August 19, 2016
Guest Perspective: ‘Security is a Journey’ – What Businesses Need to Know about Complying with the Upcoming PCI DSS Requirements
By Don Brooks, Senior Security Engineer, Trustwave
The next month will be a busy time for any business that stores, processes or transmits payment card data since some of the changes in the latest versions of the payment card industry data security standard, PCI DSS 3.0 and 3.1, will be mandatory beginning June 30. Businesses and their third-party service providers must adhere to the requirements, or they risk falling victim to a breach in addition to facing costly fines.
Here are the requirements businesses must follow:
- New penetration testing methodology based on industry-accepted penetration testing approaches: Businesses must conduct penetration testing that covers the entire card-data-environment perimeter and critical systems as well as validate any segmentation and scope-reduction controls. The standard also specifies what application-layer and network-layer tests should include. Businesses must also report any threat vulnerabilities they have experienced in the last 12 months and explain how they will remediate weaknesses uncovered from penetration tests. The requirement encourages businesses to check their segmentation more carefully and reduce scope. A smaller cardholder is easier to protect. The requirement is far more explicit regarding the type of testing that needs to occur, especially when it comes to application testing. In the past, businesses were testing their unauthenticated areas but few tested their authenticated areas. Under the new guidance, businesses must test both.
- Verification that broken authentication and session management are addressed: Businesses must examine software development policies and procedures and interview responsible employees to verify that broken authentication and session management are addressed via coding techniques. This includes flagging session tokens (e.g., cookies) as secure, not exposing session IDs in the URL and incorporating appropriate time-outs and rotation of session IDs after a successful login. The requirement helps prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
- Added protection for in-store point-of-sale (POS) devices: Businesses must maintain a list of POS devices and periodically inspect them for tampering or substitution. They must also train employees to spot any red flags suggesting suspicious behavior and to report tampering or substitution of the devices. Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. They also try to add “skimming” components to the outside of devices, which are designed to capture payment card details before they even enter the device. This requirement helps businesses flag if a POS device is breached and know what actions to take so that any damage is minimized.
Beginning June 30, third-party service providers will need to:
- Acknowledge in writing to customers that they are responsible for the security of cardholder data: This kind of acknowledgement by service providers shows their commitment to maintaining proper security of cardholder data they obtain from businesses. It also promotes a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities.
- Use a unique authentication credential for each customer: To prevent the compromise of multiple businesses through the use of a single set of credentials, providers with remote access accounts to businesses’ environments must use a different authentication credential for each. Providers must also go through additional testing to examine authentication policies and procedures and interview personnel to verify that different authentication are used for access to each customer.
If businesses do not become compliant with the requirements, they could face multiple fines (although the amount varies due to certain factors such as if the business had been breached before, if they had been deemed not in compliance before, etc.).
The initial fine is typically $100,000 -$500,000. If forced to become Level 1 compliant—normally reserved for merchants that process more than six million payment-card transactions annually—they could face $50,000-$100,000 in additional expenses. Other non-compliance expenses include re-issuance fees for compromised cards (usually around $50.00 per card) and credit-monitoring costs (approximately $2.00 per customer).
If a company experiences a breach that involves 10,000 or more records, it could face a $250,000 fine from the card brands as well as a $5,000-$10,000 per-month fine per location until it verifies it is in compliance. A company also could face a re-issuance/credit monitoring fee of $520,000 and customer churn after such a breach is typically 8-19 percent.
While the new changes should help businesses better protect their valuable information, it’s critical to keep in mind that the PCI DSS is a baseline for security. We often see businesses check the PCI compliance box and go no further. In today’s business environment where the threat landscape is more complex than ever before, businesses need to flip the compliance model on its head—making sure their data is secure first, so that they inherently become compliant. They can achieve that goal by identifying where their valuable data lives and moves, implementing security controls to protect that data and continuously scanning and testing their assets to identify and remediate security vulnerabilities. Security is a journey, not a destination.
Don Brooks is a Certified Information Systems Security Professional (CISSP) and Senior Security Engineer at Trustwave. Trustwave provides managed security services and integrated technologies that protect data and reduce security risk. The company was acquired by Singtel , Asia’s largest telecommunications company, in April.