PCI DSS Prioritized Approach v2.0
Version 2.0 of the Prioritized Approach has been released and is available for download at www.pcisecuritystandards.org.
So what’s moved?
A number of controls have been moved from milestones 5/6 to milestones 2/4:
9.1 – Physical Access
10.5 – Audit Trail Integrity
11.1 – Wireless Scans
12.5.3 / 12.9 – Incident Response Plan
11.3 – Penetration Testing
12.1.2 – Risk Assessment
Why were things changed?
According to the council, it was to “reflect the evolving risk environment, and to align requirements with milestone control areas”.
So after years in the making, the council have now decided that Incident Response Planning, Penetration Testing and Risk Assessments are actually quite important and shouldn’t have been de-prioritized in the first place.
These are hardly “evolving risk environments” – they’re the mainstay of any information security governance framework, and this move is evidently a corrective step to put proper security governance back into the Merchant PCI DSS Compliance program.
Too much, too little, too late?
As breaches are still on the rise, any positive move like this will do card security a world of good. When Visa first passed their idea that milestones 1 to 4 should be validated for safe harbour, the whole world all of a sudden forgot about milestones 5 and 6, so this is clearly an attempt to pull important controls back out of those sections and bring them into milestones 1 to 4.
How will it affect me?
If you are a Merchant and PCI DSS Compliance is on your radar, the validation requirements for meeting the new milestones 1-4, whether to be granted safe harbour or to be noted as compliant under Visa’s TIP program, will now mean more work.
For some Merchants this will present a significant change and it is important that these changes are reviewed to work out what they mean for you and how to properly adopt them.
Physical Access
CCTV or badge/key systems that can be monitored are required to protect sensitive areas. A lock and key is inadequate unless an independent individual can sign-out and sign-in keys (a process that has never been proven to me in audits).
In addition, physical access to publicly accessible network jacks and/or any in scope equipment attached to them should be restricted.
As this is now milestone 2, there are potential non-compliance/progression fines attached should a Merchant not be able to demonstrate adherence.
Audit Trail Integrity
How do you know your log files haven’t been tampered with, and if they are tampered with, what were the changes and how do you restore integrity?
In a heterogeneous environment with lots of different flavours of lots of different things, this is unlikely to be achieved without using specific Security Event Management software or appliances.
Both authorized and unauthorized users must be monitored – that includes sysadmin accounts, which does imply that another level of ‘security monitoring user’ should be inserted above standard user and sysadmin roles.
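As an added illustration of the tamper-detection question above (not the post’s own material, nor any SEM vendor’s product), here is a small hash-chained audit trail: each record’s tag depends on the previous tag, so a verifier can tell not just that the log was altered but at which record the alteration starts. The log lines and the collector key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample audit-trail entries (not from any real system).
SAMPLE_LOG = [
    "2011-04-30T09:00:01 login user=alice src=10.0.0.5 result=success",
    "2011-04-30T09:05:12 sudo user=bob cmd=/bin/cat /var/log/auth.log",
    "2011-04-30T09:07:44 login user=mallory src=10.0.0.9 result=failure",
    "2011-04-30T09:08:03 chmod user=bob target=/var/log/auth.log mode=0666",
]

# Hypothetical key held only by the central log collector, not by the hosts
# (or sysadmins) that produce the log, so a host-side edit cannot re-seal it.
COLLECTOR_KEY = b"constructed-example-key"
GENESIS = b"\x00" * 32  # fixed starting "previous tag" for the chain


def seal_log(entries, key=COLLECTOR_KEY):
    """Return [(entry, tag_hex), ...] where tag_i = HMAC(key, tag_{i-1} || entry_i).

    Editing, deleting or reordering any entry changes its tag and every tag after it.
    """
    prev, sealed = GENESIS, []
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        sealed.append((entry, tag.hex()))
        prev = tag
    return sealed


def verify_log(sealed, key=COLLECTOR_KEY):
    """Return -1 if the chain is intact, else the index of the first record that fails.

    That index is where an investigator starts comparing against the collector's copy.
    """
    prev = GENESIS
    for i, (entry, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


def simulate_edit(sealed, index, new_entry):
    """Test helper: change one record in place without touching any tag."""
    copy = list(sealed)
    copy[index] = (new_entry, sealed[index][1])
    return copy
```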
Wireless Scans
Merchants breathed a HUGE sigh of relief when Visa announced its Technology Innovation Program (TIP), which effectively put store-level wireless scans off the radar for large merchants. Unfortunately, they’re back, but fortunately the whole industry understands this a little better, and a combination of scans, physical inspection, logical inspection (i.e. looking for switch ports up/down on managed switches), NAC and WIPS can be used to meet this requirement.
Better still – expand this to ensure that ANY unauthorized device is detected, not just wireless access points, and you’ll be on the right track and have something you can use once PCI DSS has gone away.
Incident Response Plan
As a milestone 6 item, and the last thing on a ROC a QSA has to tick before he/she goes home, it previously received little attention. Now firmly wedged in the middle of the standard, it’s going to be hard to avoid.
What I would be looking for is an IRP that WORKS and has been TESTED.
Whilst a few years ago we QSAs would just tick the box having seen a bit of paper with Incident Response Plan written on it, expect far more scrutiny. It must be FUNCTIONAL and not a copy/paste of the guides available from the card schemes.
Penetration Testing
What fails most audits are penetration tests that have not been scoped properly and fail to take into account the entire social, physical, network and application architecture that comprises scope.
This now has moved to milestone 2 and must be completed and maintained to avoid any non-compliance penalties from Visa Europe.
The ante has been upped and Merchants do need to think about doing these properly and/or engaging a security testing firm with the right attitude and experience.
Penetration testing, as many of you will know, is not a regulated industry. There are no defined standards or methodology one must follow for a PCI DSS Penetration Test, and this has always scared me.
The majority of pen tests flying around seem to be network-orientated, and the results look very similar to the output of automated tools.
A Penetration Test based on automated tool output is NOT sufficient for a PCI DSS Audit. They must be manually scoped, enumerated and no stone left unturned. If someone tells you they can do one in a day, they’re either lying, or are going to issue a report that does not make the grade.
A passing penetration test is a page or two from an experienced security tester that defines the scope and the tools/methodology used and issues an all-clear.
A 300 page report presented to a QSA is a guaranteed fail.
A report that doesn’t focus on card data is a guaranteed fail.
A report put together by somebody not experienced in doing security testing is a fail.
Point is – think about doing these properly. Don’t leave them to the end of the year (as most will find problems) and look at running at least 2 or 3 during the year to give you ample opportunity to remedy findings.
Lastly, a penetration test should be based on a scope that a QSA/ISA provides, and not be put together by the testing firm or indeed by internal merchant resources who are not scope-aware.
Risk Assessment
I am glad that this control has finally moved forward, but am concerned that this ‘information security governance’ control has been thrown into the ‘data security world’ of retailers.
What is a Risk Assessment? How is it done? How thorough must it be for an audit?
Well, they’re a bit of an art form to say the least (each security professional has his or her own way of doing these), but what I would be looking for as a QSA is a Risk Assessment, involving KEY stakeholders (and not just sysadmins), that takes a holistic view of incidents that have happened over the past year (both to the audited entity and to other entities) and results in a revised security strategy for the year ahead.
The Risk Assessment workshop should be fully minuted and result in a plan.
Things in the security world change at a rapid pace. A plan that just says “we’re OK, there are no new threats that can affect us” is a fail, as again, either someone’s lying or it hasn’t been done properly.
This is a long blog post
Sorry. I’ll stop there, but hope you get the point and have enjoyed reading!
On a final point, Visa’s TIP is effective from 30th April 2011. The Prioritized Approach v2.0 is effective from 30th April 2011. Thinking PCI SSC? Think Visa… as they evidently have a strong influence on what’s been pushed out.