The Payment Card Industry Security Standards Council (PCI SSC) releases regular updates to existing programs and creates new programs on an ongoing basis as security needs change. Staying abreast of the changes to PCI programs is essential to maintaining PCI compliance over time. Understanding what new programs are being created and how those programs might affect your operations is also important, as the creation of new PCI programs can impact security implementations in a variety of ways.
PCI Software Security Standards
The PCI SSC is planning to release some substantial changes to their PCI Software Security Standards. Under this umbrella, the PCI SSC plans to release a Secure Software Standard and a Secure Software Life Cycle (SLC). This may present some confusion for organizations that are already in compliance with the Payment Application Data Security Standard (PA-DSS). Let’s take a look at how these two programs converge and diverge, and what it will mean in the coming years for your organization.
The PA-DSS has heretofore served as the standard by which the PCI SSC has defined the security requirements for applications that process payments. The PA-DSS contains both requirements and validation protocols to ensure that payment processing applications and terminals have adequate security to protect cardholder data. The PA-DSS requirements are intended for payment applications that are utilized in a PCI Data Security Standard (PCI DSS) compliant environment. This means that while your payment applications must be PA-DSS compliant, you must also meet the compliance requirements outlined under PCI DSS.
The new pci programs proposed by the PCI SSC will seek to outline requirements for the creation of secure payment processing applications whether or not they are used in a PCI DSS compliant environment. This represents a substantial shift in that the proposed PCI Software Security Standards will be used to encourage greater overall software security, rather than just focusing solely on PCI DSS compliant environments.
In addition to expanding the scope beyond that of the PA-DSS requirements, the PCI Software Security Standards will be revised to incorporate recognition of the ways that software development has changed over time. Specifically, the new standards will include embedded recognition that software developers are able to develop their products faster than ever. At the same time, there are substantially stronger analytics and security capabilities that are either embedded in the software itself or can be used in conjunction with applications to provide enhanced security over what was possible in the past.
The new standard is intended to give greater flexibility to software developers while giving the payment card industry greater transparency into the security capabilities of the applications they are using. The intention of this is to not only make software more secure but also to enhance the ability of entities to accurately assess the security of the software they are using. At the same time, there is a fundamental recognition that the pace of change for payment card processing is accelerating a rapid rate. The new PCI Software Security Standards will seek to provide a roadmap for organizations looking to utilize up-to-date payment security utilizing emergent technologies.
Organizations should expect the release of a new PCI Software Security Framework to be made available in 2019. This Framework will include the Software Security Standard and Secure SLC, as well as a validation program for software applications used for payment card processing. Additionally, the PCI Software Security Framework will also include a qualification program for software vendors. It should be noted that organizations that have a PA-DSS validation will still have that validation honored under the proposed regulatory regime. PA-DSS validations expire in 2022, at which point organizations would have to transition to requirements set forth in the PCI Software Security Framework.
PCI Card Production and Provisioning
The PCI Card Production and Provisioning program is expected to undergo some changes in the coming year. This pci cybersecurity program is intended to protect cardholder data at the production and provisioning level for new cards. Production refers to the physical manufacturing of the card, while provisioning refers to the act of placing cardholder data onto the card itself. Both of these processes must be protected in order to ensure end-to-end protection for cardholder data. Currently, there are two separate PCI programs for card production. The Logical Security Requirements outline security requirements associated with personalizing cards, or rather putting specific cardholder data onto the magnetic strip or chip embedded in the card. The Physical Security Requirements outline security requirements for the entirety of the chip production process from card manufacturing to shipping, delivery, and fulfillment.
Both the logical and physical security requirements outlined by the PCI SSC must be met by entities producing or provisioning cards. Both programs were updated in 2017 with Version 2.0, which incorporated security recommendations for emergent payment forms. If you are involved in card production or provisioning, chances are you are intimately familiar with the PCI requirements associated with these activities. What will be changing in the coming years is the creation of a Card Production Assessor program. There are currently plans for two different assessor programs; Card Production Logical Assessor and Card Production Physical Assessor. Both of these programs are slated to be introduced in 2019. The intention of the Card Production Assessor programs is to create an environment for more consistent assessments in a similar fashion to other PCI programs such as PCI DSS.
Qualified Integrators & Resellers Qualification
The PCI Qualified Integrators & Resellers (QIR) Qualification program is undergoing some changes that may affect your operations moving forward. The QIR Qualification program was created for integrators or resellers that sell, install, or service payment systems. As a whole, the program is intended to reduce merchant risk associated with improperly or poorly installed payment systems.
The updates to the QIR program are intended to help minimize merchant risk by addressing key risk vectors identified during feedback from the industry. These points of risk include security during remote access, password requirements, and the implementation of a patch management system. Alongside these changes, the program itself will be revamped to reduce the length of the training and to bring the course material and exam portion online. In the past, the QIR program was available only to companies themselves. In order to train more professionals under the program, the PCI SSC has made the training tied to the individual rather than the company and reduced the price to $100.00 for both new training and recertification. The recertification process will now take place annually instead of once every three years.
