PCI-DSS 3.0: Translating new credit card data security rules

Merchants that process, store, or transmit credit card data are now required to be compliant with version 3.0 of the PCI Data Security Standard (PCI-DSS).

A small number of requirements are considered best practice only until July 1, 2015, after which they become mandatory.

Now you could search through the rather substantial standard to find the requirements in question, but I’ve saved you the trouble.

The PCI-DSS says:

“8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer.”

In short: Merchants need to hold their service providers accountable!

The PCI-DSS says:

“9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add ‘skimming’ components to the outside of devices, which are designed to capture payment card details before they even enter the device.”

In short: Make sure your physical POS hardware is secure!

The PCI-DSS says:

“11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks.”

In short: Test and verify the effectiveness of your network segmentation!

The PCI-DSS says:

“12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

This requirement applies when the entity being assessed is a service provider. It is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities. The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it obtains from its clients. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.”

In short: Update your contracts to include this acknowledgement!

If you need to implement any or all of these requirements, do it now. Do you really want to wait until June 30, 2015?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.