Merchants, service providers, and anyone else who handles payment card data: Get ready. Major changes are coming to the Payment Card Industry Data Security Standard (PCI DSS) when version 3.1 is retired on October 31, 2016. After this date, all validations must be to PCI DSS version 3.2 or later. Changes for version 3.2 are considered “best practices” by the PCI Security Standards Council until January 31, 2018, after which they become requirements for PCI DSS compliance. Companies that fail to meet the new requirements could face fines, increased fees, and even an end to their ability to process payment cards.
The standard has come under criticism lately for not preventing the payment card megabreaches that have plagued retailers and financial institutions over the last few years. Much of the criticism stems from the concern that companies tend to focus on passing specific PCI DSS audits. After an audit, however, many companies let down their guard and fail to maintain their security and compliance posture over the long term, or even between audits.
Instead of being updated every three years, PCI DSS will be subject to continuous improvements according to the threat landscape, requiring companies to implement PCI DSS compliance controls on an ongoing basis. As a result, companies will be required to ensure that security controls are in place following any change in their cardholder data environment.
To achieve this, Gartner recommends use (of) tools to automate the change management process, and make sure that the configurations for security devices are in compliance with PCI DSS.
Under the new rules, service providers must implement a process to detect and report failures to critical security control systems, including firewalls, intrusion detection and prevention systems, file integrity monitoring, antivirus software, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls.
To meet these requirements, Gartner recommends security leaders centrally monitor the alerts reported by critical security control systems, so that timely action can be taken with the help of tools such as security information and event management (SIEM) and network security policy management (NSPM) solutions.
Additionally, Gartner recommends “that instead of a goal-led approach to PCI DSS compliance, a systems-led approach is adopted, moving implementation of security controls away from a project-based approach into a day-to-day application, systems and security operations.”
To help companies with the task of meeting the new PCI DSS network security requirements, a recent Tufin white paper identifies seven network security best practices:
- Create a clear separation with proper network segmentation of PCI data and applications within the network
- Ensure that an enterprise-wide network change workflow process is in place that meets PCI requirements
- Ensure that every network change has a complete audit trail
- Validate every network change by analyzing the change for risks, getting approval by the business owner, and ensuring changes are implemented according to PCI-compatible network change workflow
- Ensure that firewalls protecting PCI zones work according to the following guidelines—every rule has a comment, every rule has a log, no rules with “any” in the Src, Dest, and Srv, no rules with risky services, and deletion of unused rules
- Ensure every firewall rule and cloud security group is documented properly with the business justification, business owner, and application name
- Ensure that firewall and cloud security group logs are kept for at least 12 months.
The three largest consumer financial services companies worldwide trust Tufin Orchestration Suite to ensure PCI DSS version 3.2 continuous compliance and audit readiness. The suite reduces time and effort required for PCI DSS audit readiness by up to 70 percent, implements network security changes in minutes, increases control with a unified console for defining network zones and managing segmentation, performs proactive risk analysis to avoid compliance and security policy violations, leverages customizable workflows for integration into enterprise IT service management processes, provides automated provisioning and end-to-end orchestration for multivendor environments, and supports TLS v1.2 as required for encrypted internal processes and secure communications. With a well-thought-out data security program and help from vendors like Tufin, companies should feel confident about meeting the new PCI DSS processes and requirements.
* “What's Changing and How to Respond to PCI DSS v.3.2”, Rajpreet Kaur and Jonathan Care, Sep 28 2016