PCI DSS 3.0 Draft Changes
The PCI SSC announced draft changes for PCI DSS v3.0 and PA-DSS v3.0 this week.
Whilst for most QSAs this shouldn't come as a surprise, what the new version will do is offer improved guidance for those who are self-assessing, to help ensure the intent of the standard is better understood by the merchant community.
So what’s coming?
Emphasis is proposed on ensuring network diagrams are created and that they correctly show the flow of cardholder data through the infrastructure, not just the network topology.
Finally, asset management is being brought to the table. Knowing what your assets are, where they are and what they do is essential to any security program. Whilst a Level 1 RoC will cover this (i.e. if a QSA comes and audits you), the self-assessment route has never been clear as to what an entity should be doing with regards to asset management.
Key management guidance will be improved. Hopefully it will embrace industry best practice and stop entities trying to keep public keys confidential. After all, they're public. Note the distinction, though: a public key does not need secrecy, but it does need integrity and authenticity protection, otherwise an attacker who can substitute their own public key defeats the encryption built on it.
As a PCI DSS control, anti-malware has never applied to "systems not commonly affected by malware". This has led to a spot of confusion, and *nix machines have often been left out of anti-malware solutions because administrators don't consider them commonly affected by malware. The standard will probably go on to define "system" properly and include guidance around anti-malware strategies for *nix, including how to justify and periodically re-evaluate any exclusion.
The application security requirements are due for a BIG revamp, as the OWASP Top 10 2008 is kind of history now and needs updating. The standard will most likely draw from a wider range of best practices and not just OWASP.
Technology has evolved, and that includes biometrics and systems that don't need passwords. The standard will adapt to support other authentication mechanisms.
An interesting move here, to ensure POS terminals are protected from tampering or substitution. That basically means locking them down to the till, or using PTS / UKPA approved PEDs that are tamper-resistant and tamper-evident by design. If your POS or PED is not physically locked down to a desk, then this control will likely affect you. Expect to need an inventory of devices (make, model, location, serial number) and periodic inspection for signs of tampering or substitution.
Application/service account passwords will be treated the same as user passwords, and must adhere to the same password management principles as standard user accounts. Split knowledge / dual control can be used to help here if you don't feel like changing service account passwords on a regular basis: no single person ever knows the whole password, and it takes two custodians acting together to reconstruct it.
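As an added example (not from the original post, nor 2-sec's code), here is the classic "key component" form of split knowledge applied to a service account password: each custodian holds one component, every component bar the last is uniformly random, and the password can only be recovered by XORing all components together. Any single component on its own is statistically independent of the password (split knowledge), and reconstruction requires every custodian to take part (dual control). The short check value is an assumption of this example (a truncated SHA-256), used so an operator can confirm a reconstructed password is correct without writing the password itself into a ticket or log.

```python
import hashlib
import secrets
from typing import Dict, List


def split_secret(secret: bytes, custodians: int = 2) -> List[bytes]:
    """Split `secret` into `custodians` XOR components.

    All components but the last are uniformly random; the last is the XOR
    of the secret with every random component. Fewer than all components
    reveal nothing about the secret.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    last = bytes(secret)
    for comp in components:
        last = bytes(a ^ b for a, b in zip(last, comp))
    components.append(last)
    return components


def combine_components(components: List[bytes]) -> bytes:
    """XOR every component together. Only the full set yields the secret."""
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("components must all be the same length")
    out = bytes(length)
    for comp in components:
        out = bytes(a ^ b for a, b in zip(out, comp))
    return out


def check_value(secret: bytes, digits: int = 6) -> str:
    """Truncated SHA-256 of the secret (assumption: a simplified check value).

    Safe to record next to the components: it confirms a reconstruction is
    correct but does not let anyone recover the secret from it.
    """
    return hashlib.sha256(secret).hexdigest()[:digits]


def new_split_password(custodians: int = 2, length: int = 24) -> Dict[str, object]:
    """Generate a fresh random service-account password and hand it out as
    hex-encoded components, one per custodian, plus the check value."""
    password = secrets.token_urlsafe(length).encode()
    comps = split_secret(password, custodians)
    return {
        "components": [c.hex() for c in comps],
        "check_value": check_value(password),
    }


def recover_password(hex_components: List[str], expected_check: str) -> str:
    """Dual-control reconstruction: every custodian supplies their component,
    and the result is accepted only if the check value matches."""
    password = combine_components([bytes.fromhex(h) for h in hex_components])
    if check_value(password) != expected_check:
        raise ValueError("check value mismatch: a component is wrong or missing")
    return password.decode()


if __name__ == "__main__":
    # Constructed example: two custodians for one service account password.
    record = new_split_password(custodians=2)
    for i, comp in enumerate(record["components"], start=1):
        print(f"custodian {i} component: {comp}")
    print("check value:", record["check_value"])
    print("recovered:", recover_password(record["components"], record["check_value"]))
```

The components are the only thing each custodian is ever shown; the check value and the list of who holds which component can live in the change ticket. When the password is rotated, generate a new record and retire the old components rather than reusing either of them.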
Much needed guidance will be included as to how to effectively scope a penetration test, most likely tied to the asset management guidance in Requirement 2 and the network diagrams in Requirement 1. This will help put some discipline on the penetration test companies themselves, to ensure tests are conducted correctly and across the full scope, including physical, people, network, VoIP and application testing.
As you know, we're busy working on the Third Party Security Assurance SIG that 2-sec proposed last year at the community meetings, and have some reasonable ideas about what we are going to see. At a minimum, we expect PCI DSS controls to be correctly mapped, showing whether the entity and/or the service provider is responsible for maintaining each control, with a list of "outsourced" controls maintained and kept current. Daily operational security procedures will be enhanced and include further detail as to what operational checks the DSS intends. This will include improved guidance on event logging, and will enable entities to take a risk-based approach to daily log reviews.
A few general improvements will no doubt be made to help ensure PCI DSS becomes business as usual. Ambiguous controls will be tidied up and instructions made more prescriptive, so self-assessed entities know exactly what to do to achieve, and maintain, compliance.
More information can be found here – https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf
For those that adhere to PCI DSS and take it reasonably seriously, the changes will not be a problem; but for those that pay PCI DSS lip service and use a tick-in-the-box mentality, the net will slowly close around you, and there will be very limited wiggle room. The standards will change, as will all self-assessment documentation, to make it somewhat clearer what the payment industry expects from you.
2-sec are running a PCI DSS v3.0 update day on the 23rd October – further details may be found here – https://www.2-sec.com/pci-dss-v3-0-update-training/