Recently the Payment Card Industry Security Standards Council (PCI SSC) announced a minor update to the PCI DSS standard, largely to make it easier to read with respect to key dates that are now in the past. It also made clear that by now organisations should have migrated from vulnerable Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) implementations to full-strength TLS when securing their communications links. There are some additional requirements that have changed, as described in the 139 pages of the main specification (PCI DSS 3.2.1), that are worth mentioning, and I have outlined them below.
Minor (but important) changes in PCI DSS 3.2.1
New requirements introduced in PCI DSS 3.2 (which was first published in April 2016) should have been implemented by 1st February 2018. This date has now passed and the text has been modified accordingly to make the document easier to read. A few highlights include:
- Mandatory multi-factor authentication (MFA) for non-console administrative access into the cardholder data environment (CDE) – this can involve significant security improvements to authentication processes and procedures;
- Detailed documentation to be maintained by service providers regarding their cryptographic architecture – without proper planning this can be challenging, since the level of detail necessary includes algorithms, protocols, key strengths, key expiry dates, key usage and HSM inventories; and,
- The need to detect and respond to failures of critical security control systems – raising the bar considerably on mandatory monitoring and responding procedures.
Beginning on 1st January 2019, organisations will be validated against PCI DSS 3.2.1 or later. The current thinking at PCI SSC indicates that the next major update of the PCI DSS standard will not be before 2020. Advice on how to comply with PCI DSS can be found in our recent eBook, “PCI Compliance and Data Protection for Dummies”.
Major PCI initiatives in 2018
It is evident from looking at the wide range of specifications and guidance that PCI SSC has published over the past six months that there is a lot happening outside of PCI DSS. This is not totally unexpected since this standard is mature and was designed initially to address rising fraud in a world dominated by physical payment card transactions. As we move into an era where digital payments are growing significantly year-on-year, the focus of PCI SSC naturally will evolve to address new and different types of threats. Some of the key initiatives announced and documents planned or recently published include:
PCI Software Security Framework
The main security standard currently applicable to payment software application vendors is the PCI PA-DSS program, which was initially designed and introduced when all payment card acceptance for face-to-face transactions utilized hardware-based certified POS terminals. As this area continues to experience innovation, including the recent arrival of software-based acceptance solutions, the PCI SSC concluded that the time is right to introduce a new standard that covers both traditional and emerging approaches. The new specifications are in the process of being developed, and the participating organisations (which include Thales) will have an opportunity to provide feedback later this year. The implementation of the program is expected in 2019.
Cloud Security Guidelines
As a follow-up to the original guidelines published in 2013, the new PCI SSC Cloud Computing Guidelines published in April 2018 help organisations identify and address security challenges that affect a broad range of cloud architectures. The PCI Council worked very closely with banks, merchants, security assessors and the payment vendor community in developing the document, with the ultimate goal of reducing risk and ensuring better data protection.
X9 and PCI collaboration on PIN Security
The security of PINs has always been a major consideration for the payments industry. In the past decade we have evolved from multiple similar (but subtly different) standards, ranging from the individual payment brands to a consolidated PIN security standard under the PCI umbrella. However, many organisations that are audited against PCI PIN Security also have to meet another industry standard, namely the TR-39 PIN Standard managed by the ASC X9 group. As a welcome initiative, PCI SSC and ASC X9 have agreed to collaborate on a single replacement PIN security standard that will simplify efforts and reduce costs for a large number of payment participants. We are still waiting for the target introduction date to be announced.
PCI 3-D Secure
EMVCo is the main body that develops and manages the 3-D Secure (3DS) specifications that are designed to improve security for card-not-present (CNP) transactions. To complement the work of EMVCo (which also operates the approval process for 3DS devices), PCI SSC recently announced two new security standards related to the 3DS protocol. The primary goal is to ensure that an agile and workable structure is established for both functional testing and security evaluation of EMV 3DS solutions. This is important as the battle against CNP fraud needs all the assistance it can get.
PIN entry on mobile devices
Until recently, only certified hardware-based secure PIN entry devices were permitted to capture a cardholder PIN during a POS transaction. In the past year there has been a significant change in the industry: a cardholder can now enter his or her PIN on a commercial off-the-shelf (COTS) device as an alternative to the traditional PIN pad in a POS terminal. However, as you might expect, the system architecture and security design need to be both very secure and validated. This is where the team at PCI SSC comes in. Recently the PCI Software PIN on COTS (SPoC) Program Guide was published. Using this documentation, vendors can submit SPoC solutions to be validated and listed on the PCI SSC website for merchant use. Over time this could be a game changer, and we are already seeing some early activity.
Overall, great strides are being made across the PCI landscape, but as always there are multiple routes you can take, involving a wide range of security technologies.