The PCI Council just announced the revisions planned for PCI-DSS 3.0. Version 2.0 remains valid through the end of 2014, so compliance with the updated requirements does not become mandatory until January 1, 2015, but now is a good time to start planning ahead. In this blog post we’re going to look at what PCI 3.0 compliance means to you and how the new requirements will affect your organization’s network security program.
The first key theme of PCI 3.0 is aimed at fixing the lack of awareness around payment security and educating people to better understand how to implement PCI-DSS standards correctly. I’ve always been a huge advocate of education and awareness. How can you do something that you don’t fully understand? I remember years ago when I would do security assessments for companies that actually had pretty good controls in place – except for those servers and firewalls sitting out there that they weren’t aware of! Just like many things in life, your network security is only as good as your weakest link. One of the things that first drew me to AlgoSec is the fact that the software identifies so many things that probably went unnoticed before.
Another key theme in PCI 3.0 is the concept of shared responsibility. I would guess this applies to 99% of companies today. Shared responsibility means recognizing all the different people and teams that have a hand in your network’s overall security: application security, database security, network security, firewall security, and so on. Security is no longer a one-team job, but rather a shared responsibility of many. In addition to internal security, most companies outsource at least some level of functionality to third parties. One of my favorite characters in our industry has always been Larry Ellison. He sums up my exact feelings on “cloud computing” in this video (which also happens to be incredibly entertaining). What is “the cloud”? I have no idea to be honest. Public cloud, private cloud, hybrid cloud, etc. Ask 100 different people what The Cloud is and you’ll get 100 different answers. That being said, the majority of “cloud” functionality is going to end up being a shared responsibility. Whether your cloud functionality is a hosted solution, a virtual solution, SaaS, IaaS or PaaS, all of these apply when talking about shared responsibility. You share responsibility for the security of these items with your provider, but PCI-DSS still holds you accountable for the cardholder data you entrust to them, so make sure they’re keeping up their end of the bargain when it comes to PCI 3.0.
Of course our blog isn’t meant to be a sales pitch, but I want to point out a few ways that AlgoSec Security Management Suite can help you address the latest PCI requirements.
Requirement 1 (1.1.3): Maintain a current diagram that shows all cardholder data flows across systems and networks.
This is in addition to the network diagram that was already required (1.1.2). A network diagram shows how devices are connected; a data-flow diagram shows where cardholder data enters your environment, which systems it passes through, where it is stored and where it leaves. AlgoSec’s own Kyle Wickert recently wrote about the importance of understanding your application flows, and the PCI Council must agree since they’re now stressing this too. The latest addition to the AlgoSec Security Management Suite is a product called AlgoSec BusinessFlow. BusinessFlow lets customers examine and manage the security policy from an application-centric point of view and understand the paths that each application’s traffic takes. For instance, look at a website that accepts credit cards. Obviously this website and all of its dependencies will be in scope for PCI: the web server, the back-end database or other middleware, the supporting email servers, routers and firewalls, and so on. BusinessFlow allows you to view all of the above as one application instead of as single entities. Understanding what is part of an application and how and where its data flows is a big part of PCI 3.0.
Requirement 2 (2.4): Maintain an inventory of system components that are in scope for PCI-DSS.
Again, not knowing and understanding what is in your network can be a killer, especially when it comes to PCI. The AlgoSec Suite can help you understand what is out there, what it’s doing, how traffic is flowing through your devices and how to best optimize your network. Even if everything you know about is kept up to spec for PCI, devices sitting in your Cardholder Data Environment that you’re unaware of mean you are failing PCI-DSS compliance standards.
Requirement 12 (12.8.5): Maintain information about which PCI-DSS requirements are managed by each service provider and which are managed by your company.
This goes back to the “shared responsibility” point we looked at earlier. Not only do you need to understand which responsibilities are yours versus your provider’s, but you now need to maintain a documented list of this split. You can no longer hand the responsibility to your cloud provider and leave it at that. AlgoSec for MSSPs allows providers to clearly define and track PCI zones in your environment and get a better understanding of who is responsible for what.
All in all, you can see that the majority of changes in PCI 3.0 are clarifications or changes based on the trends we are seeing in security today. Clearly the biggest trend in security today is the cloud, and PCI 3.0 is addressing this. So what should you be doing now to plan for this? Understand what’s in your network and what each component is doing, work together as a team with anyone and everyone involved in your PCI in-scope network, stay educated and aware, and you will be well on your way to PCI 3.0 success!