The eagerly anticipated update to the global Payment Card Industry Data Security Standard (PCI DSS) has been released today, Thursday April 28th 2016. This update to the standard has been much discussed in online information security forums and at the PCI events this year. As we already know, the reason for publishing the standard early (it was scheduled for its usual October release) was so that the revised timescales for the removal of SSL and TLS 1.0 could be included, but what else is in store?
Well, as we know, the PCI DSS is considered to be a mature standard now, so it is unlikely that we will see radical changes to its contents and requirements. For those of you familiar with “Moore's Law” (https://en.wikipedia.org/wiki/Moore%27s_law), the weakening of security ciphers is predictable as computing power increases. This has resulted in the weakening of SSL as a means of encryption, and in the development of more complex cryptographic protocols. SSL went through three basic versions, culminating in SSL 3.0, which was then developed into TLS 1.0. This version of TLS is also vulnerable to attack, as it has the inherent ability to be downgraded to SSL 3.0 thanks to its close relationship with that protocol, which is why TLS 1.1 is the current starting point. So, enough of the cryptography lesson: what else has changed?
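As an added illustration of what the SSL and TLS 1.0 retirement means in practice (this is example code, not from the post or from the PCI SSC; the function names and the unpinned 'before' context are hypothetical), here is a small audit of a Python `ssl` server context that pins the protocol floor at TLS 1.1, the starting point the post names:

```python
import ssl

# The post names TLS 1.1 as the starting point once SSL and TLS 1.0 are gone,
# so that is the floor this added check enforces. Function names are hypothetical.
TLS_FLOOR = ssl.TLSVersion.TLSv1_1
EARLY_TLS = ssl.TLSVersion.TLSv1   # "early TLS" in PCI DSS terms


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses SSLv3 and TLS 1.0 at the handshake.

    certfile/keyfile are optional so the context can be built and audited
    offline without a certificate on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_FLOOR      # pins the floor; older ClientHellos fail
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def unpinned_server_context():
    """Constructed 'before' case: no floor pinned, so the linked OpenSSL decides."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return findings against the protocol floor; an empty list means compliant."""
    low = ctx.minimum_version
    # TLSVersion is an IntEnum, so ordering comparisons work; MINIMUM_SUPPORTED
    # (-2) sorts below every real version and therefore counts as a finding.
    if low < TLS_FLOOR:
        return [f"minimum_version is {low.name}; floor required is {TLS_FLOOR.name}"]
    return []


def would_accept(ctx, client_version):
    """Whether a client offering at most client_version can complete a handshake.

    Returns None when the floor is not pinned, because the answer then depends
    on the OpenSSL build rather than on this configuration.
    """
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return None
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return client_version >= low
    return low <= client_version <= high


if __name__ == "__main__":
    ctx = hardened_server_context()
    print(audit_context(ctx))                          # []
    print(would_accept(ctx, EARLY_TLS))                # False
    print(would_accept(ctx, ssl.TLSVersion.TLSv1_2))   # True
```

The same `minimum_version` check can be run against any context an application builds, which is a quicker way to catch a regression than waiting for the next external scan.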
As technologies move on, the standards have to try to keep pace, and this is reflected in some of the changes to the terminology used in the PCI DSS. “Two-Factor Authentication” is now replaced with “Multi-Factor Authentication” for administrators accessing the cardholder data environment (CDE), whether from internal devices or remotely. That is probably one of the most significant changes for those in scope for a full PCI assessment.
Some further clarification around when the primary account number (PAN) should be masked when displayed has also been included, along with a completely new appendix aimed at service providers who process payment card data in bulk. It seems that this section will be completed upon request by either a card scheme or an acquirer, so it may take a while for this to filter through, depending on the speed at which the various industry bodies decide to act.
This new section is entitled the “Designated Entities Supplemental Validation (DESV) criteria for service providers”, and it details some very sensible ‘business as usual’ activities for these companies. These new validation requirements range from ensuring Board accountability for the PCI environment and ensuring the scope of the secure environment is accurately documented, to providing annual PCI DSS training and implementing a regular data discovery program. Each of the validation statements is neatly linked back to the related PCI requirement. The data discovery program is linked back to the original “Scoping of the PCI DSS environment”, and rightly so, as this was often overlooked by many in the industry.
So, in short, the new version of the standard is out now and is available for download from the PCI SSC portal. Is it ground-breaking? No, probably not, but with the standard being as robust as it already was, these changes do hit the mark very well.