
PCI DSS 3.2 - Top 3 Issues

The Payment Card Industry Data Security Standard (PCI DSS) is a framework maintained by the PCI Security Standards Council (PCI SSC), an organisation established by the major card schemes with input from financial institutions, retailers and professional service providers.

Security professionals have long advocated stronger security measures built on well-established best practices. There is now a clear business case for adopting them, and organisations must allocate budget (CAPEX and OPEX) to implement and sustain a compliance programme. PCI DSS is here to stay and will likely add further security controls in future versions.

PCI DSS Objectives and Requirements

PCI DSS consists of six objectives, detailed in 12 requirements:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Programme

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data on a need-to-know basis.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for all personnel.

Quick Assessment

While compliance with all PCI DSS requirements is mandatory, some are more challenging to implement and have a greater impact on overall security. Below is a brief assessment of each requirement before a deeper dive into the top three most difficult to address.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Most organisations already have firewalls protecting their internal systems from internet-based attacks. Internal network segmentation is less common, and organisations may struggle with this aspect of compliance, along with the documentation requirements (current network and data-flow diagrams, a justified rule base reviewed at least every six months). Segmentation is not mandatory, but without it the entire network is in scope for every other requirement. On average, organisations may achieve approximately 50% compliance with this requirement at the outset.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security settings

This should be an easy requirement to meet, but it is often overlooked. It covers system hardening (documented configuration standards, one primary function per server, removal of unnecessary services and default accounts), encrypted non-console administrative access, and changing wireless defaults. Organisations with legacy systems whose defaults cannot be changed or that cannot be hardened may have limited options for compliance.

Requirement 3: Protect stored cardholder data

This is one of the most challenging requirements. Unless an organisation's systems were designed with data protection in mind, it will struggle to comply. The best approach is to minimise or eliminate cardholder data storage: data that is not stored does not need to be protected, and every system that no longer holds it drops out of scope. The average organisation may only achieve 10% compliance with this requirement at the outset.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

This requirement appears straightforward, but legacy applications may not support strong cryptography, and PCI DSS 3.2 no longer accepts SSL or early TLS after 30 June 2018. Retailers using older wireless devices may need to upgrade their technology.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Most organisations deploy anti-virus software, but it must be installed on all commonly affected systems, kept current, actively running, generating audit logs, and not disabled or altered by users. The average compliance rate is around 80%.

Requirement 6: Develop and maintain secure systems and applications

Some controls in this section are easy to implement, while others, such as separating development, test and production environments at the network level, pose challenges. Change management is generally well established, but vulnerability management (identifying and risk-ranking newly discovered vulnerabilities, and patching critical ones promptly) remains an issue. Estimated compliance is around 40%.

Requirement 7: Restrict access to cardholder data based on business need-to-know

This is primarily a process-driven requirement. While management may perceive it as straightforward, it can require significant process redesign: access must be granted by role and job function, default to deny, and be documented and approved. Estimated compliance is around 50%.

Requirement 8: Identify and authenticate access to system components

Legacy systems present the biggest challenge, particularly for banks and retailers. Modern identity management solutions, such as Single Sign-On (SSO), can simplify compliance with the unique-ID and password-policy controls. Note that PCI DSS 3.2 also requires multi-factor authentication for all non-console administrative access to the cardholder data environment (8.3.1) and for all remote access into it (8.3.2); SSO on its own does not satisfy this.

Requirement 9: Restrict physical access to cardholder data

Information security measures are ineffective if physical security is inadequate. While data centres are generally compliant, securing other areas can be difficult. Estimated compliance is around 20%, but this requirement is relatively easy and inexpensive to address.

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging is straightforward, but reviewing logs effectively is more difficult: security events and logs from all CDE system components must be reviewed at least daily, and logs must be retained for a year with at least three months immediately available for analysis. Organisations are approximately 60% compliant with this requirement.

Requirement 11: Regularly test security systems and processes

This is one of the most challenging and costly requirements, primarily as an ongoing operational expense (OPEX). Many organisations conduct external security testing but neglect the internal quarterly scans and internal penetration tests the standard also requires. Network Intrusion Detection/Prevention Systems (IDS/IPS) and file integrity monitoring tools are expensive to buy and, more importantly, to operate. Approved Scanning Vendors (ASVs) such as Qualys, which perform the mandatory quarterly external scans, benefit from this requirement.

Requirement 12: Maintain a policy that addresses information security

Many organisations lack an information security policy aligned with a recognised framework such as ISO 27001. Ensuring policies are approved by management, reviewed annually and effectively communicated to all personnel requires cross-functional collaboration. Service providers that process cardholder data on an organisation's behalf must also be managed: their compliance status tracked, and responsibilities agreed in writing.

Top 3 Hardest to Fix Requirements

Requirement 3: Protect stored cardholder data

A typical online system consists of:

  • Web server
  • Application server
  • Database server

If any tier logs cardholder data, that log is in scope: the PAN must be rendered unreadable wherever it is stored (truncation, one-way hashing, index tokens, or strong cryptography with proper key management), and sensitive authentication data such as the card verification code, full track data or PIN block must never be retained after authorisation, encrypted or not. The better fix is to stop logging card data in the first place. Where the PAN must be stored, encryption can be handled at the application or database level, and organisations should assess which is more appropriate for their architecture. Commercial solutions for secure storage exist.
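The cleanest fix for card data in logs is to stop it reaching disk at all. The following is an added example, not code from the original article or from any product it mentions: a small Go log scrubber that finds PAN-shaped digit runs in a log line, confirms them with the Luhn check digit so order numbers and timestamps are left alone, and masks all but the first six and last four digits (the most Requirement 3.3 permits to be displayed) before the line is written. The log lines it runs over are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panCandidate matches runs of 13 to 19 digits, optionally separated by
// single spaces or dashes, the forms a PAN usually takes in free-text logs.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check digit test.
// Card numbers always do; most other long numbers (order ids, timestamps) do not.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits and replaces the rest
// with '*', which is the maximum PCI DSS 3.2 allows to be displayed.
func MaskPAN(digits string) string {
	if len(digits) < 13 {
		return digits
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// ScrubLine replaces every Luhn-valid PAN candidate in a log line with its
// masked form and returns the scrubbed line plus the number of PANs masked.
func ScrubLine(line string) (string, int) {
	count := 0
	out := panCandidate.ReplaceAllStringFunc(line, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(digits) {
			return m // not a card number; leave it untouched
		}
		count++
		return MaskPAN(digits)
	})
	return out, count
}

func main() {
	// Constructed sample log lines; the PANs are the usual published test numbers.
	lines := []string{
		`2024-03-01T10:15:02Z INFO  payment submitted pan=4111111111111111 amount=19.99`,
		`2024-03-01T10:15:03Z DEBUG raw form: card=5500 0000 0000 0004 exp=12/26`,
		`2024-03-01T10:15:04Z INFO  order id 1234567890123 shipped`,
	}
	for _, l := range lines {
		scrubbed, n := ScrubLine(l)
		fmt.Printf("%d masked: %s\n", n, scrubbed)
	}
}
```

Run it as a filter in the logging pipeline (before the line reaches the appender) rather than as a batch clean-up afterwards; once a PAN has been written to disk the file is already in scope. The Luhn check removes most false positives, but it will also pass any 13 to 19 digit number that happens to validate, so treat a match as a reason to mask, never as proof that a system is storing card data.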

Key management is another challenge. Encryption is ineffective if keys are weak, stored alongside the data they protect, or shared too widely. Requirements 3.5 and 3.6 expect documented, enforced procedures: keys generated with adequate strength and stored in as few locations as possible, data-encrypting keys protected by a key-encrypting key that is at least as strong, rotation at the end of each key's cryptoperiod, and split knowledge and dual control for any manual clear-text key operation. Key management solutions (HSMs or cloud key management services) can help mitigate this risk.
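To make the key-management point concrete, here is an added example (written for this page, not the article's own code or any vendor's) of the two-tier layout a card vault typically uses: each PAN is encrypted with a data-encrypting key (DEK), the DEK is held only in wrapped form under a key-encrypting key (KEK), and rotating the KEK re-wraps the DEK without touching the stored ciphertexts. The KEK is an in-memory byte slice here purely for illustration; the assumption is that in production it lives in an HSM or KMS and never leaves it. The customer id and PAN are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the vault persists for one customer: the AES-GCM ciphertext
// and nonce, never the plaintext PAN. The last four digits stay in the clear
// for lookup and display, which Requirement 3.3 permits.
type Record struct {
	Nonce, Ciphertext []byte
	Last4             string
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh nonce; aad is
// authenticated but not encrypted, binding the ciphertext to its context.
func sealAEAD(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func openAEAD(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapDEK encrypts the data-encrypting key under the key-encrypting key.
// Assumption: in production the KEK never leaves an HSM or KMS; it is a plain
// byte slice here only to make the two-tier structure visible.
func WrapDEK(kek, dek []byte) (nonce, wrapped []byte, err error) {
	return sealAEAD(kek, dek, []byte("pan-dek"))
}

func UnwrapDEK(kek, nonce, wrapped []byte) ([]byte, error) {
	return openAEAD(kek, nonce, wrapped, []byte("pan-dek"))
}

// RotateKEK re-wraps the DEK under a new KEK. Stored PAN ciphertexts are
// untouched, which is what makes routine key rotation affordable.
func RotateKEK(oldKEK, newKEK, nonce, wrapped []byte) ([]byte, []byte, error) {
	dek, err := UnwrapDEK(oldKEK, nonce, wrapped)
	if err != nil {
		return nil, nil, err
	}
	return WrapDEK(newKEK, dek)
}

// EncryptPAN seals the PAN under the DEK with the record id as AAD, so a
// ciphertext copied onto another customer's record will not decrypt.
func EncryptPAN(dek []byte, id, pan string) (Record, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Record{}, fmt.Errorf("PAN length %d outside 13-19", len(pan))
	}
	nonce, ct, err := sealAEAD(dek, []byte(pan), []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

func DecryptPAN(dek []byte, id string, r Record) (string, error) {
	pt, err := openAEAD(dek, r.Nonce, r.Ciphertext, []byte(id))
	return string(pt), err
}

func main() {
	kek, dek := NewKey(), NewKey()
	n, w, _ := WrapDEK(kek, dek)
	rec, _ := EncryptPAN(dek, "cust-42", "4111111111111111") // constructed test PAN
	newKEK := NewKey()
	n, w, _ = RotateKEK(kek, newKEK, n, w) // only the wrapped DEK changes
	dek2, _ := UnwrapDEK(newKEK, n, w)
	pan, err := DecryptPAN(dek2, "cust-42", rec)
	fmt.Printf("last4=%s ct=%x decrypted=%q err=%v\n", rec.Last4, rec.Ciphertext, pan, err)
}
```

Two design points matter more than the cipher choice. First, the DEK is never persisted in the clear and the KEK never sits next to the data, which is the "key stored in as few locations as possible, protected by a key at least as strong" structure the standard asks for. Second, the record id is bound as AAD so that a database-level attacker cannot swap ciphertexts between customers without detection; the same trick lets an application refuse to decrypt a record in a context it was not written for.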

Additionally, organisations should consolidate card data into a single, highly secured repository (a "vault") and hand other systems a token in place of the PAN, rather than maintaining multiple data stores, which are difficult and costly to secure and each of which drags its host into scope.

Organisations must also review offline processes. For example, if a call centre system is unavailable, do agents record cardholder details on paper? Process adjustments may be necessary for compliance.

Requirement 6: Develop and maintain secure systems and applications

Patch management is crucial but often delayed by testing and competing priorities, even though Requirement 6.2 expects critical security patches to be installed within one month of release. Some patches require application modifications, further complicating timely updates.

Segregation of development, test and production environments is another challenge. Where SOX-driven controls typically stop at logical segregation (developers and testers cannot access production systems), PCI DSS goes further: the environments must be separated (6.4.1), duties between them separated (6.4.2), and live PANs must not be used as test data (6.4.3).

A Web Application Firewall (WAF) is one of the two ways to satisfy Requirement 6.6 for public-facing web applications, the other being an application vulnerability review at least annually and after every change; some vendors integrate a WAF into an existing network firewall. However, like all security tools, a WAF only helps if it is properly configured (in blocking mode, with rules tuned to the application), tested and maintained.

Requirement 11: Regularly test security systems and processes

Security testing should be an ongoing activity rather than a one-time project. PCI DSS 3.2 calls for internal and external vulnerability scans at least quarterly and after significant changes (11.2), internal and external penetration testing at least annually and after significant changes (11.3), and, where segmentation is used to reduce scope, testing that the segmentation controls actually isolate the cardholder data environment (11.3.4). Together with continuous network monitoring, this requires dedicated internal or external resources.

Network Intrusion Detection/Prevention Systems (IDS/IPS) must be placed at the perimeter and at critical points inside the cardholder data environment (11.4) so that they see traffic between key network segments, such as:

  • Internet zone
  • DMZ (web server)
  • Application server zone
  • Database server zone

Sensors that only watch the internet edge miss lateral movement between the application and database tiers, which is where stored cardholder data actually lives.
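File integrity monitoring (Requirement 11.5, and flagged as a cost item in the quick assessment above) is at its core a baseline-and-compare operation. The following Go program is an added example, not a tool the article mentions or vendor code: it hashes every regular file under a directory with SHA-256, then reports files added, modified or removed relative to an earlier snapshot. The directory and files it creates are constructed for the demo; a real deployment would keep the baseline off the monitored host and run the comparison at least weekly, as 11.5 requires.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot walks root and returns relative path -> SHA-256 hex digest for
// every regular file. Recorded once on a known-good system, this is the baseline.
func Snapshot(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return out, err
}

// Diff compares a baseline against a fresh snapshot and reports paths that
// were added, modified (digest changed) or removed, sorted for stable output.
func Diff(baseline, current map[string]string) (added, modified, removed []string) {
	for p, sum := range current {
		old, ok := baseline[p]
		switch {
		case !ok:
			added = append(added, p)
		case old != sum:
			modified = append(modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			removed = append(removed, p)
		}
	}
	sort.Strings(added)
	sort.Strings(modified)
	sort.Strings(removed)
	return added, modified, removed
}

func main() {
	// Constructed demo: a throwaway directory standing in for a web root.
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(os.WriteFile(filepath.Join(dir, "index.php"), []byte("<?php echo 'ok';"), 0o644))
	must(os.WriteFile(filepath.Join(dir, "config.ini"), []byte("debug=0\n"), 0o644))
	baseline, err := Snapshot(dir)
	must(err)

	// Simulated tampering: one file altered, one dropped in, one deleted.
	must(os.WriteFile(filepath.Join(dir, "index.php"), []byte("<?php echo 'changed';"), 0o644))
	must(os.WriteFile(filepath.Join(dir, "unexpected.php"), []byte("<?php phpinfo();"), 0o644))
	must(os.Remove(filepath.Join(dir, "config.ini")))

	current, err := Snapshot(dir)
	must(err)
	added, modified, removed := Diff(baseline, current)
	fmt.Println("added:", added, "modified:", modified, "removed:", removed)
}
```

Because the baseline is a plain map of path to digest, it serialises easily and can be signed or stored on a separate host; what turns this into a control rather than a script is scheduling the comparison, restricting who can update the baseline, and routing the output into the same log review process Requirement 10 already demands.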

Conclusion

Security professionals have long called for better security practices. Now, businesses must invest in well-established best practices to achieve and maintain PCI DSS compliance. Compliance is an ongoing effort, requiring both CAPEX and OPEX investments. PCI DSS is not going away and will likely continue evolving to include additional security controls.