In Part One of our two-part series on the vital points of failure you need to address immediately for PCI DSS compliance, we introduced you to a few of the changes that versions 3.1 and 3.2 of the PCI DSS require. In Part Two, we’ll tell you about five additional points of failure that could turn an audit into the disaster of non-compliance.
As we explained in Part One of this series, in April 2016, the PCI Security Standards Council issued a new set of standards (PCI DSS version 3.2) to try and close some of the gaps in compliance. However, many merchants and payment services providers still have not yet upgraded to the previous version (PCI DSS v. 3.1) which now expires on October 31, 2016.
While there are a lot of ‘how to’ guides out there, the PCI DSS continues to change rapidly to keep up with the changing security landscape. Issued last year, Version 3.1 initially gave businesses until June 30, 2016, to implement the new changes. At the end of 2015, the Council extended the deadline for full compliance to February of 2018, to give businesses the opportunity to implement the changes required by v3.1 and anticipated in v3.2.
PCI DSS v3.2 requires even more stringent and on-going efforts to remain in compliance. Recent studies show that as many as 1-in-5 merchants covered by the standards are out of compliance and would fail an audit. And, failing an audit can have severe consequences. Fines, legal liability, and even the loss of the ability to accept credit cards are on the line—a likely death sentence for most businesses accepting credit cards and ATM/Debit cards. Moreover, if failing to comply with the controls laid out by the PCI DSS results in a breach, the consequences can be catastrophic. Even surviving a serious breach can have an enormous reputational impact for the company.
The following are five additional points of failure you must address to maintain PCI DSS compliance and, as importantly, to protect the sensitive data you store and transmit.
- Insufficient or Non-Existent Encryption
The PCI DSS requires that all of your customers’ confidential data is encrypted at all times, which means both in-transit and at-rest. It’s the “at-rest” part that most businesses fail to do properly, and as a result, fail a compliance audit.
You might think you’ve done enough by encrypting the data when it’s transmitted over the wire. However, that’s only one part of the encryption mandate. You must also address the security of the data when it’s being stored on disk. If someone were to get ahold of a server, laptop, or any mobile storage device containing unencrypted sensitive data, you would be considered non-compliant and liable for any resulting damages.
And, don’t forget about the cloud! Any sensitive data being stored in the cloud must also be encrypted.
Unfortunately, most businesses don’t understand the risks of storing too much data about their customers. They’re only seeing things from a business perspective in that the more customer data kept on hand, the more fertile mining grounds there are for marketing opportunities. What they don’t realize is that being subject to PCI compliance means being responsible for all of the confidential data that is stored, including encryption of that data at all times.
What to do: If you’re going to store any confidential data, the only option is to encrypt that data while it’s in motion and while it’s at rest. To make this process less painful, store the absolute minimum data that is required. Remember, everything you keep under your control is your responsibility and will be under the auditor’s scrutiny. The less data you keep, the less you have to prove is securely encrypted at all times. So, if you don’t need it, don’t keep it!
It’s also extremely important that security policies and operational procedures around encryption of cardholder data are documented and communicated to personnel and all relevant parties.
- Bad Password Practices
When it comes to PCI compliance (and overall good password hygiene), creating strong passwords and following a good password protocol is a must.
Strong passwords are one of the most essential foundations of security. Unfortunately, every office still has that person who uses one of the passwords that consistently show up on “stupid password lists” every year. Passwords taking top honor include 12345, 123456, 1234567, and password. Then there’s the person whose password is the same for every account he/she has had for the past ten years—from email to bank account to your trusted network. And, in case that person forgets the password, it can be conveniently found on a sticky note attached to their screen or keyboard.
The PCI DSS is very specific on password standards and policies. To start, under no circumstances are default passwords for systems and devices allowed. Default passwords = Failed audits.
Additional password requirements outlined by the PCI DSS include a minimum password length of seven characters consisting of upper and lower case characters, as well as a mix of numbers and letters. Passwords must also be changed at least every 90 days. And, no passwords that have been used on the account in the last two years are allowed. Moreover, if a user enters a password incorrectly six times, the system must be set to automatically lock them out for 30 minutes or until an administrator resets the account.
One more thing to note — PCI DSS 3.2 adds the requirement of multifactor authentication for any personnel with administrative access to the cardholder data environment, even within the company’s own trusted local network. In other words, a password alone is no longer enough.
What to do: Don’t surrender to the temptation to pick an easy password and don’t make exceptions! Some might argue that segmentation and restricting access to only those who need it will enable you to make exceptions for that VP who doesn’t want to have to learn a “difficult to remember” password. But making exceptions leads to an insecure environment open to attacks like a social engineering hack. What if your VP uses his dog’s name for every account he has and gets exposed through an unrelated breach? A determined hacker could access his email and send a message to someone in IT (who might not know about compliance) that says “get me access to this system.”
Don’t let a weak password be your downfall. Ensure all users abide by the strong password policies that are put in place. You can easily enforce the rules by enabling password parameters in Active Directory, including password complexity, password length, and account lockouts. There are also various third-party tools for managing and enforcing passwords across your entire infrastructure, including servers, applications, network devices, and endpoint devices.
Remember, enforcing strong passwords is about more than passing an audit, it’s about keeping your network and sensitive data protected.
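The Active Directory parameters mentioned above can be audited and applied from PowerShell. The following script is an added example, not code from the original post: it reads the domain’s default password policy, compares it against the values the post lists (seven characters, complexity on, 90-day rotation, six failed attempts, 30-minute lockout), and optionally applies them. The PasswordHistoryCount of 24 is an assumption, since AD tracks history by count rather than by time; the function names Test-PciPasswordPolicy and Set-PciPasswordPolicy are the example’s own. It requires the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example: audit and enforce the PCI DSS password parameters on an AD domain.
# Requires the ActiveDirectory module (RSAT) and Domain Admin rights. Run Set-PciPasswordPolicy
# with -WhatIf first; the default domain policy applies to every domain account.
Import-Module ActiveDirectory

# Thresholds as stated in the post. PasswordHistoryCount = 24 is an assumption standing in
# for "no reuse within two years": AD counts previous passwords, it does not track time.
$Required = @{
    MinPasswordLength        = 7
    ComplexityEnabled        = $true
    MaxPasswordAge           = New-TimeSpan -Days 90
    PasswordHistoryCount     = 24
    LockoutThreshold         = 6
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30   # must not exceed LockoutDuration
}

function Test-PciPasswordPolicy {
    # Returns a list of findings; an empty list means the policy meets the listed values.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $current  = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    if ($current.MinPasswordLength -lt $Required.MinPasswordLength) {
        $findings += "MinPasswordLength is $($current.MinPasswordLength); need at least $($Required.MinPasswordLength)"
    }
    if (-not $current.ComplexityEnabled) {
        $findings += "ComplexityEnabled is off; mixed-case, numbers and letters are not enforced"
    }
    # A MaxPasswordAge of zero means passwords never expire, which also fails the 90-day rule.
    if ($current.MaxPasswordAge -eq [TimeSpan]::Zero -or $current.MaxPasswordAge -gt $Required.MaxPasswordAge) {
        $findings += "MaxPasswordAge is $($current.MaxPasswordAge); need 90 days or less"
    }
    if ($current.PasswordHistoryCount -lt $Required.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($current.PasswordHistoryCount); need at least $($Required.PasswordHistoryCount)"
    }
    # A LockoutThreshold of zero disables lockout entirely.
    if ($current.LockoutThreshold -eq 0 -or $current.LockoutThreshold -gt $Required.LockoutThreshold) {
        $findings += "LockoutThreshold is $($current.LockoutThreshold); need lockout after 6 failed attempts"
    }
    # A LockoutDuration of zero means "locked until an administrator unlocks", which the post accepts.
    if ($current.LockoutDuration -ne [TimeSpan]::Zero -and $current.LockoutDuration -lt $Required.LockoutDuration) {
        $findings += "LockoutDuration is $($current.LockoutDuration); need 30 minutes or admin unlock"
    }
    return $findings
}

function Set-PciPasswordPolicy {
    # Applies the required values to the default domain password policy; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    if ($PSCmdlet.ShouldProcess($Domain, "Apply PCI DSS default domain password policy")) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Required
    }
}

# Usage: report first, then remediate and re-check.
$before = Test-PciPasswordPolicy
if ($before.Count -eq 0) {
    Write-Output "Default domain password policy meets the listed PCI DSS values."
} else {
    $before | ForEach-Object { Write-Output "FINDING: $_" }
    Set-PciPasswordPolicy -WhatIf   # drop -WhatIf to apply
}
```

The default domain policy covers domain accounts only; local accounts on servers, application logins and network devices still need their own enforcement, which is where the third-party tools mentioned above come in. Keep the audit function in a scheduled job so that drift in the policy is caught between annual assessments rather than by the assessor.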
- Poor Documentation
The PCI DSS requires businesses to create and maintain proper documentation of policies and procedures. Unfortunately, the documentation created is often lacking, and the “maintain” part is often neglected. The result is decisions being made based on incomplete, inaccurate, or out-of-date information. This, in turn, can lead to sensitive cardholder data being inadvertently exposed to parts of the network it shouldn’t be and into the hands of someone who shouldn’t have access to it.
Proper, up-to-date documentation plays a critical role in ensuring your cardholder data environment remains secure and it’s a must have if you want to pass a PCI audit.
So why is poor documentation so widespread? One of the main reasons is confusion around who is responsible for what parts of the documentation process. Who sets the policy? Who updates it? Who reviews and approves changes? These are just some of the questions that need to be answered to ensure everyone is on the same page.
What to do: Create a “living document” that someone within your organization updates with every change to the environment. This includes regular review of all documentation to ensure it’s always up-to-date with current policies and procedures. For large enterprises, consider forming a cross-organizational committee that is responsible for the upkeep and dissemination of information. It’s also a good idea to create a knowledge base that is readable by everyone so that your employees are aware of any changes.
If you don’t have the resources or expertise to do this properly, consider hiring an expert security consultant to help you draft and review the required documentation. A security consultant can come in and interview your employees to understand your processes and help assess what needs to go into your documentation. This will help ensure you’re ready for an audit and also give you a solid framework to build off of going forward.
- Non-Compliant Service Providers
When you outsource any of your processes to a third party—whether it’s a payment processing vendor or a managed services provider or website host—you want to believe that when they say “PCI Compliant” that all is well and that you don’t have to worry about any part of the process. Unfortunately, that’s not the case.
The PCI council states that it’s the merchant’s responsibility to ensure any third party they entrust with their customers’ payment card data actually is PCI compliant. It’s also the merchant’s responsibility to understand who is responsible for what when it comes to outsourcing elements of PCI compliance. Don’t make the mistake of assuming you’re covered because you’ve offloaded certain PCI DSS requirements to a service provider. The PCI council puts the onus on the merchant to ensure all aspects of their cardholder data environment, including third-party vendors or service providers, are actually proven compliant as well.
What to do: Make sure to do your due diligence when selecting a third-party service provider. Ask to see evidence of actual compliance reporting or testing from the provider. Additionally, clearly establish and document the service provider’s responsibilities versus your responsibilities and get written acknowledgement from the provider. Lastly, put a process in place to monitor the provider’s PCI compliance. Remember, protecting your customers’ data is ultimately your responsibility.
- Treating Compliance as a One-Time Project
Too many merchants have been approaching compliance as a project-based endeavor—either a one-and-done situation or a once-a-year review. According to DSS Chief Technology Officer Troy Leach: “Analysis of recent cardholder data breaches and PCI DSS compliance trends reveal that many organizations view PCI DSS compliance as an annual exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced. The process of adhering to PCI DSS requirements is what is meant to be ‘PCI compliant’.”
The fact is that security and compliance are not one-time projects, but rather an ongoing process that should be incorporated into your organization’s day-to-day routines. You can’t “set it and forget it” when it comes to security and compliance. To this point, the PCI DSS emphasizes that the security controls implemented as part of compliance should be part of an organization’s business-as-usual (BAU) strategy – the goal being continuous compliance.
What to do: Stay vigilant! Continually monitor security controls to ensure they’re operating effectively and as intended. Doing so will enable you to quickly detect and respond to any failures in those controls. Also, make sure you regularly review processes and procedures, and update them as needed. Along these lines, ensure you have a solid change management process in place that incorporates an impact analysis of changes to the cardholder data environment in relation to the security controls protecting it. By doing so, you can avoid inadvertently opening up a potential security hole that could occur when a new device is added or a configuration change is made to the environment.
Remember, the goal is continuous security and compliance in your organization’s day-to-day routines. Don’t get complacent. Complacency will not only lead to audit failure; it will put your customers’ sensitive data at risk. That’s not a risk you can afford to take.
The Easy Way to Get Ahead of the Curve
The nine points we touched on in Part One and Part Two of these posts may seem a little overwhelming—even if you have been keeping up with your compliance efforts. The good news is that you don’t have to go it alone.
If you lack the in-house resources or expertise, look to a trusted service provider to help. The key is to make sure you are working with third-party vendors or hosting providers with proven experience in PCI compliance. You should also consider hiring an expert to assess your overall compliance status and assist you with getting there. The PCI SSC has a list of Qualified Security Assessors who can help you with this.
Whichever route you take – going it alone or getting help—the time to take action is now. The risks to your business are too high to put it off any longer.