Organisations seeking to obtain or maintain PCI DSS compliance need to be aware of some important changes to control requirements that are either imminent or due later this year. These should not catch anyone by surprise, as they have been forward dated in the latest version of the standard, v3.2, since April 2016. However, with attention focused on the GDPR as its enforcement deadline approaches, they may have been overlooked.
What are the changes to the Standard?
From 1 February 2018 the following come into effect for merchants and service providers:
6.4.6 After a significant change all relevant PCI DSS requirements should be implemented on the new or changed systems and networks and documentation updated. ‘A significant change’ is not defined but might reasonably be taken to mean any change that might affect compliance with a PCI DSS requirement. In practice this will require a new step in change control to explicitly consider whether a change affects any PCI DSS requirements and to ensure that any such requirements are met. It is already a requirement to carry out vulnerability scanning, penetration testing and to update risk assessment after any significant change.
8.3.1 Multi-factor authentication (MFA) is required for all non-console access to in-scope components by personnel with administrative-level access. Prior to this, MFA was required only for remote access.
From 1 February 2018 the following come into effect for service providers only:
3.5.1 Service providers storing encrypted card data must maintain a documented description of the cryptographic architecture.
10.8 Implement a process for timely detection and reporting of failures of critical security control systems.
10.8.1 Respond to any such failures in a timely manner.
11.3.4.1 Where relying on network segmentation to reduce scope, test the segmentation controls at least every six months. Note that this does not mean that the controls must have been tested in the six months prior to 1 February 2018, but the process should be in place at this date and a test will be needed before 1 August 2018.
12.4.1 Establish a formal PCI DSS compliance programme. This requires a ‘charter’ for PCI DSS compliance and formal management accountability.
12.11 Perform quarterly reviews to ensure security policies and procedures are being applied. This does not mean re-performing the PCI DSS assessment, but it does require a formal and documented check that all regular control actions, such as daily log reviews, responding to alerts and applying secure configurations, and all time-defined controls, such as quarterly ASV scans, are actually happening.
12.11.1 Maintain documentation of the above quarterly review process, to include:
• Documenting results of the reviews
• Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance programme.
From 1 July 2018 migration from SSL and early TLS should be complete. SSL/early TLS can no longer be used in online and e-commerce environments, except for payment terminals (POI devices) and the SSL/TLS termination points to which they connect, where these can be verified as not being susceptible to any known exploits for SSL and early TLS.
Such POI devices and their termination points must have up-to-date patches, with only the necessary extensions enabled. Note also that it is not a PCI DSS requirement to encrypt card data being transmitted across the internal network, so if SSL was being used only for this there would be no need to upgrade to TLS 1.2.
Additionally, use of weak cipher suites or unapproved algorithms – e.g., RC4, MD5, and others – is not allowed.
PCI DSS requirements directly affected by this change are:
2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
2.3 Encrypt all non-console administrative access using strong cryptography.
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
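The following is an added example (not 7Safe's code and not part of the original post) of the kind of check an organisation can run against its own TLS configuration before the 1 July 2018 deadline. It audits a list of enabled protocol versions and cipher suite names for SSL/early TLS and for the weak algorithms the post names (RC4, MD5), and builds a Python `ssl` server context that enforces TLS 1.2 as the floor. The minimum version of TLS 1.2 follows the post's "upgrade to TLS 1.2"; the blocklist of weak algorithm markers and the sample configuration are assumptions constructed for illustration.

```python
"""Offline audit of a TLS configuration against the PCI DSS v3.2 SSL/early TLS
migration (requirements 2.2.3, 2.3 and 4.1). Illustrative helper, not an
official PCI SSC tool; the weak-algorithm list is an assumption."""
import ssl

# Protocol versions from weakest to strongest, as named in most server configs.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Substrings (OpenSSL cipher-name style) that indicate a weak or unapproved
# algorithm. RC4 and MD5 come from the post; the rest are assumed additions.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "EXP-",
                       "ADH", "AECDH", "RC2", "IDEA")

# Floor used by the hardened context below (the post's "upgrade to TLS 1.2").
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_config(enabled_protocols, cipher_suites, minimum_version="TLSv1.2"):
    """Return a list of (severity, item, reason) findings.

    An empty list means the configuration offers no SSL/early TLS and no
    cipher suite containing a blocklisted algorithm.
    """
    findings = []
    floor = PROTOCOL_ORDER.index(minimum_version)

    for proto in enabled_protocols:
        if proto not in PROTOCOL_ORDER:
            findings.append(("fail", proto, "unrecognised protocol name"))
        elif PROTOCOL_ORDER.index(proto) < floor:
            findings.append(("fail", proto,
                             f"below minimum {minimum_version} (SSL/early TLS)"))

    for suite in cipher_suites:
        upper = suite.upper()
        hits = [m for m in WEAK_CIPHER_MARKERS if m.upper() in upper]
        if hits:
            findings.append(("fail", suite,
                             "weak/unapproved algorithm: " + ", ".join(hits)))
    return findings


def hardened_server_context():
    """Build a server-side SSLContext that refuses anything below TLS 1.2 and
    only offers forward-secret AEAD suites (no RC4, MD5, 3DES or NULL)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_cipher_names(ctx):
    """Names of the cipher suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a web tier that still offers SSLv3/TLS 1.0/1.1 and
# legacy suites alongside a modern one.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5",
                  "DES-CBC3-SHA", "AES256-SHA"]

if __name__ == "__main__":
    for severity, item, reason in audit_tls_config(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"{severity.upper():4} {item:30} {reason}")
    ctx = hardened_server_context()
    print("hardened context offers:", ", ".join(context_cipher_names(ctx)))
    print("hardened context findings:",
          audit_tls_config(["TLSv1.2", "TLSv1.3"], context_cipher_names(ctx)))
```

Feed `audit_tls_config` the protocol and cipher lists taken from a web server or load balancer configuration (or from an external scan of a termination point) and keep the output as evidence for the QSA; the hardened context shows the same policy applied in code for services that terminate TLS themselves.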
What should you do next?
We are only summarising the requirements here. Organisations should check the standard to see the full detail and the evidence that they will need for their QSA. Some of these requirements may not apply to all merchants and service providers where the scope for PCI DSS is very limited. 7Safe would be pleased to advise and support your organisation in achieving and maintaining compliance.
To speak to a PA & 7Safe Consultant and QSA, contact our sales team on +44 (0)1763 285 510
Visit our website for more information: https://www.7safe.com/risk-and-compliance