New Security Guidelines Released for PCI DSS and PA-DSS
The Payment Card Industry Security Standards Council (PCI SSC) recently released updates and new guidelines for strengthening retailer data security and protecting customer payment data.
Upgrading Payment Application Security
On June 1, the PCI SSC published version 3.1 of its Payment Application Data Security Standard (PA-DSS) to address the vulnerabilities found in the Secure Sockets Layer (SSL) protocol, advising organizations to upgrade to a secure version of Transport Layer Security (TLS).
In practice this means moving payment applications, and the systems they run on, to TLS 1.1 at a minimum so that they are no longer exposed to the POODLE and BEAST attacks. Reported in 2014, POODLE exploits a weakness in how SSL 3.0 handles padding for ciphers used in cipher block chaining (CBC) mode: the padding bytes are not covered by the integrity check, so an attacker positioned between client and server who can trigger many requests is able to decrypt selected bytes of the session. Because clients of that era fell back to SSL 3.0 when a TLS handshake failed, the attacker first forces the connection down to SSL 3.0 and then decrypts select content within the SSL session, according to an alert from US-CERT.gov.
At the time of the alert the attack affected most current browsers and websites, as well as any software that links a vulnerable SSL/TLS library. An attacker who can decrypt parts of the session can recover sensitive data passed within it, such as session cookies or other authentication tokens, and use them to log into user and administrative accounts, steal data, or otherwise wreak havoc.
Demonstrated in 2011, BEAST targets the CBC ciphers in TLS 1.0 and SSL 3.0, whose initialization vectors are predictable. An attacker who can run code in the victim's browser (for example, injected JavaScript) and observe the encrypted traffic can decrypt the HTTPS cookie block by block and hijack the victim's site session. This is particularly problematic for sensitive sites, such as online banking and e-commerce websites.
As a result, PA-DSS 3.1 removes SSL and early TLS from the examples of strong cryptography in its requirements. Other changes from version 3.0 to 3.1 are clarifications, such as that passwords must be changed at least once every 90 days and that inactive user accounts must be removed or disabled within 90 days. Check out the full list of revisions (PDF).
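As an added example (not from the PCI SSC documents or from this post's author), the Python below shows the two checks a practitioner would actually run against a payment system: parse the protocol version a server commits to in its ServerHello, including the TLS 1.3 case where the real version lives in an extension, and build a client context that refuses to complete a handshake below a floor. The audit uses the TLS 1.1 floor that PA-DSS 3.1 names; the context defaults to TLS 1.2, a choice made here rather than anything the standard text states. The ServerHello records are constructed inside the script, not captured traffic, and the function and constant names are this example's own.

```python
"""Audit the TLS protocol version a payment system negotiates.

Added example for this post (not PCI SSC material). negotiated_version()
reads the version out of a raw TLS ServerHello record, the message in which
the server commits to a version, so a packet capture can be checked.
make_pci_context() builds a client-side ssl.SSLContext that will not
negotiate below a floor, so the downgrade POODLE depends on cannot happen
from this side.
"""
import ssl
import struct

# Protocol versions as the two wire bytes (major, minor).
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
PA_DSS_FLOOR = (3, 2)        # TLS 1.1, the minimum named in PA-DSS 3.1

HANDSHAKE_RECORD = 0x16      # TLS record content type for handshake messages
SERVER_HELLO = 0x02          # handshake message type
SUPPORTED_VERSIONS = 0x002B  # extension carrying the real version in TLS 1.3


def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) selected in a ServerHello record.

    TLS 1.3 servers put 0x0303 in the legacy version field and the real
    selection in the supported_versions extension, so that extension wins.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS header")
    content_type, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type != SERVER_HELLO or len(hello) != hs_len or hs_len < 38:
        raise ValueError("not a complete ServerHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                    # skip version and 32-byte random
    pos += 1 + hello[pos]           # length-prefixed session id
    pos += 2 + 1                    # cipher suite, compression method
    if pos + 2 <= len(hello):       # extensions block is optional
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == SUPPORTED_VERSIONS and len(data) == 2:
                version = (data[0], data[1])
    return version


def classify(version: tuple, floor: tuple = PA_DSS_FLOOR) -> tuple:
    """Name the version and report whether it meets the floor."""
    name = VERSION_NAMES.get(version, "unknown %d.%d" % version)
    return name, version >= floor


def audit_server_hello(record: bytes, floor: tuple = PA_DSS_FLOOR) -> tuple:
    """Parse a ServerHello record and return (version name, meets floor)."""
    return classify(negotiated_version(record), floor)


def make_pci_context(minimum=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context that refuses to handshake below `minimum`.

    create_default_context() already rejects SSL 2.0/3.0; pinning
    minimum_version makes the floor explicit regardless of library defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def build_server_hello(version: tuple, selected: tuple = None) -> bytes:
    """Constructed ServerHello record for testing; not a real capture."""
    major, minor = version
    hello = bytes([major, minor]) + b"\x00" * 32   # version + zeroed random
    hello += b"\x00"                                # empty session id
    hello += b"\x00\x2f"                            # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                                # null compression
    if selected is not None:                        # TLS 1.3 style selection
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, 2) + bytes(selected)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE_RECORD, major, minor, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, sel in [((3, 0), None), ((3, 1), None), ((3, 2), None), ((3, 3), (3, 4))]:
        print(audit_server_hello(build_server_hello(ver, sel)))
    print(make_pci_context().minimum_version)
```

Run against real traffic, feed `negotiated_version` the first handshake record the server sends back; anything that classifies as SSL 3.0 or TLS 1.0 is a PA-DSS 3.1 finding. The parser deliberately tolerates a malformed session id or extension length (it stops reading rather than raising) so that one odd record does not abort a bulk audit.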
Integrating Security Into Business As Usual
On June 5, the PCI SSC released a new document, PCI DSS Designated Entities Supplemental Validation (DESV), designed to help organizations make security part of their everyday business practice and to ensure that PCI DSS controls are continuously monitored and applied.
The document applies to entities designated by a payment brand or acquirer as needing additional validation of PCI DSS requirements, such as those that store, process or transmit large volumes of cardholder data or those that have already gone through major or repeated breaches of cardholder data.
The guidelines include requirements around PCI DSS compliance program administration, such as:
- Ensuring accountability for maintaining PCI DSS compliance
- Defining a PCI DSS charter program
- Providing updates to executive management and board of directors on PCI DSS issues
- Defining a program and assigning roles to maintain and monitor PCI DSS compliance daily, weekly, monthly, quarterly or annually
- Identifying changing PCI DSS scope, including all in-scope networks, system components, third-party entities that have access, etc.
- Developing a process to identify and respond to failures of critical security controls
- Reviewing user accounts and access privileges every six months and whenever job functions or employment status change
- Implementing a methodology to identify attack patterns from logs for tracking, alerting and analysis
The new security guidelines coincide with a recent report from Trustwave that found that weak remote access security and weak passwords contribute to 94 percent of point-of-sale (PoS) breaches. To reduce that risk, organizations should use proper access controls, unique passwords and two-factor authentication where possible, according to Trustwave's Threat Intelligence Manager Karl Sigler, as quoted by SecurityWeek.com.
Much of the technical staff supporting PoS systems works outside the office and relies on remote access software to troubleshoot problems or push patch releases. That access becomes a liability when attackers target those staff to steal passwords and obtain unauthorized remote access.
Two-factor authentication blocks remote attackers who hold only a stolen password. With a mobile authentication solution, a login also requires verification from a physical mobile device the user owns, so a password alone is not enough to log into payment applications remotely. That removes the entry point behind most of the PoS breaches Trustwave describes and keeps payment card data out of an attacker's hands.
For more guidance around new data security risks, download our free eBook to get our security recommendations:
Avoiding Catastrophic Data Breaches in the Retail Industry
In this guide, you’ll learn:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- Why outdated security solutions no longer effectively protect retailers and consumers
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Written for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers who need to implement strong authentication, and for those evaluating two-factor authentication solutions for organizations in the retail industry.