The PCI Data Security Standard version 3.2 released Thursday not only includes new requirements to safeguard payment data, including multifactor authentication, but also “advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint,” PCI Security Standards Council General Manager Stephen Orfei said in a release.
The council’s chief technology officer (CTO), Troy Leach, said the time has come for multifactor authentication, which the updated standard requires of anyone who has administrative access to card data.
“Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” Leach said in the release. “Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk.”
The latest version of the maturing standard “includes a number of updates to help these entities demonstrate that good security practices are active and effective,” he said.
Among the changes are revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates, outlined in the Bulletin on Migrating from SSL and Early TLS, as well as additional security validation steps for providers that roll in the previously separate “Designated Entities Supplemental Validation” (DESV) criteria.
Last spring’s out-of-band PCI DSS version 3.1 release gave organizations a 14-month transition period to move away from SSL and early TLS, which have been in use for years and were assumed secure until browser attacks like POODLE and BEAST took advantage of vulnerabilities in SSL.
“The most critical aspect of PCI DSS version 3.2 is the solidified migration away from SSL and early TLS, which have been in use for years and assumed secure until more recent high-profile vulnerabilities were discovered (i.e. POODLE),” Michael Petitti, senior vice president of global alliances at Trustwave, said. “In fact, both are still quite a bit in use and will require a shift in the market for a complete migration over the next two years and beyond.”
Petitti added that “the two-factor authentication (2FA) for admins of Cardholder Data Environments (CDE) is pretty big, as well as the update to the standard tacitly acknowledging internal threats.”
And Chris Strand, senior director of compliance – IT governance, risk, and security audit programs at Carbon Black, noted that “many of the changes enforce the need to prove continuous control over device and asset configurations including the applications within their Card Data Environment (CDE) and endpoints.”
Since “service providers are also being pulled into the mix more so than in previous versions of PCI in terms of liability and accountability,” Strand said, “merchants now need to prove and ensure that controls are effectively in place following ANY change in the card data environment. They must also ensure that applications are being monitored consistently and prove that what is defined as CDE is truly CDE.”
The new release will help “PCI DSS bridging more industries as it becomes a baseline standard for measuring security posture,” he explained. “For example, many healthcare organizations have PCI implications, and if they were to put these new measurements in place, they would be well-positioned to effectively measure their healthcare regulation posture and, more importantly, defend against the onslaught of ransomware attacks currently occurring.”
But the anticipated changes to PCI DSS didn’t meet expectations for many security pros. They fell “far short of actually improving the security of cardholder data,” Brian NeSmith, Arctic Wolf CEO and co-founder, said in comments sent to SCMagazine.com. “History has proven that this rear view mirror approach to security – focusing on protecting the assets alone – does not meaningfully improve security. By the time you see it, it’s too late; it’s already happened. What the industry really needs is to improve its threat detection and response capabilities in order to catch the bad guys before the damage is done.”
Billy Austin, vice president of security at MAX Risk Intelligence by LOGICnow, echoed that criticism, saying that despite a “fairly lengthy set of requirements,” version 3.2 doesn’t adequately address the threats that the industry faces.
“Attackers are successful for numerous reasons, although at the end of the day, they are focused on systems outside of these ‘PCI DSS’ controlled zones,” he said in a statement. “The two most popular attacks are extortion and exfiltration. Extortion is the means of coercing one to pay for compromised data while exfiltration is the means of extracting data in an unauthorized manner.”
Not only do “data thieves have access to a plethora of automated black market attack code,” he said, “what’s frightening is they are using old techniques to proliferate systems and most are ‘compliant’ organizations.”
Strand said PCI has “plenty left” to tackle – “from individual updates to requirements that fit with new paradigms, to major theme changes.”
The elements are musts “to allow effective coverage against the growing threats targeting CDE,” he said, contending that “PCI is under a gradual paradigm change that started before the 3.0 release, further asserting the standard as a baseline and requiring more tuning.”