An organization can go to great lengths to protect its internal network, only to have all that effort undone by a third-party service provider that fails to take proper security measures.
Criminals are targeting third-party systems in the hope that less rigor is applied further down the support chain, using them as a path to customer data. Particularly at risk are third parties responsible for payment processing activities.
That’s why this week’s release of PCI Data Security Standard (PCI DSS) version 3.2 includes a number of updates that require service providers to demonstrate that they are continually protecting cardholder data. The new requirements focus on building trust in the service and assurance that the security processes continue to be met throughout the year.
Analysis of recent cardholder data breaches and PCI DSS compliance trends has revealed that many organizations view PCI DSS compliance as a periodic exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced. This can result in lapses in security controls and widen the compliance gap between assessments. New requirements in PCI DSS 3.2 for service providers emphasize the importance of validating that security controls are in place and working effectively, such as:
Reporting on failures of critical security control systems (Req. 10): Formal processes for the prompt detection and alerting of critical security control failures must be in place to ensure failures do not go undetected for extended periods and provide attackers ample time to compromise systems and steal data.
Conducting regular penetration testing on segmentation controls at least every six months (Req. 11): For service providers, validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives. Penetration testing requires organizations to treat compliance as an ongoing, daily activity.
Performing reviews at least quarterly, to confirm personnel are following security policies and operational procedures (Req. 12): The intent of these independent checks is to review evidence that confirms security activities are being performed as expected. These reviews can also be used to verify that appropriate evidence is being maintained (for example, audit logs, vulnerability scan reports, firewall reviews, etc.) to assist the organization’s preparation for its next PCI DSS assessment.
Establishing responsibility for protection of cardholder data and the PCI DSS compliance program at the executive management level (Req. 12): Payment security has to be a C-level priority. Executives need visibility into the PCI DSS compliance program and the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities. If you are part of senior leadership in an organization and entrusted to protect the cardholder data of your customers, you want to be sure you are fully aware of your PCI DSS responsibility.
Most of these updates in PCI DSS 3.2 are extensions of existing PCI DSS requirements that service providers should be demonstrably testing more regularly, or for which more evidence that the control is in place is now required. These new requirements should already be part of service providers’ efforts to manage the effectiveness of security within the cardholder data environment, but, if not, organizations have a window of time to put them in place before they take effect as requirements. All new PCI DSS requirements are considered best practices until 31 January 2018.
We strongly encourage any organization, not just service providers, to review these new requirements and evaluate the merits of including them as best practices in their security policies and procedures. With more regular checks to verify that security controls are operating as expected, you not only improve prevention against a data breach but also likely reduce the overall cost associated with any form of compliance.
Troy Leach is Chief Technology Officer of PCI SSC.