PROTIVITI FLASH REPORT

The PCI Security Standards Council Releases PCI DSS Version 3.2

May 9, 2016

On April 28, 2016, the PCI Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2, which had been available for preview to stakeholders since April 15. The PCI DSS is a widely accepted set of policies and procedures intended to secure credit, debit and cash card transactions and to protect cardholders from misuse of their personal information.

Version 3.2's April release represents a change of pace in PCI DSS updates, occurring outside the PCI SSC's normal update cycle. (However, Troy Leach, chief technology officer of the PCI SSC, has stated that no further revisions to the PCI DSS will occur in 2016.)

As with every prior version or release of PCI DSS, many clarifications have been made, along with clerical changes. But what the industry wants to know is which changes impact their business. Below, we have outlined the more notable changes for affected organizations.

Major Changes for All Entities

These are changes for which processes or additional technologies will need to be deployed in order for an organization to remain in compliance with PCI DSS. The changes may require a high level of effort to achieve compliance and could leave organizations out of compliance for an extended period.

1. Multi-factor authentication

The term "multi-factor authentication" replaces "two-factor authentication." This in and of itself should not impact compliance for an organization, but a new requirement for the use of multi-factor authentication for certain types of local access will. This is a two-part update: the first part is effective immediately when assessing compliance with v3.2, and the second part becomes effective February 1, 2018.

- Effective immediately: Multi-factor authentication must be used for all remote access (originating from outside the entity's network), including users, administrators and third parties.
- Effective February 1, 2018: Multi-factor authentication must be used for all non-console administrative access to the cardholder data environment (CDE), even when connecting from an internal corporate network.

2. File-integrity monitoring (FIM)

The PCI SSC removed the phrase "within the cardholder data environment" from the testing procedure for requirement 11.5.a. This could significantly impact organizations that do not have FIM or other change-detection solutions on all in-scope systems (i.e., systems that connect to the cardholder data environment). Many organizations do not necessarily have FIM technologies on, for example, point-of-sale or administrative workstations.

3. Change management

This is an area in which many entities have difficulty properly implementing a process and successfully documenting changes. The new requirement 6.4.6 adds steps to the existing change management controls. Upon completion of a significant change, organizations are now required to verify and document all PCI DSS requirements impacted by the change and to validate that they are still being met.

Major Changes for Service Providers

The following requirements reveal that the PCI SSC is focusing on service providers and increasing the scrutiny of compliance for this group of organizations. Service providers will need to assess these changes and ensure they are in place in order to stay in compliance with PCI DSS.

1. Security controls monitoring

Service providers are required to monitor and report on failures of critical security systems. The specific types of failures may vary depending on the function of the device and the technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline.[1] Incident response/problem management processes need to be updated as applicable to include this process. Critical systems include, but are not limited to, the following:

- Firewalls
- Intrusion detection/intrusion prevention systems
- FIM
- Anti-virus
- Physical access controls
- Logical access controls
- Audit logging mechanisms
- Segmentation controls (if used)

[1] Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2, April 2016, page 94, www.pcisecuritystandards.org/documents/pci_dss_v3-2.pdf.
The following processes need to be added to the incident response/problem management program:

- Restoring security functions
- Identifying and documenting the duration (date and time, start to end) of the security failure
- Identifying and documenting the cause(s) of failure, including the root cause, and documenting the remediation required to address the root cause
- Identifying and addressing any security issues that arose during the failure
- Performing a risk assessment to determine whether further actions are required as a result of the security failure
- Implementing controls to prevent the cause of failure from recurring
- Resuming monitoring of security controls

2. Executive management responsibility

Service providers are now required to assign responsibility for PCI compliance to a representative of executive management. The PCI SSC defines executive management as a C-suite executive, a member of the board of directors or an equivalent individual. While service providers already have a designated executive officer who signs the attestation of compliance (AOC), this step formally documents the responsibility.

3. Operational reviews

Service providers are required to perform quarterly reviews of operational processes to confirm that personnel are following security policies and procedures. These include but are not limited to the following:

- Daily log reviews
- Firewall rule-set reviews
- Application of configuration standards to new systems
- Response to security alerts
- Change management processes

Other Notable Changes

1. Penetration testing

Service providers are now required to test segmentation controls (if segmentation is used to reduce scope) at least every six months and after any change to those controls, compared to at least annually in v3.1. The annual frequency continues to apply to all other entities.

2. Documented description of cryptographic architecture

Service providers are required to maintain a documented description of the cryptographic architecture used in the CDE. This document must include the following:

- Details of all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any hardware security modules (HSMs) and other secure cryptographic devices used for key management

Migrating from Secure Sockets Layer (SSL) and Early Transport Layer Security (TLS)

Migrating away from SSL and early TLS has been an area of discussion for the past few years. Most organizations should have this on their road map already, if not already completed. The PCI SSC released a bulletin on December 15, 2015, updating the migration cutoff date for entities still using SSL or early TLS to June 30, 2018 (previously June 30, 2016). This update is now reflected in PCI DSS v3.2, along with moving the controls into Appendix A2. Note that the extension applies to existing implementations; new implementations must not use SSL or early TLS as a security control, and entities still running them must have a formal risk mitigation and migration plan in place.

Key Dates and Deadlines

- The next Payment Application Data Security Standard (PA-DSS) update will be released in approximately one month.
- PCI DSS v3.1 will be retired on October 31, 2016.
- Seven changes have an effective date of February 1, 2018 (they are treated as best practices until then). These changes impact the following requirements:
  - 3.5.1 Documenting the cryptographic architecture
  - 6.4.6 Assessment of PCI DSS requirements impacted by each change
  - 8.3.1 Multi-factor authentication for all non-console administrative access to the CDE
  - 10.8, 10.8.1 Detecting and reporting failures in critical security control systems
  - 11.3.4.1 Penetration testing of segmentation controls at least every six months
  - 12.4 Executive management responsibility for protecting cardholder data
  - 12.11, 12.11.1 Quarterly reviews of operational processes

In Closing

Migration from SSL and early TLS has been pushed to June 30, 2018. Companies should review the summary of changes and determine which of them will impact their environment for PCI compliance. Key items would include any controls that have increased in frequency or controls that now have frequency requirements.
About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Ranked 57 on the 2016 Fortune 100 Best Companies to Work For list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Billy Gouveia, +1.212.708.6391, william.gouveia@protiviti.com
Chris Luden, +1.703.350.4397, chris.luden@protiviti.com
Ryan Rubin, +44.207.389.0436, ryan.rubin@protiviti.co.uk
David Stanton, +1.469.374.2488, david.stanton@protiviti.com
Jeff Weber, +1.412.402.1712, jeffrey.weber@protiviti.com
Scott Laliberte, +1.267.256.8825, scott.laliberte@protiviti.com
Michael Porier, +1.713.314.5030, michael.porier@protiviti.com
Jeff Sanchez, +1.213.327.1433, jeffrey.sanchez@protiviti.com
David Taylor, +1.407.849.3916, david.taylor@protiviti.com
Mark Lippman, +1.571.382.7807, mark.lippman@protiviti.com
Andrew Retrum, +1.312.476.6353, andrew.retrum@protiviti.com
Cal Slemp, +1.203.905.2926, cal.slemp@protiviti.com
Michael Walter, +1.404.926.4301, michael.walter@protiviti.com

2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.