PCI DSS 3.2.1
The core program under the PCI SSC umbrella is the PCI Data Security Standard. This standard recently underwent some revisions that covered entities must ensure they are compliant with beginning January 1, 2019. While there are only a relatively moderate amount of changes made to the standard, entities that are in-scope for PCI DSS must be mindful of the requirements in order to maintain compliance in the coming year.
The PCI DSS 3.2.1 replaced PCI DSS 3.2 as of June 30, 2018. After this point, organizations that are required to be compliant with PCI DSS requirements have a six month period to transition to the new framework. This makes the effective date for the enforcement of PCI DSS 3.2.1 requirements from 2019 onward. It is important to note that up until January 1, 2019 organizations may validate under either standard depending on which one is more appropriate for that organization. However, once January 1, 2019, has passed all entities will need to validate according to PCI DSS 3.2.1.
Many of the changes made to the pci dss cyber security requirements from version 3.2 to 3.2.1 are meant to serve as a clarification. What is important to note about this version is that it contains updated timelines for meeting certain requirements. Specifically, final compliance dates that had already passed were removed from the document. Most important among these was the requirement to transition away from Secure Socket Layer (SSL) and early Transport Socket Layer (TSL) to a more secure form of encryption by May 30, 2018.
Many organizations will be looking for a roadmap of upcoming PCI DSS changes that they can expect to see in the coming months. Although there were no new requirements in PCI DSS 3.2.1, there will be a more significant revision in the future. This revision is slated to occur sometime after 2020. In the process of formulating PCI DSS 3.2.1, the PCI SSC allowed comments from Participating Organizations and assessors. This feedback will be incorporated into the changes for the next major revision of the PCI DSS. As with past revisions of the PCI DSS, future revisions will seek to further secure cardholder data and reduce the value that payment card data holds for criminals. The lack of new compliance requirements between PCI DSS 3.2 and 3.2.1 is viewed as a strength in the respect that it demonstrates the standard is designed to help organizations mitigate the threats they are facing now, as well as the threats they will be facing in the future.
SSL / early TSL Migration
Although the update to PCI DSS 3.2.1 contained only minor clarifications, entities that are required to maintain compliance with the standard will note that they should have transitioned to more robust forms of encryption for transmitting cardholder data. The date for migrating all systems away from SSL and early TSL protocols passed recently, in May of this year. Due to the widespread use of SSL and early TSL throughout the world, there are undoubtedly many organizations that haven’t completely migrated to a more secure form of encryption.
There are many reasons that the PCI SSC modified the standard to require entities to move towards a more powerful form of encryption. SSL and early TSL are open to a variety of vulnerabilities that are openly available to bad actors. Because of these known vulnerabilities, collecting, transmitting, or storing cardholder data on systems that utilize SSL and early TSL fail to provide the safeguards necessary to protect cardholder data against today’s threats. This is particularly true for online and e-commerce environments, which have relied heavily on SSL and early TSL over the past two decades.
The requirement to migrate to stronger forms of encryption by May 30, 2018, was embedded in the PCI DSS 3.2 requirements released in April 2016. This was in recognition of the large-scale effort it would take for many organizations to migrate fully towards a better encryption protocol. At this point, all organizations should be using a stronger encryption protocol than SSL and early TSL. If this isn’t the case, you’ll want to work with a Qualified Security Assessor (QSA) to migrate to a stronger encryption protocol in order to maintain compliance with PCI DSS 3.2.1 requirements.
The programs under the PCI SSC umbrella are constantly undergoing change. Some of these changes won’t have a significant impact on your operations, such as for the PCI DSS 3.2.1 which only included minor updates to clarify language and remove due dates that had passed. In contrast, some updates to PCI programs can be quite extensive. The creation of a new PCI Software Security Framework is an example of this.
For entities that fall under the scope of these requirements, it is especially crucial to work with a Qualified Security Assessor (QSA) that can help you maintain compliance over time. Maintaining compliance with PCI requirements necessitates creating a security-focused culture. This includes implementing security best practices, such as regularly reviewing and updating your security protocols in light of emerging threats. If you have questions about how changes to PCI programs will impact your compliance efforts, contact RSI Security today for your cybersecurity solutions.
Staying abreast of the changes to PCI requirements is an important step towards maintaining compliance, but it isn’t the only step you can take. You can also consider a variety of other ways to get involved with PCI compliance, including reading our related blog article, PCI Compliance Firewall Requirements. Many of the changes to PCI programs are the result of feedback from Participating Organizations. Participating Organizations have the opportunity to help shape changes to PCI programs during the Request for Comment (RFC) process. This can not only be a great way to stay informed about potential upcoming changes to important PCI programs but also to provide feedback about areas for improvement that you have seen in your own implementation of PCI programs.