The standard now requires an annual risk assessment, and a reassessment upon significant changes to the cardholder data environment, said Pat Harbauer, a senior security consultant and PCI expert for Neohapsis, a Chicago-based mobile and cloud security services provider. Organizations also must provide a penetration testing methodology, outlining how an assessment was undertaken. Organizations shouldn't rely on an automated vulnerability scan to fulfill a pen testing requirement, Harbauer said.
"There still seems to be a lot of confusion around the difference between a vulnerability scan and a pen test," Harbauer told CRN. "There's a manual component to a pen test, and it should be a part of every organization's change management plan."
The standard now clearly delineates that service providers need separate authentication credentials for remote access to each client. The wording was added to the document following several breaches that stemmed from an attack against a third-party service provider that used the same password for remote access to all of its clients. The attacker obtained the password, gaining carte blanche access to hundreds of customers and, ultimately, an easy way to steal hundreds of thousands of credit cards. The issue highlights the problem of poor password management and is a violation of a basic security safeguard that all businesses should follow, said Troy Leach, chief technology officer of the PCI SSC.
"Security is a shared responsibility not only within your own company but with the partners that you are working with," Leach told CRN. "Our intent with this latest version is to make sure that these merchants are well aware of the fact that just because they outsource this stuff, their responsibility doesn't end."
In addition, the updated document indicates that point-of-sale systems are now within the scope of assessment. A qualified security assessor must ensure the devices are tamper proof and that the data they pull in is properly encrypted. Employees must receive security awareness training, and the systems must be periodically inspected for tampering. The standard also addresses the handling of primary account numbers (PANs) and sensitive authentication data in system memory. Processes need to be in place to effectively clear that data from system memory once it is no longer needed.
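As an added example of the kind of memory-clearing process the standard calls for, written in C and not taken from the article or from the PCI SSC: a working copy of a PAN is cleared through a volatile pointer so the compiler cannot drop the stores as dead code, and the caller can verify the clear. The secure_wipe, is_wiped and process_pan names, and the Luhn check standing in for whatever a POS actually does with the PAN, are assumptions.

```c
#include <stddef.h>
#include <string.h>
#define PAN_MAX 19   /* longest PAN length in common use */

/* Clear a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead code, which it may do with a plain memset() before return.
 * Hypothetical helper; prefer memset_s() or explicit_bzero() where available. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, so the caller can confirm the clear. */
int is_wiped(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Stand-in for a POS step that needs the PAN in memory: copy it into the
 * caller's working buffer, run a Luhn check, and wipe the copy before
 * returning. Returns 1 (valid), 0 (invalid) or -1 (bad input). */
int process_pan(const char *pan_in, char *work, size_t work_len)
{
    size_t n = strlen(pan_in);
    int sum = 0, dbl = 0, valid;
    if (n < 12 || n > PAN_MAX || n >= work_len)
        return -1;
    memcpy(work, pan_in, n + 1);
    for (size_t i = n; i-- > 0;) {
        int d = work[i] - '0';
        if (d < 0 || d > 9) {
            secure_wipe(work, work_len);   /* clear even on the error path */
            return -1;
        }
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    valid = (sum % 10 == 0);
    secure_wipe(work, work_len);           /* PAN is no longer needed */
    return valid;
}
```

The PAN used to exercise it below is a constructed test number, not a real card.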
In the past, point-of-sale terminal security was implied, said Rodolphe Simonetti, managing director of payment card industry services at Verizon. Simonetti said the PCI council has given merchants a lengthy period of time within which to voice their opinion about the changes. The timeline before merchants must fully meet the requirements also takes into account how long it takes to implement system changes, he said.
"They understand it is not possible to change an IT environment in a couple of weeks or months, so the rollout of this is aligned with reality," Simonetti told CRN.
PUBLISHED NOV. 7, 2013