If your company accepts credit card payments and processes cardholder data, then there are some significant changes to security requirements coming down the pipe that you should be aware of.
In a few weeks, the bar will rise for companies who take credit card payments online. June 30 is the last stage of the Payment Card Industry Security Standards Council’s implementation of PCI DSS 3.0. Until now, many of the requirements in the standard were considered little more than best practice, but as of June 30, they will turn into mandatory ones. There are a few hoops to jump through, if you haven’t already:
Session management
Companies who haven’t already done so will have to verify that they have addressed broken authentication and session management, to stop attackers from stealing legitimate account login details or session tokens.
POS protection
Merchants must physically protect card readers to prevent skimming and other reader tampering devices. This applies specifically to merchants involved in ‘card-present’ transactions. That means that point-of-sale devices that have already been configured to deal with this must be taken care of by June 30. Companies must also maintain an inventory of all card swiping devices, and train staff on the importance of physical card security.
Penetration testing
Companies must adopt an industry-accepted approach for the penetration testing (ethical hacking) procedures used to secure their networks. Testing must include internal and external tests for all components of the system that hold credit card data, and must also cover both the network and application layers. This requirement also mandates that companies retain documentation of both the testing and the remediation results according to a formal schedule.
Service providers
The above requirements just about covers it for merchants, but service providers have two extra hoops to jump through. They must use unique credentials to access customer systems remotely, rather than a single password for all accounts. Third party companies who are responsible for the security of cardholder data must also acknowledge that in writing to customers.
The Payment Card Industry (PCI) Council also recently updated its security standard with new encryption technology baseline that could have an impact on your security infrastructure.
In mid-April, the Council introduced version 3.1 of its PCI Data Security Standard (DSS) document for merchants that accept credit card payments. It is a relatively minor release in most respects, but it does make a significant change, concerning Secure Sockets Layer (SSL), and Transport Layer Security (TLS).
Both of these encryption standards are designed to protect data in transit between devices and online applications. They have been proven vulnerable, with the most recent vulnerability discovered by Google. Its researchers found a flaw called POODLE last October. This revolved around the standard’s use of RC4, which is an encryption algorithm that had long since been proven to be vulnerable.
Last year, the US National Institute of Standards and Technology (NIST) updated its own guidelines on TLS encryption. Vulnerabilities in TLS 1.0 make it inappropriate to use, meaning that organizations should move to version 1.1 or 1.2 of the encryption standard, said the NIST document. The PCI Council has adopted this recommendation in PCI DSS 3.1.