Happy New Year!
As we kick off 2018, there are a few significant PCI requirement changes to be aware of in the new year, particularly on these two dates: Feb 1 and June 30.
As of February 1, 2018, the following (former best practices) will become requirements for all organizations complying with thePCI DSS.
Sections: 6.4.6 & 8.3.1
Impact: Merchants and Service Providers
6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Takeaway: Your QSA must be able to validate organizational requirements:
- Define and document what it considers to be a significant change
- Identify said significant changes in your company change management system
- Provide proof that vulnerability scans, penetration tests, and risk assessments were performed given significant change
8.3.1 Incorporate multi-factor authentication for all non-console access into the Cardholder Data Environment (CDE) for personnel with administrative access.
Takeaway: Admin remote access now requires MFA to 1) connect to internet network AND 2) another MFA login to access CDE.
Remember that MFA must:
A) Use Two of Three methods
- Something you Know (password / passphrase)
- Something you Have (token / smart card)
- Something you Are (biometric identifier)
B) Must be Distinct. I.E. password + token and not using one factor twice (two separate passwords).
Sections: 3.5.1, 10.8, 10.8.1, 188.8.131.52, 12.4.1, 12.11, 12.11.1
Impact: Service Providers
3.5.1 Maintain a documented description of the cryptographic architecture that includes:
- Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any hardware security modules (HSM) and other secure cryptographic devices (SCD) used for key management
Takeaway: A number of Service Providers cryptographic solutions have been found to be insufficient to properly protect cardholder data, offering invalid end-to-end encryption per CouncilP2PE standard.
As such, QSAs must now document how service providers have implemented encryption:
- Architecture of encryption solutions
- Encryption protocols used
- Key bit strengths for all keys
- Inventory of all encryption key management and generation systems/devices
10.8 Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: firewalls, intrusion detection/prevention systems, file integrity monitoring, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls (if used).
Takeaway: If / when their critical security control systems fail, service providers must be able to provide documentation to QSAs that alerts were generated, in the form of log data, screenshots, etc.
10.8.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: restoring security functions; identifying and documenting the duration (date and time start to end) of the security failure; identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause; identifying and addressing any security issues that arose during the failure; performing a risk assessment to determine whether further actions are required as a result of the security failure; implementing controls to prevent cause of failure from reoccurring; resuming monitoring of security controls.
Takeaway: Service providers also need to prove that their security personnel responded to critical systems failures, via documentation such as help desk support tickets.
184.108.40.206 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Takeaway: Service providers are now required to PEN test their network segmentation controls every six months OR if any changes are made to the network that impact those controls.
12.4.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: overall accountability for maintaining PCI DSS compliance; defining a charter for a PCI DSS compliance program and communication to executive management.
Takeaway: The Council clearly wants the C-suite to become more aware and involved in the protection of cardholder data, and now requires QSAs to obtain from service provider executives documentation on:
- Responsibilities for PCI compliance
- Accountability for PCI compliance
- Communications to executive management regarding PCI compliance.
12.11 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: daily log reviews; firewall rule-set reviews; applying configuration standards to new systems; responding to security alerts; change management processes.
12.11.1 Maintain documentation of quarterly review process to include: documenting results of the reviews; review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.
Takeaway: Given increasing awareness of the human element of cyber breaches, its not surprising the Council is ramping up its efforts and focus on personnel training. Quarterly reviews (and associated documentation) are now required for service provider personnel to confirm theyre trained up on PCI security policies, and all standards and procedures.
Lastly, June 30, 2018 is the last day to use SSLv3 (an encryption standard that’s used to secure Web traffic) and TLS v1.0. Given the POODLE exploit, SSLv3 encryption really should have been disabled long ago. That said, if your site still supports these protocols past June 30, it will fall out of PCI compliance.
About RSI Security
RSI is the nation’s premier information security and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI can assist all sizes of organizations in managing IT governance, Risk management and compliance efforts (GRC).