Physical storage devices are among the most widespread forms of technology, used by nearly every company, regardless of a business’ size and scope. They encompass not only harddrives, but any physical device on which data is stored, including laptops, thumbdrives, smartphones, or even credit cards. It’s important to protect them, and the Payment Card Industry Data Security Standard (PCI DSS) sets the standard for how to do that. Thus, PCI DSS 4.0 changes may impact them in profound ways.
The information available in the current DSS — as well as PCI’s own framing of the expected changes — provides useful insights into what updates mean for physical storage device security.
However, since PCI DSS 4.0 is still in standard draft form, it’s impossible to say definitively whether and how it will impact any element of your cybersecurity when it’s released. But chances are, it will.
Here’s how we see that happening.
Will PCI 4.0 Impact Physical Storage Device Security?
Each update to the PCI DSS has always had ripple effects on physical storage device security practices, so it’s safe to say that the newest version will too. How large an impact the new changes will have, depends largely on the extent to which you’re already following the most current PCI DSS guidelines.
We’ll break down everything you need to know about 4.0’s potential impacts on physical storage devices into two main sections:
- How PCI DSS currently impacts physical storage devices
- PCI DSS 4.0 Changes impacting physical storage devices
But, to fully understand the impacts 4.0 will have, you need to first have a firm grasp of what current PCI DSS requirements are.
Assess your PCI compliance
What is PCI DSS 4.0, and Who Will It Impact?
The PCI DSS, officially the Payment Card Industry (PCI) Data Security Standard (DSS), is a set of regulatory guidelines that companies who process credit card payments need to follow. It’s a product of the PCI Security Standards Council (SSC), a group founded in 2006 by major creditors and other players in the finance industry.
The SSC exists in order to:
- Help merchants and financial institutions prevent breaches and theft of cardholder data
- Facilitate secure payment solutions for vendors with uniform security standards
The PCI DSS is the main way the SSC accomplishes these goals. According to the SSC’s projected 4.0 timeline, the newest edition should be finished by mid-2021, with supporting documents to be released by the end of that year. Transition is likely to take place over a few years, as 3.2.1 is not expected to be retired until mid-2023.
When it is in effect, PCI DSS 4.0 will apply to any and all businesses with any relationship at all to credit card payment processing. That includes vendors and merchants who accept credit card payments, as well as any service providers that process their data.
If your company accepts payments via credit card, PCI DSS impacts you.
How PCI DSS Currently Impacts Physical Storage Devices
At the core of the PCI DSS, ever since the original version 1.0, sit 12 core requirements.
Of the 12 core requirements, only one specifically involves physical access. However, there are elements of all 12 that can involve physical storage media — whether directly or indirectly. Importantly, all of PCI DSS can potentially impact physical storage devices.
As of the most recent and current PCI DSS, version 3.2.1, the core elements include:
- Building and maintaining secure network systems
- Requirement 1: Install and maintain strong firewall configurations
- Requirement 2: Refrain from using vendor-supplied default configurations
- Protecting cardholders’ data from attack or loss
- Requirement 3: Protect cardholder data located in storage (physical or cloud)
- Requirement 4: Encrypt cardholder data being transmitted across open networks
- Maintaining vulnerability management
- Requirement 5: Install and regularly update antivirus/malware software
- Requirement 6: Develop security protocols across systems and applications
- Implementing access control measures
- Requirement 7: Limit access to cardholders’ data based on business need
- Requirement 8: Allow access to system components only through authentication
- Requirement 9: Limit all physical access to stored, protected cardholder data
- Monitoring and testing networks consistently
- Requirement 10: Monitor access to resources and data within the network
- Requirement 11: Test and analyze security systems at regular intervals
- Maintaining information security policies
- Requirement 12: Develop and disseminate security policy to personnel
Naturally, certain controls concern physical devices more or less directly. Requirement 9 is far from the only requirement you’ll need to worry about. But still, let’s take a closer look at it, and a couple others, to get a sense of the most direct impacts PCI 4.0 will have on physical devices.
Download Our PCI DSS Checklist
Requirements’ Specific Impacts on Physical Storage Devices
The requirements detailed above all can impact physical storage devices. But, since requirement 9 specifically restricts physical access, it warrants a deeper look. Per version 3.2.1, it breaks down into ten sub-requirements:
- 9.1 – Use entry controls to both limit and monitor physical access to cardholder data
- 9.2 – Develop methods to distinguish authorized personnel from other visitors
- 9.3 – Limit personnel’s access with contingent authentication and swift termination
- 9.4 – Implement methods to authorize visitor access to areas containing stored data
- 9.5 – Ensure physical security of media via safely stored (and monitored) backups
- 9.6 – Strictly control internal and external distribution of media of any and all kinds
- 9.7 – Strictly control storage and availability of media via inventory and access logs
- 9.8 – Destroy any and all media that is no longer needed for valid business purposes
- 9.9 – Protect all card-reading devices, such as swipe or tap point of sale systems
- 9.10 – Ensure that security policies impacting physical access are circulated
These specifications all apply directly to all forms of physical storage your company uses to harbor cardholder data. They also apply across any other physical (or digital) resources that offer direct or indirect access to data stored in these physical devices.
