What the 2018 PCI DSS 3.2.1 Updates Mean for Your Organization
The PCI Security Standards Council (SSC) introduced a few updates this year to the PCI DSS (PCI Data Security Standard). Although most of the updates are minor, there are issues that will impact how your organization achieves PCI compliance.
The primary goal of the PCI DSS assessment is to identify all technology and process vulnerabilities posing a risk to the security of cardholder data that is transmitted, processed, or stored by an organization. So, let’s take a look at some of the updates and diagnose how you may or may not be impacted by these changes.
The PCI DSS will continue to evolve through its major and minor updates. As a former QSA with the PCI DSS, the recommendation I have always stood by is to engage a QSA (Qualified Security Assessor) that you trust early in the compliance process and continue the collaboration for as long as it takes to achieve and maintain compliance. Finding the right QSA is much like finding the right tax advisors–while they must convey the regulations of tax laws, they are employed by you and should be on your side, giving guidance to ensure security and therefore compliance at the right cost and to achieve the benefits you need.
PCI Focused on Greater Organizational Flexibility
The current PCI SSC Chief Technology Officer, Tony Leach, discussed that the standards council is specifically looking at ways in which they can:
- Provide greater flexibility for organizations to focus on the security controls for protecting payment data.
- Recognize changes in technology, as well as data assets, that reduce risk for payment environments for all types of organizations.
Challenges exist in the interpretation of the PCI DSS controls by the PCI QSAC (Qualified Security Assessor Company). Unfortunately, every QSAC must take a companywide stance to ensure consistency among QSAs. However, each QSA is different with their own set of skills and predispositions. In other words, the biggest fear every merchant or service provider has is QSA turnover in their organization or the QSAC that services them. Why? Because it’s virtually a certainty that a new QSA will find something different (and probably immaterial) to focus on after a merchant or service provider has been PCI-compliant for years.
As far as flexibility is concerned, Mr. Leach is referring to having organizations of more diverse industries and sizes join the council. As participating organizations, they can impact how SAQs and the DSS are designed to deal with organizations that have different sets of technological needs than the more complex organizations which the DSS focuses on today.
Self-Assessment Questionnaires Are Evolving
The updated Self-Assessment Questionnaires (SAQs) include the 3.2.1 updates. These SAQs are designed for smaller organizations with a modest transactional volume, but they can be used to monitor and report on the entire PCI DSS control set. I see SAQs becoming more focused and rigorous as security controls demand even tighter conformance and reporting, even from organizations with lite transaction volumes. Technologically, I believe that the SAQs will become more web-based, making them easier to complete, submit, and be reviewed by the entity responsible for maintaining compliance validation for the merchant or service provider.
Risk and Compliance-Reducing Technology
PCI DSS 3.2.1 focuses on enabling solutions that devalue payment card data and remove the incentive for criminals to steal it. More organizations around the globe are reducing risk and PCI scope by using cloud tokenization. I think the security of PCI data—including Sensitive Authentication Data (SAD) that is used by card issuers for transaction authorization—is already complete when protected by cloud tokenization. Where security can continue to evolve is with the devaluing of other sensitive data elements being passed along with payment transactions. For example, track 1 data on the magnetic strip contains privacy data in the form of the Account Holder's name. How can this data be secured separately and securely, so the Account Holder's information is safe?
Multi-factor authentication (MFA) is now required from the compensating control for all non-console administrative access. All access to any asset that interacts with payment card data should employ multi-factor authentication. I'm surprised this hadn’t occurred already, but it shows the commitment by the PCI SSC to continue pushing a security-first mentality, rather than compliance first.
SSL and TLS Early Version Are Officially Out of Compliance
“In PCI DSS 3.2.1, Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered secure forms of encryption. It is critically important that organizations upgrade to a secure version of TLS – such as TLS v1.2 or higher – as soon as possible and disable any fallback to SSL/early TLS.” TokenEx rolled its transport protocol to TLS well in advance of the deadline to deprecate SSL and earlier forms of TLS. Again, offering a reasonable roadmap for compliance to reducing risk for merchants and service providers is essential so they can achieve and maintain compliance given scarce resources in one fashion or another by organizations.
TLS Version Implementation
The benefits of implementing the most recent version of TLS are well known at this point. First and foremost, if you are not using the latest version of TLS, your payment card data is potentially exposed–therefore your organization is at risk of a data breach and costly breach recovery activities. Additionally, if your organization is using TLS past the PCI mandated drop-dead date, your organization will be out of compliance for PCI. Last but not least, from a customer conversion standpoint, there will be lost revenue due to cart abandonment. With the ever-increasing education and awareness of consumers around secure online shopping, not using up-to-date protocols to secure website payment and personal data will hurt sales and customer acquisition.
Establishing a Formal Compliance Program
Having a PCI compliance program has been a requirement for some time. Organizations that process payments must have a formal information security program that includes PCI controls. The fact that they have now named it (12.4.1) only means a change in policy verbiage for most organizations that are PCI compliant today. From a cybersecurity posture standpoint, the overarching information security program/policy should include more stringent controls around other types of data sets. I see this change in 3.2.1 as a minor update and separation of policies – but also a significant duplication of effort for maintaining multiple policies that say the same thing.
Encryption is Encryption
As long as organizations are using encryption algorithms that are approved by the PCI SSC and implemented in the intended fashion, data should be sufficiently protected. “Should be” is the catch because encryption key management is one of the most challenging aspects of PCI compliance. Leveraging a platform based on tokenization, cloud data vaulting, and encryption management will enhance security and reduce the risk for organizations handling sensitive data.
Cryptographic Architecture – Requirement 3.5.1
According to requirement 3.5.1, organizations leveraging encryption for tokenization with Format Preserving Encryption (FPE), are required to document the cryptographic mechanisms used to generate tokens to ensure the PCI SSC has approved the specific mechanisms being employed. From my perspective, tokenization and cloud vaulting will continue to be used to alleviate PCI scope, risk, liability, and overhead as it has for years. Additionally, the use of cloud tokenization will grow as most organizations that are not yet using it will need a proven method using reliable and cost-effective technology to reduce both scope and risk. Cloud tokenization is the only technology working in the marketplace today that can holistically reduce both scope and risk for merchants and service providers. TokenEx provides documentation of tokenization mechanisms and an audit trail of encryption and tokenization. Thus, relieving the client of the burden of encryption key management
Stay Up to Date as PCI DSS Continues to Evolve
In summary, the PCI DSS continues to do an excellent job providing secure standards and guidance for the payment card industry. PCI compliance is a continuous evolution. For every organization that touches payment data, achieving compliance must be a priority to make sure you are protecting your customers’ data as well as your own reputation.
Still looking for PCI compliance help? TokenEx is the industry leader for tokenization, encryption, and data vaulting—proven solutions for attaining PCI compliance in any payment environment, anywhere in the world. Remember with TokenEx—No Data, No Theft! Follow us on Twitter and LinkedIn.
Alex Pezold is the CEO/Co-founder of TokenEx. A former Qualified Security Assessor (QSA) with the PCI Security Standards Council, Alex has developed a mindshare in the compliance and risk reduction arena. Alex has held his CISSP (Certified Information Systems Security Professional), holds CNSS Certifications, and obtained his Masters of Science in Computer Science with an emphasis in Information Security from the University of Tulsa.