Ever since version 1.0 was released in December of 2004, the Payment Card Industry Data Security Standard (PCI-DSS) has been an information security staple for organizations that handle branded credit cards. It was originally co-written by VISA and MasterCard, and endorsed by other leading credit card industry agencies, to define practices for protecting members against electronic fraud.
PCI applies to all entities that store, process or transmit cardholder data, including retail merchants, payment processors and banks. Failure to comply with PCI policies can result in fines and the non-compliant entity's loss of access to the crediting agency.
While PCI has evolved over the years, it has consistently been divided into 12 requirements which each outline a different aspect of IT security best practices. These best practices include implementing strong access control measures – such as tracking, securing and auditing the use of powerful privileged accounts.
PCI-DSS Compliance and Privileged Identity Management
Historically, PCI-DSS established restrictions on user access, account separation, auditing, password strength and password reuse. Privileged Identity Management (PIM) solutions help with these control and auditing requirements.
An enterprise level PIM product automatically discovers privileged accounts throughout the cross-platform enterprise. It then provides each account with unique and frequently rotating credentials. This ensures that passwords are continuously changing, there are no shared passwords, and there are no static passwords that former employees can use to gain access – all of which are integral to PCI compliance. PIM solutions also meet the audit trail requirements of PCI by showing who had access to each privileged account, when and for what purpose.
That’s where we’ve stood until now. But now there’s a new version of the standard – PCI-DSS 3.2. Version 3.1 ended in October, forcing many organizations to begin conforming to the new 3.2 version controls.
So What’s New in PCI-DSS 3.2?
There are a number of significant changes to PCI-DSS 3.2. We’ll just take a look at new aspects of the mandate that directly affect security controls. Here are the highlights of those new requirements:
6.4.6: Ensure Security Controls Are in Place Following a Change in the Card-holder Data Environment
As things in the IT infrastructure change, security controls must change to protect the new realities of the infrastructure. A PIM product with comprehensive discovery capabilities is uniquely suited to assist with this. This type of product can make sure that as changes occur, it will see those changes and react appropriately – whether or not IT decides to inform security or compliance groups.
10.8 and 10.8.1: Service Providers Need to Detect and Report On Failures of Critical Security Control Systems
These requirements mean that the control systems must allow IT to detect and respond to control failures that may expose vulnerabilities. Again, the right PIM keeps you covered here: not only are all of its components wired to watch each other and open to monitoring by other systems through process-level and log-level watching, but it also includes an extensive system to notify on hundreds of discrete events from within the product.
12.11 and 12.11.1: Service Providers Must Perform Quarterly Reviews to Confirm That Personnel Are Following Security Policies and Operational Procedures
These provisions state that you must now conduct, at minimum, quarterly audits to ensure that you are in compliance. This will likely compel more organizations to automate their controls. An automated control is easy to audit. Automation is the key not only to better security, but also easier audits. This is especially true as regulators see the wisdom of double checking the controls to ensure proper application.
Security is More than Compliance
While there are some good security measures in PCI-DSS, we’re obliged to remind you of the dangers of a checkbox approach to cybersecurity. Just because you’ve met your regulatory compliance standards doesn’t necessarily mean that your environment is secure.
For example, PCI-DSS requires 90-day password changes. However, we believe that a 90-day password change schedule is much too lax. Instead, a truly secure enterprise should automatically rotate privileged credentials every few hours. Taking such an aggressive approach minimizes an intruder’s dwell time by limiting how long they can exploit a compromised credential.
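To make the three PIM checks described earlier (continuously changing credentials, no shared passwords, no static passwords left behind by former employees) and the 90-day versus every-few-hours rotation argument concrete, here is an added example audit, not code from the original post or from any PIM product. The inventory record fields, the account names and the fingerprints are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical inventory record; the field names are assumptions, not a product API.
@dataclass
class PrivilegedAccount:
    name: str
    system: str
    password_fingerprint: str   # hash of the credential, never the credential itself
    last_rotated: datetime
    owner_active: bool          # False once the account's owner has left the company

PCI_MAX_AGE = timedelta(days=90)     # the 90-day change interval PCI-DSS requires
STRICT_MAX_AGE = timedelta(hours=4)  # the "every few hours" rotation recommended above

def audit_accounts(accounts, now, max_age=PCI_MAX_AGE):
    """Return (account name, finding) tuples for every policy violation found."""
    findings = []
    # Group accounts by credential fingerprint so shared passwords can be spotted.
    by_fingerprint = {}
    for acct in accounts:
        by_fingerprint.setdefault(acct.password_fingerprint, []).append(acct)
    for acct in accounts:
        if now - acct.last_rotated > max_age:
            findings.append((acct.name, "stale credential: exceeds max age"))
        if len(by_fingerprint[acct.password_fingerprint]) > 1:
            findings.append((acct.name, "shared credential: used by multiple accounts"))
        if not acct.owner_active:
            findings.append((acct.name, "orphaned credential: owner no longer active"))
    return findings

# Constructed sample inventory: one healthy account, one past 90 days, two sharing a password,
# one of which belongs to a departed employee.
NOW = datetime(2016, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("root@db01", "linux", "fp-a1", NOW - timedelta(hours=1), True),
    PrivilegedAccount("Administrator@pos-srv", "windows", "fp-b2", NOW - timedelta(days=120), True),
    PrivilegedAccount("sa@cardholder-db", "mssql", "fp-c3", NOW - timedelta(days=10), True),
    PrivilegedAccount("backup_svc", "linux", "fp-c3", NOW - timedelta(days=10), False),
]

if __name__ == "__main__":
    for policy, max_age in (("PCI 90-day", PCI_MAX_AGE), ("strict 4-hour", STRICT_MAX_AGE)):
        print(f"--- {policy} policy ---")
        for name, finding in audit_accounts(SAMPLE_ACCOUNTS, NOW, max_age):
            print(f"{name}: {finding}")
```

Running it under both policies shows the point of the section: the 10-day-old credentials pass the PCI interval but fail the stricter one, while the shared and orphaned findings surface regardless of rotation interval.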
Want to learn more about what’s new in PCI-DSS 3.2? Download the solution brief How Privilege Management Helps Meet PCI DSS Compliance.