Are You Ready?: New PCI Security Rules Will Require Changes

By: Giles Witherspoon-Boyd
Published: November 21st, 2014

Hopefully, you've heard that the Payment Card Industry Data Security Standard (PCI DSS) has changed... again. In November 2013, the PCI Council released PCI DSS version 3.0 and set the compliance deadline for January 2015. With only a few busy months remaining, many businesses (including franchisees) aren't even close to compliance with the new standard.

Why change the standard? Changing technologies often improve business efficiency, but aren't bulletproof to the weaknesses consistently found and exploited by hackers. New security regulations like PCI 3.0 are released to protect new technologies against recent hacking trends.

In my opinion, Requirement 4.1 is the biggest PCI 3.0 change for franchisees. Many franchises and chains use satellite communications to connect locations. According to the newest version, it's no longer acceptable to rely on the link provider's system security. Instead, it's your responsibility to encrypt satellite communications containing cardholder data so it remains secure.

If your franchisor hasn't already asked you to begin implementing PCI 3.0 changes, they (or your bank) probably will soon. Here are three themes I've seen while reviewing additions to the newest PCI standard.

1) Secure sensitive data

Security clearances aren't only for high-tech companies and weapons manufacturers. For example, restricting access to the administrative portions of POS systems or hotel management applications can lower the chance of malware entering a system. PCI 3.0 digs deep into employee restrictions to safeguard access to customer data with a handful of new requirements.

• Requirement 5.3 reminds us that anti-virus protection shouldn't be able to be altered without managerial approval. If anyone can turn it off, they could leave a business vulnerable to malware entering the system.
• Requirement 7.1.1 requires a role-based access control system. This means employee access to card data and systems should be granted only on a need-to-know basis.
• Requirement 9.3 is all about controlling physical access to sensitive areas. If an employee's job doesn't require them to have access, make sure they don't have access.

2) Review, revise, repeat

From my security experience, many breaches are caused in part by a lack of process review. Errors can easily occur because of ignorance, poor planning, lack of attention, or timing and can lead to security decay. The PCI Council definitely thought that double-checking software, processes, and devices was an important part of a secure business environment.

• Requirement 9.9.2 ensures merchants regularly examine POS devices to make sure they haven't been tampered with. This is especially important in the case of POS systems left out in the open and unattended for a lengthy period, such as gas station terminals.
• Requirement 10.6.2 states the importance of reviewing logs of all system components. Periodically reviewing logs helps determine if suspicious activity is occurring.

3) Document, document, document

Documentation is a four-letter word to most franchisees. Who wants to devote precious resources to documentation? Well, the upsides are significant. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized. That's probably why PCI version 3.0 has so many new requirements about documentation.

• Requirement 1.1.3 asks merchants to create a cardholder data-flow diagram to show how cardholder data enters and flows through the network.
• Requirement 2.4 requires a document that lists all "in-scope devices" and their function (this means every POS system, computer, mobile device, etc.).
• Requirement 9.9.1 is very similar to 2.4 and requires merchants to maintain an up-to-date list of all devices including physical location, serial numbers, and make/model.
• Requirement 11.1.1 asks merchants to maintain a complete list of authorized wireless access points and justify why they are needed in the business environment.
• Requirement 12.8.5 requests two lists:1) the PCI requirements your third-party service provider meets, and 2) a list of PCI requirements your business is required to meet. This requirement is an attempt to avoid miscommunication between third parties and merchants on who is responsible for which PCI requirements. In a franchisee's case, it would probably be beneficial to have a similar list explaining the security responsibilities of both you and your franchisor.

Conclusion

Even though I didn't go over every change from PCI 2.0 to PCI 3.0, I hope you can take what you've learned and begin to apply it in your security processes today. Start examining your physical devices for tampering, begin your list of wireless access points, and instigate company-wide role-based employee access. I promise you'll be more secure. Not to mention, close to compliance by the oncoming deadline.

Giles Witherspoon-Boyd, PCIP, is enterprise account manager at SecurityMetrics and assists businesses in defining their PCI DSS scope. For more information about SecurityMetrics, visit www.securitymetrics.com.

Related Stories