New Version of Payment Card Information Standards Targets Recent Breach Issues
What’s the News?
Following recent updates, merchants and retailers will soon become subject to the updated Payment Card Information Data Security Standard (PCI DSS), the security standard that organizations need to follow if they handle credit and debit cards from major card companies, such as Visa, MasterCard and American Express. This round of changes will be known as version 3.2 of PCI DSS, and include significant guidance and updates on hot topics such as encryption and strong credentials. Compliance with the changes is important because companies that are subject to PCI DSS but fail to comply face exclusion from processing credit card payments and/or hefty fines. Sometimes, noncompliance could mean leaving open the doors to your cardholder data environment, thereby allowing hackers and malicious entities to enter.
To allow time to implement the changes, the new standard will be considered best practice during a “sunrise period” ending in January 2018, after which it will become the official requirement for covered entities. Given this, retailers and merchants subject to PCI DSS should review their practices and procedures to prepare for any necessary changes.
Who is Affected?
All companies (including retailers, merchants, and service providers) subject to PCI DSS should be aware of the updated version of the standard. Companies that collect, process, or store cardholder information must comply with PCI DSS.
What Do You Need to Know?
The PCI Security Standards Council has taken into account recent payment card information breaches and the methods of attack in updating the standard. Some of the most significant changes are summarized as follows:
- Stronger encryption means old and weak protocols are out; new and stronger ones are in. The new standard includes an appendix for companies to use in reporting their effort to migrate from old and weak protocols to more secure encryption protocols. As some of you may already be aware, the PCI Security Standards Council had previously issued guidance specifically removing Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) protocols as examples of strong encryption protocols. Organizations were required to migrate to a secure version of TLS (currently v1.1 or higher). This guidance resulted from a series of high-profile breaches caused by weaknesses in the old encryption protocols, specifically SSL and early TLS, and is in line with industry guidance. Migration to TLS version 1.1 or later must be completed by June 2018, but waiting is not recommended in light of the widespread and known vulnerabilities relating to the old protocols.
- Stronger credentials require multi-factor authentication. The updated standard clarifies that there should be at least two “factors” used to authenticate users with administrative access to the cardholder data environment or remote access to the cardholder environment. These factors may include at least two of the following: something you know (e.g., a password), something you have (e.g., a token), or something you are (e.g., any biometric, such as a fingerprint).
- Service providers have enhanced obligations. The new standard expands requirements for service providers who play an important role in securing cardholder data for organizations. The changes require service providers to implement specific security controls. Another change involves the Designated Entities Supplemental Validation (or DESV), an existing set of criteria that help service providers address key challenges in protecting payments. The DESV is moved into PCI DSS standard itself as an appendix, to consolidate requirements and also to reinforce its importance. Companies are only required to undergo DESV assessments if instructed to do so by an acquirer or payment brand, but it is recommended that companies look at the DESV to see whether some of the controls should be included in their security practices.
- Increased emphasis on validating ongoing security. The new standard emphasizes the importance of validating that security controls are in place and working at all times, particularly after an organization implements an “impactful” or significant change—for example, changing payment applications or devices such as firewalls—that may affect the cardholder data environment. This new requirement highlights the importance of having a process to analyze how changes may impact the payment card environment and the security controls that companies rely on to protect cardholder data.
What are the Next Steps?
Failure to comply with PCI DSS can have serious consequences, including hefty bank fines, suspension of a company’s right to accept credit cards, and could even result to a breach of cardholder data. Given this, it is important to get started with any necessary updates. Beginning now, helpful next steps include the following:
- Review PCI DSS 3.2 changes and identify any gaps;
- Establish a timeline for rolling out compliance initiatives in response to the changes and identified gaps;
- Invest resources in addressing key changes involving strong encryption and credentials, which have known and widespread vulnerabilities;
- Review third party relationships and confirm that covered service providers are doing their part to comply with the new standard;
- Use the next PCI DSS assessment which will be based on the new standard to remediate or at least mitigate any gaps;
- Make sure that gaps are addressed by January 2018.
Arent Fox’s Cybersecurity & Data Protection group monitors developments in the privacy and cybersecurity field. For more information, please do not hesitate to contact Sarah L. Bruno, Anthony V. Lupo, Matthew R. Mills, Eva J. Pulliam, and Lourdes M. Turrecha.