But, as stated, requirement 9 isn’t the only one that impacts physical storage devices. For example, consider the elements from other requirements listed above:
- Requirements 1 and 5 don’t invoke physical storage directly, but require firewalls and antivirus software to be built “around” and “into” them, respectively.
- Requirement 2 likewise applies to all resources and thus compels you to remove any and all default settings or configurations installed onto physical storage devices.
- Requirement 3 directly involves physical storage devices at the specific locations where cardholder data is stored. Its specifications for encryption and other security safeguards are implemented on and within physical storage devices.
- Requirements 7, 8, and 10 are all related to physical storage devices, in that access to them must be carefully authenticated and tracked.
Across these requirements, your cybersecurity framework and measures must apply to networks and systems, as well as the pieces of hardware connected to them. Physical storage devices are no different; in fact, they’re among the most important endpoints to protect.
PCI DSS 4.0 Changes Impacting Physical Storage Devices
PCI DSS version 4.0 is currently in standard draft form. In practice, that means that the SSC is surveying the field with requests for comments (RFCs) to understand what changes stakeholders most want to see in the upcoming version.
Four main areas that the PCI SSC is focusing on for 4.0, include:
- Authentication, especially multi factor authentication (MFA)
- Applicability of encryption for cardholder data on trusted networks
- Bringing requirements up to speed regarding technological advancements
- Frequency of assessment or other testing for the most critical PCI DSS controls
Importantly, these focus areas will not be the only areas that require changes in version 4.0.
While the final 4.0 RFC period is coming to a close, SSC may also consider changes above and beyond what the survey respondents indicated support for. PCI’s anticipatory guidance for PCI DSS 4.0 also identifies four main goals the SSC has attempted to implement:
- Ensuring the DSS still meets the needs of its stakeholders
- Adding and emphasizing flexibility across controls
- Promoting security as an ongoing, continuous process
- Enhancing methods and procedures for validation
As evidenced by these goals, PCI SSC’s intention is not to introduce radical, essential changes to the DSS. Instead, they aim to modernize the requirements and facilitate their adoption by opening up numerous possibilities for both software and practices to satisfy them.
Specific 4.0 Controls Related to Physical Storage Devices
All indications point toward 4.0’s changes being relatively minimal. Still, there will be changes, and any changes will impact physical storage devices, whether directly or indirectly.
According to a recent report on 4.0 RFC feedback, a handful of requirements have garnered the most comments from a majority of respondents. Of these, the ones that will have the most direct impact on physical device storage include the following:
- Regarding requirement 4, about using cryptography to protect data in transit:
- Self-signed and/or internal certificates add physical elements to data security
- Regarding requirement 8, about identification and authentication of users:
- Multi factor authentication (MFA) will further restrict access to physical storage
- Regarding requirement 9, about restricting physical access to cardholder data:
- A focus on the physical location of “sensitive areas” will be key in 4.0
Given the goals outlined above, these modifications to specifications or sub-requirements may not result in noticeable changes to technology or practices employed by your company. Instead, they may open up additional options that were previously unavailable. However, despite the relatively minor impact PCI DSS 4.0 changes are likely to have, many companies anticipate that there will be some difficulty adjusting.
Given the importance of compliance, as well as all the variables involved, professional guidance is the best way to stay secure.
How to Ensure Compliance with PCI DSS, 4.0 and Beyond
Whether your company is already compliant with PCI DSS 3.2.1, or 4.0 will be your first time, the team at RSI Security can guide you through the process. We are a full-service PCI DSS advisor and assessor, and have been facilitating compliance for companies since 2008.
We can help your company with everything it needs to prepare for (and eventually attain) PCI compliance. Our suite of PCI DSS 4.0 preparation services includes:
- Comprehensive onsite security assessments
- Self assessment assistance and attestation of compliance
- Patch management, pertaining to requirement 6.2
- Penetration Testing and vulnerability scanning
- Robust employee training and education programs
All you need to get started is a consultation. For a quick summary of all the most relevant information, check out our PCI DSS data sheet. Then, for more detailed guidance through the short- and long-term cybersecurity practices you need to implement, get in touch!
Professional Compliance and Cyberdefense Solutions
RSI Security is an industry leader providing cybersecurity solutions to businesses of all types and sizes for over a decade. Our compliance advisory services don’t stop with PCI DSS; we also help with HIPAA, HITRUST, and any other regulatory guidelines you need to follow.
Plus, we’re well aware that compliance isn’t the end of cybersecurity; it’s just that beginning.
We provide a wide array of managed IT services—everything from overall architecture implementation to granular cybersecurity technical writing. Whatever your business needs to keep all personnel, clientele, and all other stakeholders safe, we can help you achieve.
So, contact RSI Security today to tackle any and all PCI DSS 4.0 changes with confidence. You’ll be amazed at just how powerful your cyberdefenses can be!
Schedule a free consultation