Changes to PCI

Discussion has long been underway regarding changes to the PCI DSS. It gets a refresh every two years, and October 2008 was the last release (version 1.2). Here are two examples of what to expect this coming October:

1) Some have suggested that segmentation will be clarified. I suspect this will not be a significant update.

The problem with segmentation is not that it is difficult to do or understand. The problem has been that some assessors have made mistakes. A firm that shall remain nameless has tried to argue that Active Directory alone, for example, would constitute adequate access control for segmentation. A QSA should know this is not true.

Those responsible for the compliance language simply have to make it clear now that things like directory authentication are not sufficient on their own for proper segmentation. Clarification or education about what we already (should) know is necessary, but it is still a minor update. We will continue to do things the way we have been doing them, while some others will be brought up to where they should have been all along.

2) Data discovery changes in October will be more significant.

A hint of what to expect can be found in the April 20, 2010 Visa Security Bulletin: Cardholder Data Security Best Practices for Visanet Processors. Companies that want to be PCI compliant need to be able to find all cardholder data within their storage, processing and network environments. This will become even stricter, in that tools to scan for and find the data will almost certainly be required. The card brands have always emphasized this, but they are about to push the point even harder. Here is an extract of the Visa language that should be considered today:

Create a data matrix detailing all of the business lines and processes that handle cardholder data. Explain the need for such data and note whether the data is being stored, processed and/or transmitted.

Specify all of the resources (including networks, systems, applications, databases, services, components and users) for each business line and process that have access to card data and explain the need for that access.

Adopt data loss prevention (DLP) solutions to actively locate card data in real time across the organization’s resources (including networks, systems, applications, databases and components). Some DLP solutions can alert designated individuals when unauthorized and unprotected card data storage is found, and prevent attempted, unauthorized transmission of card data out of the cardholder data environment.

We are thus already talking with customers about solutions to monitor and find cardholder data in real time and then quickly establish whether it is outside authorized business processes.

The change is significant because few if any organizations have a truly comprehensive grasp of all cardholder data in their environments. This will have to change for compliance.

The change is also significant because the tools that automate the discovery tasks do not yet work well enough to be production quality. This too will probably change for compliance. Run Spider a few times and you will most likely find yourself falling back to manual review of directories.
