It may not seem like it yet, but the New Year will be upon us before we know it. And as the lights of 2014 are switched off, so the world says goodbye to PCI DSS version 2. Is your business ready for the change?
New year, new standard
PCI v3.0, which was released in November 2013, will become mandatory as of 1st January 2015. Until now you had the option to achieve your compliance in either version of the PCI standard, and a few unaware businesses who gained compliance in v2 risk getting caught out. The step from v2 to v3 sees some significant differences:
- Evolution of existing requirements
- Introduction of a few more requirements
- Clarifications to existing requirements that were previously open to interpretation
The new framework is evolutionary rather than revolutionary, but it is certainly mature [1], and not many new requirements were expected. Supplementary materials are often released to provide guidelines, and we soon expect a new guideline for log reviews to be released, hopefully clarifying some inconsistencies in the standard. All of these guidelines and requirements started out as best practices that were then formalised and pushed out for everyone to adopt. What is really beneficial from my point of view is the direction version 3 of the PCI standard has taken: it has remained flexible enough to be driven by an organisation’s current risks and assessments. People and organisations are typically poor at understanding risks, even when we experience them in our day-to-day lives. PCI makes the risk management process simple. Why is this important? Good risk management can sustain your business in the market, whilst bad or non-existent risk management can remove it from the market. It is as simple as that.
Personal security highlights
Penetration testing is now essential for all in-scope assets under v3. Think of all the hard work you put in to segregate, configure, harden, patch (and so on) your network infrastructure. Now imagine you can still be penetrated thanks to a silly human-error misconfiguration on your firewall. Well, no more: penetration testing must be done at least once a year and upon significant changes to your technology or environment. Testing is the best exercise for proving that your systems provide a sufficient level of security. Another thing that I really like is the due diligence that is now exercised over the service providers and third parties that provide any sort of service to your card data environment. You’ve probably heard a fair few people saying they’ve outsourced their website’s payment application, or even the whole development of their website, to a third-party development company. PCI compliance is mandatory for the aforementioned service providers, with important security questions asked and answered that mean the likelihood of a breach is lowered. Who are the people that manage your environment? How do they connect to the environment? How have they proved segmentation? How is everything monitored and controlled?
The here and now
People often ask me for advice on integrating PCI into business-as-usual practices. After all, once PCI requirements are integrated into operations, you’ll find maintaining on-going compliance an easy, natural part of your business function. The following steps outline an “in a nutshell” approach; when implementing them you’ll need to drill down according to your organisation’s nature, risks and requirement applicability.
- Form a PCI DSS Steering Group. Make sure you’ve got all relevant employees in the loop and everything is being communicated effectively between different teams.
- Train your employees for their roles and responsibilities. Make sure they get continuous training on PCI and on current security trends in general. People who get half an hour of training per year are people who are not adequately security trained. Such box-ticking is not just a waste of your time and resources: it also leaves your organisation vulnerable.
- Assess the risks to your out-of-scope items as well as your in-scope ones. It is important to know the risks in all parts of your business, and what, when and how you will do something about them.
- Put the necessary security controls in place and monitor them. This will take time to be set in place correctly. Try to go beyond PCI compliance controls: the more in depth you go, the more secure you will be.
- Be able to identify and respond to people, process and technology failures or pitfalls. This again comes down to awareness and training of your employees and efficient inter- and intra-team communication.
- Identify and understand any changes to your environment. The scope must be updated and the aforementioned controls should take into consideration the new people and assets.
- Review the outcome of the aforementioned controls and improve! Nothing is perfect and there is always room for improvement.
Back to the future
As mentioned above, the new PCI DSS standard is an evolution of what came before. It is very welcome, but it is not bullet-proof. The key to good security is to always think of compliance as the bare minimum and not the finish line, because, as I’ve discussed in previous blogs, compliance does not necessarily mean security. 2015 will undoubtedly bring new challenges and we must all be ready to face them, by being pro-active and re-active at the same time. Invest in your people, processes and technology, not in ticking boxes.
[1] PCI celebrated its 10th birthday in 2014.