance for securing payment card data in cloud environments —

WAKEFIELD, Mass., February 07, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.

PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
PCI Participating Organizations selected cloud computing as a key area to address via the SIG process. More than 100 global organizations representing banks, merchants, security assessors and technology vendors collaborated on this guidance designed to help companies identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities when implementing these solutions.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.” The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships– outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges- describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.
  • Additional Security Considerations – explores a number of business and technical security considerations for the use of cloud technologies.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.
The information supplement can be downloaded from the documents library on the PCI SSC website athttps://www.pcisecuritystandards.org/security_standards/documents.php. Download cloud computing guidelines document here.
Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.

About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security- standards-council Join the conversation on Twitter: http://twitter.com/#!/PCISSC

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised, said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e- commerce security and guidance around the following primary areas and objectives:

  •  E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e- commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  •  PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e- commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e- commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world, said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security- standards-council Join the conversation on Twitter: http://twitter.com/#!/PCISSC

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Highlights from the  Global Payments quarterly report  released January 8 2013, reveals that costs related to the 2012 data breach have reached 93.9 million and additional material costs will be incurred in 2013.  The company is still working on PCI DSS certification. pdf The company has not yet been put back on the list of PCI DSS compliant service providers, however, the impact on revenue has been “immaterial”. 

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial.    We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain sensitive information for identity theft thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has identified the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”