The Payment Card Industry (PCI) recently made adjustments to their Data Security Standards (DSS) 2.0 guidelines. These modifications came into effect at the end of June 2012, impacting the security of customer card information and network design. This article takes a look at the essentials of the changes.
Another look at the PCI-DSS 2.0
Version 2.0 of the PCI DSS, the most recent version of the standard, was released in October 2010. The vast majority of the changes in this version are quite minor. The most significant change is the requirement for assessed entities to have the appropriate procedures and documentation in place to demonstrate where cardholder data is (and is not) located.
Previously, most PCI assessments reviewed the known cardholder data flows. While providing as much detail as possible about known cardholder data flows is still essential, the PCI Council is asking for something more: companies are now required to take concrete steps to demonstrate where there is no cardholder data. Simply understanding where cardholder data should be is not sufficient; companies now need to demonstrate that they know where it could not be.
Framework for Cardholder Data Discovery
Cardholder data flows and ecosystems differ quite a bit from company to company. However, the generic cardholder data discovery methodology outlined below provides a common starting point for many companies.
- Identify in-scope entities and determine if there is any cardholder data present. In-scope entities refer to any systems, applications, databases and people who have access to cardholder data.
There are a number of ways to collect the information needed. This may include:
- Reviewing data flow diagrams. This is similar to the activities described in PCI DSS version 1.2. The information uncovered through this process can then be used to determine which individuals should be considered “in-scope,” before moving on to additional information gathering.
- Interviews. Once known cardholder data flows have been documented, interviews should be conducted with the people who use the cardholder data, administer it, or have administrative access to it. Interviews are an excellent way to determine whether scope can be reduced because the cardholder data is not really necessary. Often, it’s the people who use the cardholder data who are best able to assist in finding out where it is actually stored.
- Penetration testing. Some companies use penetration testing to demonstrate that there are no covert channels, application weaknesses, network architectural flaws, or other means by which cardholder data could leave its intended environment, and so to show that this sensitive data is protected appropriately.
- Forensic analysis. Close examination of systems can help define the scope. Some companies do this to show that there is no logical means by which cardholder data could inadvertently spill over to a system, application or log file.
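The discovery work above is often supported by a scan for card numbers that have spilled into logs or text files. As an added example (not code from the original article), the Python scanner below finds 13- to 19-digit candidates, discards those that fail the Luhn check so that order ids and timestamps are not flagged, and reports only a masked form so the report itself does not become a new copy of cardholder data. The sample log lines are constructed and the card numbers are industry test numbers.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The look-arounds stop us matching a PAN-sized slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample log lines (not real data); the PANs are standard test numbers.
SAMPLE_LOG = [
    "2012-06-30T10:01:12 INFO order=1234567890123456 status=ok",       # 16-digit order id, fails Luhn
    "2012-06-30T10:01:13 DEBUG card=4111111111111111 exp=12/14",       # full PAN leaked into a debug line
    "2012-06-30T10:01:14 INFO token=411111******1111 auth=approved",   # properly masked, must be ignored
    "2012-06-30T10:01:15 DEBUG amex 3782 822463 10005 charged",        # 15-digit PAN written with spaces
    "2012-06-30T10:01:16 WARN retry pan=5555-5555-5555-4444",          # PAN written with dashes
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask a PAN for reporting, keeping only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid candidate PAN, with line number and masked value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits), "length": len(digits)})
    return findings

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(f"line {finding['line']}: possible PAN {finding['masked']} ({finding['length']} digits)")
```

Run against real log directories, this kind of scan is evidence for the "where cardholder data is not" requirement; a hit in an application log usually means a logging statement, not the log, needs fixing.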
What do the changes mean?
According to Alex Quitter, director of PCI at Qualys, “This is an evolution of the requirements. You need to show a process for risk rankings.” In practice, this means obtaining information about known vulnerabilities from publicly available sources, such as vendor security alerts. From there, risks to the organization’s network should be prioritized as they relate to protecting PCI data, and ranked as high, medium or low.
The modifications to the standard place added emphasis on vulnerability risk rating, and the PCI DSS language on scanning requirements is now far more stringent. Organizations must show proof of passing an internal vulnerability assessment.
Such assessments must be completed on a quarterly basis, and after any significant changes in the company. They must be performed by a qualified party. They must also show a “passing result,” which means that any high-risk vulnerabilities on internal networks must be resolved.
This article takes a look at recent changes to the Payment Card Industry Data Security Standards (PCI-DSS) version 2.0. The changes affect risk rankings, vulnerabilities and demonstrating cardholder data flows. This article outlines the changes and also offers a methodology for cardholder data discovery.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Data security – credit card information & PCI DSS Applications (I.D.b.ii.)
- Data governance – industry consortia security frameworks; PCI DSS (V.A.c.i.)