In 2015, version 3.0 of the payment card industry data security standard (PCI DSS) is no longer optional. So, what’s ahead for merchants already familiar with the version 2.0 requirements? What’s the best way to prepare for PCI DSS 3.0 compliance?
First, it is important to understand the key changes and additions in PCI DSS 3.0. Many of the changes involve renumbering, reorganizing and consolidating the requirements, which makes for a more organized and less ambiguous set of controls.
Another welcome change is the reorganization of the standard to include a "Guidance" column to the right of the Requirements and Testing Procedures, in place of the former "In place/Not in place" column. The information in this column of the standard really helps to clarify the intent and benefit of each requirement.
The most significant new requirements merchants need to consider are those related to segmentation, penetration testing and documentation.
One of the major changes that many convenience store retailers may struggle with has to do with clarified and enhanced scoping and segmentation requirements. Many merchants are already aware of the benefits of segmentation, or putting different components in different network segments.
Effective segmentation makes meeting compliance requirements easier because it reduces the number of components that need the full PCI treatment. By placing components that do not store, process or transmit cardholder data in separate network segments, the workload of PCI compliance shrinks. There is no reason, for example, for an HVAC controller to sit on the same network as a point-of-sale system. Putting the HVAC system on its own segment is not only more secure, it also reduces the work of demonstrating compliance, because the HVAC system no longer has to be assessed.
Without adequate network segmentation (sometimes called a "flat network"), the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of means, such as properly configured internal network firewalls, routers with strong access control lists, segmenting network switches, or other technologies that restrict access to a particular segment of a network.
To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data, such that even if the out-of-scope system component was compromised, it could not impact the security of the cardholder data in the network.
Many merchants have been reluctant to segment their in-store networks because of a belief that segmentation is difficult, complex or expensive. But managed Ethernet switches that support VLANs (the author's "segmenting switches") are now available from mainstream network gear suppliers such as Netgear, Cisco and Hewlett-Packard at a reasonable cost-per-port.
Another option is to use multiple inexpensive unmanaged switches to break up the network, if the perimeter security device has several separate network ports, as many of the more modern perimeter security devices do. Attach each switch to its own port on the firewall, then attach each device to the switch for its segment. The separation only counts if the firewall's policy between those ports is deny-by-default, with rules permitting only the specific traffic a segment needs; separate switches behind a firewall that freely routes between its ports are still one flat network. Label everything carefully to meet the penetration testing and documentation requirements discussed below.
Version 3.0 of the standard requires penetration testing (a.k.a. "pen testing") to validate that the segmentation is properly implemented (requirement 11.3, specifically 11.3.4, which calls for testing at least annually and after any change to the segmentation controls; it is a best practice until June 30, 2015, and a requirement after that). There is some misunderstanding about what penetration testing is and what it accomplishes. Again, the new "Guidance" column really helps clarify the requirement.
Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often, the tester will chain several types of exploits together with a goal of breaking through layers of defenses.
For example, if the tester finds a means to gain access to one device, they will then use the compromised device as a point to stage a new attack based on the resources the device has access to. In this way, a tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment.
Because penetration testing is a manual process, it can be expensive, especially if there are many different or non-standard store configurations, each of which has to be tested separately. So the new pen-testing requirement is a strong financial motivation for merchants to do something that is a good idea anyway: standardize store network configurations so that one test covers many stores.
This requirement, as well as the recent highly publicized breaches of networks that did not employ good segmentation and isolation techniques, is motivating progressive merchants not only to segment their networks, but also to eliminate as many persistent connections to vendors as possible.
Where persistent connections to vendors must remain, merchants should be aware of the new requirement (8.1.5) that vendor remote-access accounts be enabled only during the time period needed, disabled when not in use, and monitored while in use.
Many merchants and vendors are not set up this way, instead relying on persistent connections and shared, well-known vendor passwords. There is also a new requirement (8.5.1, a best practice until June 30, 2015, and a requirement after that) that service providers with remote access to customer premises use a unique authentication credential, such as a password, for each customer, so that one vendor password stolen from one merchant does not open every other merchant that vendor supports.
Reporting requirements for Qualified Security Assessors (QSAs) are more detailed and stringent under PCI DSS 3.0, which means it is important for merchants to have clear, organized and up-to-date documentation of the controls that are in place.
Organizing this documentation will save larger merchants time and money in the assessment process, and it will simplify the Self-Assessment Questionnaire process for smaller merchants as well. Most importantly, by carefully documenting and verifying their controls are in place, merchants can better protect themselves against security breaches.
Editor's note: The opinions expressed in this column are the author's and do not necessarily reflect the views of Convenience Store News.