By Jeff Man, Security Strategist and Evangelist, Tenable Network Security, exclusively for

PCI Part 2: Card-Not-Present vs. Card-Present Requirements

When the PCI Security Standards Council (PCI SSC) published version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) in November 2013, there were several changes the organization felt were significant enough to warrant a grace period. That reprieve came to an end June 30, 2015, when those changes morphed from “best practice” to “requirement.” There are five new requirements found in PCI DSS v3.0/3.1 that went into effect on this date. The first article in this series focused on the new penetration testing methodology requirement (11.3). This week will focus on two requirements that, together, apply to all merchants subject to PCI compliance.

There are two new requirements in PCI DSS Version 3.0/3.1 aimed at specific audiences. The first—6.5.10, “Broken authentication and session management”—is for merchants engaged in card-not-present payment acceptance, primarily through the use of e-commerce servers. In contrast, 9.9, “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution,” is focused on the physical security of payment acceptance devices used by card-present merchants. Of course, many merchants offer multiple payment acceptance methods, and in those cases both of these new requirements apply.

Broken Authentication & Session Management

PCI DSS Requirement 6.5 says entities must produce secure software by